CVE-2025-27645
Published: 05 March 2025
Summary
CVE-2025-27645 is a critical-severity Incorrect Authorization (CWE-863) vulnerability in Printerlogic Vasion Print. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 30.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Deeper analysis
CVE-2025-27645 affects Vasion Print, formerly known as PrinterLogic, in versions before Virtual Appliance Host 22.0.933 Application 20.0.2368. The vulnerability enables insecure extension installation by trusting HTTP permission methods on the server side, tracked as V-2024-005 and mapped to CWE-863 (Incorrect Authorization). It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical due to its potential for severe impact.
Unauthenticated remote attackers can exploit this vulnerability over the network with low attack complexity and no user interaction required. Exploitation allows high-impact compromise of confidentiality, integrity, and availability, potentially leading to full system control through malicious extensions.
Mitigation requires upgrading to Virtual Appliance Host 22.0.933 Application 20.0.2368 or later. Relevant advisories include PrinterLogic's security bulletins at https://help.printerlogic.com/saas/Print/Security/Security-Bulletins.htm, Pierre Kim's analysis of 83 Vasion/PrinterLogic vulnerabilities at https://pierrekim.github.io/blog/2025-04-08-vasion-printerlogic-83-vulnerabilities.html, and the Full Disclosure mailing list post at http://seclists.org/fulldisclosure/2025/Apr/18.
This vulnerability is part of a larger set of 83 flaws disclosed in Vasion Print/PrinterLogic products.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-6073
Vulnerability details
Vasion Print (formerly PrinterLogic) before Virtual Appliance Host 22.0.933 Application 20.0.2368 allows Insecure Extension Installation by Trusting HTTP Permission Methods on the Server Side V-2024-005.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unauthenticated remote exploitation of public-facing app (T1190) directly enables installation of malicious server extensions for code execution/persistence (T1505.003).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
AC-3 enforces approved authorizations for access to system resources, directly preventing unauthenticated extension installation due to incorrect server-side HTTP permission handling.
AC-14 explicitly defines and limits actions permissible without identification or authentication, mitigating the vulnerability's allowance of insecure extension installs via unauthenticated HTTP methods.
SI-2 requires timely identification, reporting, and correction of flaws like this incorrect authorization vulnerability, aligning with the vendor's upgrade mitigation.