PT-2025-39879 · Printerlogic · Vasion Print Application+2
Pierre Barre · Published 2025-09-29 · Updated 2025-09-29 · CVE-2025-34209
CVSS v4.0: 9.4 Critical
| Vector | AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H |
Name of the Vulnerable Software and Affected Versions
Vasion Print versions prior to 22.0.862
Vasion Print Application versions prior to 20.0.2014
Description
The Vasion Print Virtual Appliance Host and Application contain Docker images with a private GPG key and its passphrase stored in cleartext. The key belongs to the account no-reply+virtual-appliance@printerlogic.com. An attacker with administrative access can extract the private key and use it to decrypt GPG-encrypted files and sign malicious firmware update packages. A successfully uploaded and executed malicious update grants the attacker full control of the virtual appliance. The vulnerable key is hardcoded in files.
Recommendations
Update Vasion Print Virtual Appliance Host to version 22.0.862 or later.
Update Vasion Print Application to version 20.0.2014 or later.
Exploit
Fix
Using Hardcoded Credentials
Affected Products
Vasion Print
Vasion Print Application
Vasion Print Virtual Appliance Host