Cyber Resilience

CVE-2025-34205

CriticalPublic PoC

Published: 19 September 2025

Published
19 September 2025
Modified
02 October 2025
KEV Added
Patch
CVSS Score v4 9.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0716 91.8th percentile
Risk Priority 23 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-34205 is a critical-severity Dead Code (CWE-561) vulnerability in Vasion Virtual Appliance Application. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked in the top 8.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and CM-7 (Least Functionality).

Deeper analysis

Vasion Print, formerly known as PrinterLogic, is affected by CVE-2025-34205 in Virtual Appliance Host versions prior to 22.0.843 and Application versions prior to 20.0.1923 for both VA and SaaS deployments. The flaw consists of unauthenticated dangerous PHP dead code present across multiple Docker-hosted instances, specifically the script /var/www/app/resetroot.php that performs an unauthenticated SQL update resetting the database administrator account to username root with a SHA-512 hash of the literal string password, plus commented-out session deserialization of attacker-controlled data in /var/www/app/lib/common/oses.php that could enable remote code execution if reached.

An unauthenticated attacker with network access to the resetroot.php endpoint can immediately reset the MySQL root password to obtain full database control; when combined with the deserialization path this grants arbitrary code execution and complete system compromise on the affected containers.

Vendor security bulletins direct customers to upgrade the Virtual Appliance Host to 22.0.843 or newer and the Application to 20.0.1923 or newer; the issue is tracked internally as V-2023-003.

EPSS scores have remained low with a current value of 0.0716 and a peak of only 0.0742, indicating no significant post-disclosure exploitation interest.

EU & UK References

Vulnerability details

Vasion Print (formerly PrinterLogic) Virtual Appliance Host versions prior to 22.0.843 and Application prior to 20.0.1923 (VA and SaaS deployments) contains dangerous PHP dead code present in multiple Docker-hosted PHP instances. A script named /var/www/app/resetroot.php (found in several containers) lacks…

more

authentication checks and, when executed, performs a SQL update that sets the database administrator username to 'root' and its password hash to the SHA-512 hash of the string 'password'. Separately, commented-out code in /var/www/app/lib/common/oses.php would unserialize session data (unserialize($_SESSION['osdata']))—a pattern that can enable remote code execution if re-enabled or reached with attacker-controlled serialized data. An attacker able to reach the resetroot.php endpoint can trivially reset the MySQL root password and obtain full database control; combined with deserialization issues this can lead to full remote code execution and system compromise. This vulnerability has been identified by the vendor as: V-2023-003 — Dead / Insecure PHP Code.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1212 Exploitation for Credential Access Credential Access
Adversaries may exploit software vulnerabilities in an attempt to collect credentials.
Why these techniques?

Unauthenticated access to resetroot.php enables exploitation of a public-facing application (T1190) to reset MySQL root credentials (T1212) and achieve privilege escalation to database administrator (T1068), potentially leading to RCE via deserialization.

CVEs Like This One

CVE-2025-34224Same product: Vasion Virtual Appliance Application
CVE-2025-34215Same product: Vasion Virtual Appliance Application
CVE-2025-34218Same product: Vasion Virtual Appliance Application
CVE-2025-34223Same product: Vasion Virtual Appliance Application
CVE-2025-34204Same product: Vasion Virtual Appliance Application
CVE-2025-34203Same product: Vasion Virtual Appliance Application
CVE-2025-34216Same product: Vasion Virtual Appliance Application
CVE-2025-34225Same product: Vasion Virtual Appliance Application
CVE-2025-34222Same product: Vasion Virtual Appliance Application
CVE-2025-34228Same product: Vasion Virtual Appliance Application

Affected Assets

vasion
virtual appliance application
≤ 20.0.1923
vasion
virtual appliance host
≤ 22.0.843

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly addresses the lack of authentication checks on the resetroot.php script, preventing unauthenticated attackers from resetting the MySQL root password.

prevent

Requires timely flaw remediation, such as upgrading to versions that remove the dangerous dead PHP code identified by the vendor.

prevent

Enforces least functionality by prohibiting unnecessary scripts and commented-out code like the deserialization in oses.php that could enable RCE.

References