Server-Side Request Forgery in Vasion Print Virtual Appliance and Application
CVE-2025-34228

8.8 HIGH

Key Information:

Vendor: Vasion

CVE Published: 29 September 2025

What is CVE-2025-34228?

Vasion Print, previously known as PrinterLogic, contains a server-side request forgery (SSRF) vulnerability in its Virtual Appliance Host and Application. The flaw is in an unauthenticated script, /var/www/app/console_release/lexmark/update.php, which can be accessed from the internet. The PHP script constructs URLs from user-supplied input and requests them via curl_exec() or file_get_contents() without adequate input validation. An external attacker can therefore make the server issue requests to its internal resources, enabling network reconnaissance, potential data exfiltration, or pivoting within the internal network. A fix is available, but when the patch was deployed is not specified.
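A hardened form of the pattern described above, as an added example (not Vasion's code or its patch). The function names, the allowlisted host updates.example.com and the constructed test URLs are assumptions.

```php
<?php
// Added illustration with hypothetical names; not Vasion's code or patch.
const ALLOWED_HOSTS = ['updates.example.com']; // assumed allowlist entry

/** Returns [host, port, ip] for a vetted destination, or null to refuse. */
function resolve_safe_destination(string $url): ?array
{
    $parts = parse_url($url);
    if (!is_array($parts) || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    $host = strtolower($parts['host']);
    if (strtolower($parts['scheme']) !== 'https' || isset($parts['user'])) {
        return null; // refuse http/file/gopher and user@host confusion
    }
    if (!in_array($host, ALLOWED_HOSTS, true)) {
        return null; // exact match only, never substring or suffix tests
    }
    // Resolve once, then vet the address that will actually be contacted.
    $ip = gethostbyname($host); // returns the name unchanged on failure
    $flags = FILTER_FLAG_IPV4 | FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
        return null; // private, loopback, link-local or unresolved
    }
    return [$host, $parts['port'] ?? 443, $ip];
}

function fetch_update(string $url): ?string
{
    $dest = resolve_safe_destination($url);
    if ($dest === null) {
        return null;
    }
    [$host, $port, $ip] = $dest;
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS,     // no file://, gopher://, ...
        CURLOPT_FOLLOWLOCATION => false,               // a redirect could point inward
        CURLOPT_RESOLVE        => ["$host:$port:$ip"], // pin to the vetted address
        CURLOPT_TIMEOUT        => 10,
    ]);
    $body = curl_exec($ch);
    return is_string($body) ? $body : null;
}

// Constructed inputs; each is refused before any DNS lookup or request.
foreach (['http://updates.example.com/fw', 'https://169.254.169.254/', 'https://updates.example.com.example.net/'] as $u) {
    var_dump(resolve_safe_destination($u));
}
```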

Affected Version(s)

Print Application * < 25.1.1413

Print Virtual Appliance Host * < 25.1.102

CVSS V4

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Pierre Barre