Blind Server-Side Request Forgery in Vasion Print Virtual Appliance Host and Application
CVE-2025-34232

6.9 MEDIUM

Key Information:

Vendor: Vasion

CVE Published: 29 September 2025

What is CVE-2025-34232?

The Vasion Print system, previously known as PrinterLogic, contains a blind server-side request forgery (SSRF) vulnerability that can be exploited by unauthenticated users. This flaw exists in the /var/www/app/console_release/lexmark/dellCheck.php script. The vulnerability arises from the lack of validation in URL requests generated by the system when a printer is registered. Specifically, the host name of the printer is incorporated into requests without appropriate filtering, allowing an attacker to probe internal services and trigger actions without direct visibility of the data. While the issue has been confirmed to be fixed, the timing of the patch's introduction remains uncertain.
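One way to vet a printer host name before it is placed in an outbound request URL, added here as an illustration and not taken from dellCheck.php or from Vasion's fix. The names `vetPrinterHost`, `inCidr` and `ALWAYS_DENIED`, the configured printer subnet list and the sample host names are assumptions constructed for this example.

```php
<?php
declare(strict_types=1);

// Hypothetical helper names; nothing here is taken from dellCheck.php.
const ALWAYS_DENIED = ['0.0.0.0/8', '127.0.0.0/8', '169.254.0.0/16', '224.0.0.0/4', '240.0.0.0/4'];

function inCidr(string $ip, string $cidr): bool
{
    [$net, $bits] = explode('/', $cidr);
    $mask = -1 << (32 - (int) $bits);
    return (ip2long($ip) & $mask) === (ip2long($net) & $mask);
}

/**
 * Returns the IPv4 address to connect to, or null if the host name must be refused.
 * $printerNets: administrator-configured printer subnets (assumed setting).
 * $resolve: injectable resolver so the check can be exercised offline.
 */
function vetPrinterHost(string $host, array $printerNets, ?callable $resolve = null): ?string
{
    $resolve ??= static fn (string $h): array => gethostbynamel($h) ?: [];

    // Bare DNS name or dotted quad only: no '/', ':', '@', '?', '#', whitespace or CR/LF,
    // so the value cannot add a port, path, userinfo or header to the outbound request.
    if (strlen($host) > 253 || !preg_match('/\A[a-z0-9](?:[a-z0-9.-]*[a-z0-9])?\z/i', $host)) {
        return null;
    }
    $ips = filter_var($host, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) ? [$host] : $resolve($host);
    if ($ips === []) {
        return null;
    }
    foreach ($ips as $ip) {   // every answer must pass, not just the first
        if (ip2long($ip) === false) return null;
        foreach (ALWAYS_DENIED as $cidr) { if (inCidr($ip, $cidr)) return null; }
        $ok = false;
        foreach ($printerNets as $cidr) { $ok = $ok || inCidr($ip, $cidr); }
        if (!$ok) return null;
    }
    return $ips[0]; // connect to this address, not the name, so a second lookup cannot differ
}

// Constructed sample data: one printer subnet and a stub resolver.
$nets = ['10.20.0.0/16'];
$dns  = static fn (string $h): array => ['lobby-printer.example' => ['10.20.4.7'],
                                         'rebind.example' => ['10.20.4.8', '127.0.0.1']][$h] ?? [];
foreach (['lobby-printer.example', 'rebind.example', '169.254.169.254', '10.20.4.9:8080/x', 'localhost'] as $h) {
    printf("%-24s %s\n", $h, vetPrinterHost($h, $nets, $dns) ?? 'REFUSED');
}
```

Printers normally sit on private address space, so the check relies on an explicit subnet allowlist rather than a blanket block of RFC 1918 ranges; the appliance's own addresses should stay outside that allowlist.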

Affected Version(s)

Print Application * < 25.1.1413

Print Virtual Appliance Host * < 25.1.102


CVSS V4

Score: 6.9
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Pierre Barre