Cyber Resilience

CVE-2025-27658

Critical

Published: 05 March 2025

Published
05 March 2025
Modified
01 April 2025
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0004 12.8th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-27658 is a critical-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability in Printerlogic Vasion Print. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 12.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2025-27658 is an authentication bypass vulnerability, tracked as OVE-20230524-0001, affecting Vasion Print (formerly PrinterLogic) Virtual Appliance Host versions prior to 22.0.843 and Application versions prior to 20.0.1923. Published on 2025-03-05, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-288 (Authentication Bypass Using an Alternate Path or Channel).

Unauthenticated attackers with network access can exploit this vulnerability due to its low attack complexity and lack of required privileges or user interaction. Exploitation enables bypassing authentication controls, potentially leading to high-impact compromise of confidentiality, integrity, and availability on affected systems.

Mitigation details are available in the vendor's security bulletin at https://help.printerlogic.com/saas/Print/Security/Security-Bulletins.htm, which addresses the issue in Virtual Appliance Host 22.0.843 and Application 20.0.1923.

EU & UK References

Vulnerability details

Vasion Print (formerly PrinterLogic) before Virtual Appliance Host 22.0.843 Application 20.0.1923 allows Authentication Bypass OVE-20230524-0001.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Authentication bypass in public-facing Vasion Print appliance directly enables T1190: Exploit Public-Facing Application for initial unauthenticated network access.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-27668Same product: Printerlogic Vasion Print
CVE-2025-27664Same product: Printerlogic Vasion Print
CVE-2025-27651Same product: Printerlogic Vasion Print
CVE-2025-27670Same product: Printerlogic Vasion Print
CVE-2025-27641Same product: Printerlogic Vasion Print
CVE-2025-27681Same product: Printerlogic Vasion Print
CVE-2025-27652Same product: Printerlogic Vasion Print
CVE-2025-27672Same product: Printerlogic Vasion Print
CVE-2025-27659Same product: Printerlogic Vasion Print
CVE-2025-27665Same product: Printerlogic Vasion Print

Affected Assets

printerlogic
vasion print
≤ 20.0.1923
printerlogic
virtual appliance
≤ 22.0.843

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

AC-14 explicitly identifies and approves user actions performable without identification or authentication, directly countering CWE-288 authentication bypass using alternate paths or channels.

prevent

AC-3 enforces approved authorizations for logical access, preventing unauthenticated attackers from compromising confidentiality, integrity, and availability via this bypass vulnerability.

prevent

SI-2 mandates identification, reporting, and correction of flaws like this CVE through patching to Virtual Appliance Host 22.0.843 and Application 20.0.1923.

References