CVE-2025-34224
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-29

Last updated on: 2025-10-09

Assigner: VulnCheck

Description
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 22.0.1049 and Application prior to version 20.0.2786 (VA/SaaS deployments) expose a set of PHP scripts under the `console_release` directory without requiring authentication. An unauthenticated remote attacker can invoke these endpoints to re‑configure networked printers, add or delete RFID badge devices, or otherwise modify device settings. This vulnerability has been identified by the vendor as: V-2024-029 — No Authentication to Modify Devices.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-29
Last Modified
2025-10-09
Generated
2026-06-16
AI Q&A
2025-09-29
EPSS Evaluated
2026-06-15
NVD
CVE-2025-34224
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
vasion virtual_appliance_application to 20.0.2786 (exc)
vasion virtual_appliance_host to 22.0.1049 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-34224 is a critical vulnerability in Vasion Print (formerly PrinterLogic) Virtual Appliance Host and Application versions prior to 22.0.1049 and 20.0.2786 respectively. It exposes a set of PHP scripts under the 'console_release' directory without requiring any authentication. This allows an unauthenticated remote attacker to invoke these endpoints to re-configure networked printers, add or delete RFID badge devices, or modify device settings. Essentially, attackers can modify devices without any authentication, which is a severe security risk. [1]

Impact Analysis

This vulnerability can have a severe impact as it allows unauthenticated remote attackers to modify networked printers and RFID badge devices. This can lead to unauthorized changes in device configurations, potentially disrupting printing services, compromising device integrity, and enabling further attacks within the network. The vulnerability has a CVSS v4 base score of 10.0, indicating a critical risk with high impact on confidentiality, integrity, and availability. [1]

Detection Guidance

Detection can be performed by scanning for the presence of the exposed PHP scripts under the `console_release` directory on the Vasion Print Virtual Appliance Host or Application. Since these endpoints do not require authentication, an unauthenticated HTTP request to these scripts can confirm vulnerability. For example, using curl or wget to access URLs like `http://<target>/console_release/` and checking for accessible scripts or responses indicating device modification endpoints. Network scanning tools can also be used to identify the affected versions prior to 22.0.1049 (Host) or 20.0.2786 (Application). [1]

Mitigation Strategies

Immediate mitigation steps include upgrading the Vasion Print Virtual Appliance Host to version 22.0.1049 or later and the Print Application to version 20.0.2786 or later, as these versions address the vulnerability by requiring authentication for the affected PHP scripts. Additionally, restricting network access to the `console_release` directory by firewall rules or network segmentation can reduce exposure. Monitoring and blocking unauthenticated access attempts to these endpoints is also recommended until the update is applied. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-34224. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart