PT-2025-38610 · Vasion · Vasion Print Application+1

Pierre Barre · Published 2025-09-19 · Updated 2025-09-20 · CVE-2025-34205

CVSS v2.0: 10 (Critical)

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

Vasion Print Virtual Appliance Host versions prior to 22.0.843
Vasion Print Application versions prior to 20.0.1923

Description

Vasion Print contains dangerous PHP dead code in multiple Docker-hosted PHP instances. A script located at /var/www/app/resetroot.php lacks authentication checks and, when executed, performs a SQL update that sets the database administrator username to root and its password hash to the SHA-512 hash of the string "password". Commented-out code in /var/www/app/lib/common/oses.php would unserialize session data (unserialize($_SESSION['osdata'])), a pattern that can enable remote code execution if re-enabled or reached with attacker-controlled serialized data. An attacker able to reach the resetroot.php endpoint can reset the MySQL root password and obtain full database control, potentially leading to full remote code execution and system compromise.

Recommendations

Vasion Print Virtual Appliance Host versions prior to 22.0.843 should be updated to version 22.0.843 or later.
Vasion Print Application versions prior to 20.0.1923 should be updated to version 20.0.1923 or later.
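
The audit below is an added example, not code from Vasion or from this advisory: it walks an extracted container filesystem for the two dead-code patterns described above and checks whether a database admin row matches the state resetroot.php leaves behind. It assumes the hash is stored as an unsalted, hex-encoded SHA-512 digest; the function names and the sample tree are constructed for illustration.

```python
import hashlib
import os
import re
import tempfile

# Assumption: the hash is stored as an unsalted, hex-encoded SHA-512 digest.
RESET_HASH = hashlib.sha512(b"password").hexdigest()
# Matches unserialize($_SESSION[...]) whether the line is live or commented out.
UNSERIALIZE_SESSION = re.compile(r"unserialize\s*\(\s*\$_SESSION\s*\[")


def is_reset_credential(username, password_hash):
    """True if a DB admin row matches the state resetroot.php leaves behind."""
    return username == "root" and password_hash.strip().lower() == RESET_HASH


def audit_php_tree(root):
    """Walk an extracted image filesystem and list the advisory's risky patterns."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if name == "resetroot.php":
                findings.append((rel, 0, "reset script present"))
            with open(path, encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    if UNSERIALIZE_SESSION.search(line):
                        findings.append((rel, lineno, "unserialize on session data"))
    return findings


def demo():
    """Run the audit over a constructed tree that mirrors the advisory's paths."""
    with tempfile.TemporaryDirectory() as root:
        app = os.path.join(root, "var/www/app")
        os.makedirs(os.path.join(app, "lib/common"))
        with open(os.path.join(app, "resetroot.php"), "w") as fh:
            fh.write("<?php /* constructed placeholder, no logic */\n")
        with open(os.path.join(app, "lib/common/oses.php"), "w") as fh:
            fh.write("<?php\n// $os = unserialize($_SESSION['osdata']);\n")
        return audit_php_tree(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

A finding with line number 0 marks a file flagged by name; any other finding points at the line to remove. Neither replaces upgrading to the fixed versions listed above.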

Exploit

Fix

RCE

Weakness Enumeration

Related Identifiers

BDU:2026-00334
CVE-2025-34205

Affected Products

Vasion Print Application
Vasion Print Virtual Appliance Host