Unauthenticated Access Vulnerability in Vasion Print Virtual Appliance by PrinterLogic
CVE-2025-34220

6.9 MEDIUM

Key Information:

Vendor: Vasion

CVE Published: 29 September 2025

What is CVE-2025-34220?

The Vasion Print (formerly PrinterLogic) Virtual Appliance and Application have a significant vulnerability that allows an unauthenticated remote attacker to interact with the /api-gateway/identity/search-groups endpoint without credentials. By sending requests to that URL and manipulating the Host header, an attacker can enumerate all group objects associated with a tenant. The exposed data includes sensitive internal identifiers such as group IDs, Azure AD object IDs, timestamps, and tenant IDs. The issue has reportedly been remediated, but the exact date on which the patch was implemented remains unclear.

Affected Version(s)

Print Application * < 25.1.1413

Print Virtual Appliance Host * < 25.1.102

CVSS V4

Score: 6.9
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Pierre Barre