Cyber Posture

CVE-2025-34198

Critical · Public PoC

Published: 19 September 2025
Modified: 02 October 2025
KEV Added:
Patch:
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0023 (45.2th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-34198 is a critical-severity Use of Hard-coded Credentials (CWE-798) vulnerability in Vasion Virtual Appliance Application. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Adversary-in-the-Middle (T1557). The CVE ranks at the 45.2th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SC-12 (Cryptographic Key Establishment and Management).

Threat & Defense at a Glance

What attackers do: exploitation maps to Adversary-in-the-Middle (T1557) and 1 other technique.
What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) · AI

Prevent: SC-12 requires establishment and management of cryptographic keys per organizational requirements, directly preventing shared hardcoded SSH host private keys by mandating unique generation and secure handling for each appliance.

Prevent: IA-5 mandates management of authenticators including SSH host private keys, ensuring they are uniquely generated, protected from disclosure, and not hardcoded or shared across installations.

Prevent, recover: SI-2 requires timely flaw remediation through vendor upgrades (e.g., to versions 22.0.951+ and 20.0.2368+), which regenerate unique SSH keys and eliminate the hardcoded credential vulnerability.

MITRE ATT&CK Enterprise Techniques · AI

T1557 Adversary-in-the-Middle (Credential Access)
Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as Network Sniffing…

T1563.001 SSH Hijacking (Lateral Movement)
Adversaries may hijack a legitimate user's SSH session to move laterally within an environment.

Why these techniques?

Hardcoded shared SSH host private keys enable man-in-the-middle attacks (T1557) and SSH session hijacking via server impersonation (T1563.001).

NVD Description

Vasion Print (formerly PrinterLogic) Virtual Appliance Host versions prior to 22.0.951 and Application prior to 20.0.2368 (VA and SaaS deployments) contain shared, hardcoded SSH host private keys in the appliance image. The same private host keys (RSA, ECDSA, and ED25519) are present across installations, rather than being uniquely generated per appliance. An attacker who obtains these private keys (for example from one compromised appliance image or another installation) can impersonate the appliance, decrypt or intercept SSH connections to appliances that use the same keys, and perform man-in-the-middle or impersonation attacks against administrative SSH sessions. This vulnerability has been identified by the vendor as: V-2024-011 — Hardcoded SSH Host Key.

Deeper analysis · AI

CVE-2025-34198 affects Vasion Print (formerly PrinterLogic) Virtual Appliance Host versions prior to 22.0.951 and Application versions prior to 20.0.2368, impacting both Virtual Appliance (VA) and SaaS deployments. The vulnerability involves shared, hardcoded SSH host private keys (RSA, ECDSA, and ED25519) embedded in the appliance image, which are identical across all installations instead of being uniquely generated per instance. This violates CWE-798 (Use of Hard-coded Credentials) and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to high confidentiality, integrity, and availability impacts.

Any attacker who obtains these private keys—for instance, by compromising a single appliance image or another installation—can exploit the flaw remotely with no privileges or user interaction required. Successful exploitation enables impersonation of the appliance, decryption or interception of SSH connections to any affected instance using the same keys, and man-in-the-middle (MITM) or impersonation attacks against administrative SSH sessions.

Vendor security bulletins detail mitigation steps, available at https://help.printerlogic.com/saas/Print/Security/Security-Bulletins.htm and https://help.printerlogic.com/va/Print/Security/Security-Bulletins.htm, which identify the issue as V-2024-011 (Hardcoded SSH Host Key). Upgrading to Virtual Appliance Host version 22.0.951 or later and Application version 20.0.2368 or later regenerates unique keys, resolving the vulnerability. Additional analysis is provided in advisories from VulnCheck (https://www.vulncheck.com/advisories/vasion-print-printerlogic-shared-hardcoded-ssh-host-private-keys-in-appliance-image) and researcher Pierre Kim (https://pierrekim.github.io/blog/2025-04-08-vasion-printerlogic-83-vulnerabilities.html#va-hardcoded-ssh-keys).
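
A fleet check that follows from the description above, as an added example (not code from the vendor, VulnCheck or the researcher): it reads host public keys in `ssh-keyscan` / `known_hosts` line format and reports any key fingerprint presented by more than one host, which is how shared host keys appear from the network and what should no longer show up once the upgrade has regenerated keys. The key blobs and 192.0.2.x addresses are constructed sample data, and the function names are this example's own.

```python
import base64, hashlib, struct
from collections import defaultdict

def fingerprint(blob_b64):
    """Return (key type embedded in the blob, OpenSSH-style SHA256 fingerprint)."""
    blob = base64.b64decode(blob_b64, validate=True)
    (n,) = struct.unpack(">I", blob[:4])      # SSH wire format: uint32 length, then type name
    embedded = blob[4:4 + n].decode("ascii")
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return embedded, "SHA256:" + digest

def shared_host_keys(lines):
    """Map (key type, fingerprint) -> sorted hosts, for keys seen on more than one host."""
    seen = defaultdict(set)
    for line in lines:
        line = line.strip()
        if not line or line.startswith(("#", "@")):   # comments, @cert-authority / @revoked
            continue
        fields = line.split()
        if len(fields) < 3:
            continue
        hosts, keytype, blob_b64 = fields[:3]
        try:
            embedded, fp = fingerprint(blob_b64)
        except (ValueError, struct.error):            # bad base64, short blob, non-ASCII type
            continue
        if embedded != keytype:                       # declared type disagrees with the blob
            continue
        for host in hosts.split(","):
            seen[(keytype, fp)].add(host)
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}

def _sample_blob(keytype, payload):
    # Constructed stand-in for a public key blob; not a real key.
    t = keytype.encode()
    return base64.b64encode(struct.pack(">I", len(t)) + t + payload).decode()

SHARED = _sample_blob("ssh-ed25519", b"\x00\x00\x00\x20" + b"A" * 32)
UNIQUE = _sample_blob("ssh-ed25519", b"\x00\x00\x00\x20" + b"B" * 32)
SAMPLE_SCAN = [
    "# constructed ssh-keyscan style output (documentation addresses)",
    f"192.0.2.10 ssh-ed25519 {SHARED}",
    f"192.0.2.11 ssh-ed25519 {SHARED}",
    f"192.0.2.12 ssh-ed25519 {UNIQUE}",
]

if __name__ == "__main__":
    for (keytype, fp), hosts in shared_host_keys(SAMPLE_SCAN).items():
        print(f"{keytype} {fp} shared by {', '.join(hosts)}")
```

Run it over the collected host keys of every appliance in scope; an empty result means no two hosts in the input present the same host key.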

Details

CWE(s)

Affected Products

vasion virtual appliance application: ≤ 20.0.2368
vasion virtual appliance host: ≤ 22.0.951

CVEs Like This One

CVE-2025-34223 · Same product: Vasion Virtual Appliance Application
CVE-2025-34207 · Same product: Vasion Virtual Appliance Application
CVE-2025-34216 · Same product: Vasion Virtual Appliance Application
CVE-2025-34224 · Same product: Vasion Virtual Appliance Application
CVE-2025-34202 · Same product: Vasion Virtual Appliance Application
CVE-2025-34228 · Same product: Vasion Virtual Appliance Application
CVE-2025-34222 · Same product: Vasion Virtual Appliance Application
CVE-2025-34204 · Same product: Vasion Virtual Appliance Application
CVE-2025-34205 · Same product: Vasion Virtual Appliance Application
CVE-2025-34221 · Same product: Vasion Virtual Appliance Application
