PT-2025-39887 · Printerlogic · Vasion Print Application+1

Pierre Barre · Published 2025-09-19 · Updated 2025-10-01 · CVE-2025-34222

CVSS v4.0: 10 (Critical)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Name of the Vulnerable Software and Affected Versions

Vasion Print (formerly PrinterLogic) Virtual Appliance Host versions prior to 22.0.1049
Vasion Print (formerly PrinterLogic) Application versions prior to 20.0.2786

Description

The Vasion Print Virtual Appliance Host and Application expose administrative routes without authentication. Specifically, the following API endpoints are affected: /admin/hp/cert upload, /admin/hp/cert delete, /admin/certs/ca, and /admin/certs/serviceclients/{scid}. These routes are defined in the /var/www/app/routes/web.php file within the printercloud/pi Docker container and are managed by the HPCertificateController class, which lacks user validation. An attacker can upload replacement TLS/SSL certificates, delete existing certificates, or download CA and client certificates via an IDOR vulnerability affecting the serviceclients endpoint, allowing enumeration of all client IDs. The vendor has identified this issue as V-2024-028 — Unauthenticated Admin APIs Used to Modify SSL Certificates.

Recommendations

Update Vasion Print Virtual Appliance Host to version 22.0.1049 or later.
Update Vasion Print Application to version 20.0.2786 or later.
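
A log review for the routes named in the description, as an added example that is not part of the original advisory or the vendor's code: it scans web access logs for requests to the certificate routes and flags sources that requested several distinct serviceclients IDs. The combined log format, the threshold, the HTTP methods and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumption: access logs are in combined log format; adapt LINE_RE otherwise.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
SCID_RE = re.compile(r"^/admin/certs/serviceclients/([^/?#]+)")
ENUM_THRESHOLD = 3  # hypothetical: distinct client IDs per source before flagging

def is_cert_route(path):
    # Route names come from the advisory; the /admin/hp/cert prefix covers
    # both the upload and the delete route.
    return (path.startswith("/admin/hp/cert")
            or path.rstrip("/") == "/admin/certs/ca"
            or path.startswith("/admin/certs/serviceclients/"))

def scan(lines, enum_threshold=ENUM_THRESHOLD):
    """Return (hits, enumerators) for requests to the certificate routes."""
    hits, scids = [], defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        path = m["path"].split("?", 1)[0]
        if not is_cert_route(path):
            continue
        hits.append((m["ip"], m["method"], path, int(m["status"])))
        s = SCID_RE.match(path)
        if s:
            scids[m["ip"]].add(s.group(1))
    enumerators = {ip: sorted(ids) for ip, ids in scids.items()
                   if len(ids) >= enum_threshold}
    return hits, enumerators

# Constructed sample lines (documentation IP ranges, invented client IDs).
SAMPLE = [
    '198.51.100.7 - - [01/Oct/2025:10:00:01 +0000] "GET /admin/certs/ca HTTP/1.1" 200 1830',
    '198.51.100.7 - - [01/Oct/2025:10:00:02 +0000] "GET /admin/certs/serviceclients/1 HTTP/1.1" 200 2411',
    '198.51.100.7 - - [01/Oct/2025:10:00:02 +0000] "GET /admin/certs/serviceclients/2 HTTP/1.1" 200 2409',
    '198.51.100.7 - - [01/Oct/2025:10:00:03 +0000] "GET /admin/certs/serviceclients/3 HTTP/1.1" 404 0',
    '192.0.2.10 - - [01/Oct/2025:10:01:00 +0000] "GET /login HTTP/1.1" 200 512',
    '192.0.2.10 - - [01/Oct/2025:10:01:05 +0000] "GET /admin/certs/serviceclients/7 HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE)[0]:
        print(hit)
    print("possible enumeration:", scan(SAMPLE)[1])
```

A 2xx status on any hit means the route answered the request, which is worth correlating with the installed version and with any certificate changes on the appliance.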

Exploit

Fix

Missing Authentication

Unrestricted File Upload

Weakness Enumeration

Related Identifiers

BDU:2026-00335
CVE-2025-34222

Affected Products

Vasion Print Application
Vasion Print Virtual Appliance Host