Cyber Resilience

CVE-2025-34201

HighPublic PoC

Published: 19 September 2025

Published
19 September 2025
Modified
24 September 2025
KEV Added
Patch
CVSS Score v4 8.5 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0007 22.0th percentile
Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-34201 is a high-severity Improper Isolation or Compartmentalization (CWE-653) vulnerability in Vasion Virtual Appliance Application. Its CVSS base score is 8.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Remote System Discovery (T1018); ranked at the 22.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

EU & UK References

Vulnerability details

Vasion Print (formerly PrinterLogic) Virtual Appliance Host and Application (VA and SaaS deployments) run many Docker containers on shared internal networks without firewalling or segmentation between instances. A compromise of any single container allows direct access to internal services (HTTP,…

more

Redis, MySQL, etc.) on the overlay network. From a compromised container, an attacker can reach and exploit other services, enabling lateral movement, data theft, and system-wide compromise.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1018 Remote System Discovery Discovery
Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system.
T1046 Network Service Discovery Discovery
Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation.
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1210 Exploitation of Remote Services Lateral Movement
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
T1613 Container and Resource Discovery Discovery
Adversaries may attempt to discover containers and other resources that are available within a containers environment.
Why these techniques?

Lack of firewalling/segmentation between Docker containers enables remote system/service discovery (T1018, T1046, T1613), exploitation of internal services (HTTP, Redis, MySQL) for lateral movement (T1210) and privilege escalation (T1068) leading to system-wide compromise and data theft.

Affected Assets

vasion
virtual appliance application
all versions
vasion
virtual appliance host
all versions

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-653

Defines isolation boundaries by specifying which external systems may access or process organization data.

addresses: CWE-653

Maintains isolation and compartmentalization by restricting flows between security domains or levels.

addresses: CWE-653

Reviewing the continued need for connections supports isolation and compartmentalization.

addresses: CWE-653

Locating systems away from hazards improves isolation and compartmentalization from external physical or environmental threats.

addresses: CWE-653

The CONOPS must articulate isolation and compartmentalization expectations for security and privacy, making architectural failures in separation of duties or domains harder to overlook.

addresses: CWE-653

Security architectures commonly incorporate isolation and compartmentalization strategies to limit the impact of compromises.

addresses: CWE-653

Organization-wide privacy program leadership ensures proper isolation and compartmentalization of personal data.

addresses: CWE-653

Oversight ensures data-matching activities maintain required isolation between distinct data sets and authorized user communities.

References