CVE-2025-34216
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-29

Last updated on: 2025-10-09

Assigner: VulnCheck

Description
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 22.0.1026 and Application prior to version 20.0.2702 (VA deployments only) expose a set of unauthenticated REST API endpoints that return configuration files and clear‑text passwords. The same endpoints also disclose the Laravel APP_KEY used for cryptographic signing. Because the APP_KEY is required to generate valid signed requests, an attacker who obtains it can craft malicious payloads that are accepted by the application and achieve remote code execution on the appliance. This vulnerability has been identified by the vendor as: V-2024-018 — RCE & Leaks via API.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-29
Last Modified
2025-10-09
Generated
2026-06-16
AI Q&A
2025-09-29
EPSS Evaluated
2026-06-15
NVD
CVE-2025-34216
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
vasion virtual_appliance_application to 20.0.2702 (exc)
vasion virtual_appliance_host to 22.0.1026 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-312 The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability affects Vasion Print (formerly PrinterLogic) Virtual Appliance Host and Application in certain versions. It exposes unauthenticated REST API endpoints that return configuration files and clear-text passwords, including the Laravel APP_KEY used for cryptographic signing. An attacker who obtains the APP_KEY can craft malicious payloads accepted by the application, leading to remote code execution on the appliance. [1]

Impact Analysis

The vulnerability can lead to remote code execution on the affected appliance without any authentication or user interaction. It also leaks sensitive information such as clear-text passwords and cryptographic keys, which can compromise confidentiality, integrity, and availability of the system, potentially allowing attackers to fully control the appliance. [1]

Detection Guidance

Detection involves identifying if your Vasion Print (formerly PrinterLogic) Virtual Appliance Host or Application is running a vulnerable version (Host prior to 22.0.1026, Application prior to 20.0.2702) and checking for unauthenticated access to REST API endpoints that expose configuration files and clear-text passwords. You can attempt to access the API endpoints without authentication to see if sensitive data is returned. Specific commands are not provided in the resources. [1]

Mitigation Strategies

Immediate mitigation steps include upgrading the Vasion Print Virtual Appliance Host to version 22.0.1026 or later and the Application to version 20.0.2702 or later. Restrict access to the REST API endpoints to authenticated and authorized users only, and monitor for any unauthorized access attempts. Since the vulnerability allows remote code execution and leaks sensitive information, patching is critical. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-34216. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart