PT-2025-39888 · Unknown · Vasion Print+2
Author: Pierre Barre
Published: 2025-09-29 · Updated: 2025-09-29
CVE-2025-34223
CVSS v4.0: 10 (Critical)
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H |
Name of the Vulnerable Software and Affected Versions
Vasion Print versions prior to 22.0.1049
Vasion Print Application versions prior to 20.0.2786
Description
The Vasion Print Virtual Appliance Host and Application ship with a default admin account and an installation-time endpoint at /admin/query/update database.php that is reachable without authentication. An attacker can POST arbitrary root user and root password values to this endpoint, replacing the default admin credentials with attacker-controlled ones. Because the script carries hard-coded SHA-512 and SHA-1 hashes of the default password, the request bypasses password policy validation. As a result, an unauthenticated remote attacker can gain full administrative control of the system during initial setup.
Recommendations
Update Vasion Print Virtual Appliance Host to version 22.0.1049 or later.
Update Vasion Print Application to version 20.0.2786 or later.
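Until the update is applied, the most useful thing a defender can do is check whether the unauthenticated installation endpoint was ever hit from outside the setup window. The script below is an added example (not code from the advisory author or from Vasion): it parses web-server access-log lines in the common/combined format, flags every request to the endpoint path named in the advisory, and counts POSTs per source address. It assumes the endpoint path appears in logs either with an underscore or as a URL-encoded space (both spellings are assumptions; the advisory prints the path with a space), and the log lines are constructed for the example.

```python
import re
from dataclasses import dataclass

# Assumption: the path as printed in the advisory, accepting an underscore,
# a literal space or a URL-encoded space between "update" and "database".
INSTALL_ENDPOINT = re.compile(
    r"^/admin/query/update(?:[ _]|%20)database\.php(?:\?.*)?$", re.IGNORECASE
)

# Common/combined access-log format: client, ident, user, [timestamp],
# "METHOD path protocol", status, size (remaining fields ignored).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)


@dataclass
class Hit:
    ip: str
    timestamp: str
    method: str
    path: str
    status: int


def parse_line(line: str):
    """Return the parsed fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m["ip"],
        "ts": m["ts"],
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def find_install_endpoint_hits(lines):
    """Every request (any method) to the installation endpoint, in log order."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed or non-access-log line; skip rather than crash
        if INSTALL_ENDPOINT.match(rec["path"]):
            hits.append(Hit(rec["ip"], rec["ts"], rec["method"], rec["path"], rec["status"]))
    return hits


def posts_by_source(lines):
    """Count POSTs to the endpoint per client IP; a POST is the credential-reset action."""
    counts = {}
    for hit in find_install_endpoint_hits(lines):
        if hit.method == "POST":
            counts[hit.ip] = counts.get(hit.ip, 0) + 1
    return counts


# Constructed sample log lines (not real traffic); 203.0.113.0/24 is documentation space.
SAMPLE_LOG = [
    '10.0.0.5 - - [29/Sep/2025:10:01:12 +0000] "GET /admin/login.php HTTP/1.1" 200 512',
    '203.0.113.7 - - [29/Sep/2025:10:02:44 +0000] "POST /admin/query/update_database.php HTTP/1.1" 200 87',
    '203.0.113.7 - - [29/Sep/2025:10:02:46 +0000] "POST /admin/query/update%20database.php HTTP/1.1" 200 87',
    '10.0.0.5 - - [29/Sep/2025:10:05:00 +0000] "GET /admin/query/update_database.php HTTP/1.1" 403 0',
    "this line is not an access-log record",
]

if __name__ == "__main__":
    for hit in find_install_endpoint_hits(SAMPLE_LOG):
        print(f"{hit.timestamp} {hit.ip} {hit.method} {hit.path} -> {hit.status}")
    print("POSTs per source:", posts_by_source(SAMPLE_LOG))
```

Any POST to this path from an address that is not the administrator's workstation, or any hit after initial setup was completed, is a signal to treat the appliance's admin credentials as compromised and rotate them after updating.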
Weakness types: Missing Authentication; Using Hardcoded Credentials
Affected Products
Vasion Print
Vasion Print Application
Vasion Print Virtual Appliance Host