CVE-2025-34205
Published: 19 September 2025
Summary
CVE-2025-34205 is a critical-severity Dead Code (CWE-561) vulnerability in Vasion Virtual Appliance Application. Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked in the top 8.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and CM-7 (Least Functionality).
Deeper analysis
Vasion Print, formerly known as PrinterLogic, is affected by CVE-2025-34205 in Virtual Appliance Host versions prior to 22.0.843 and Application versions prior to 20.0.1923 for both VA and SaaS deployments. The flaw consists of unauthenticated dangerous PHP dead code present across multiple Docker-hosted instances, specifically the script /var/www/app/resetroot.php that performs an unauthenticated SQL update resetting the database administrator account to username root with a SHA-512 hash of the literal string password, plus commented-out session deserialization of attacker-controlled data in /var/www/app/lib/common/oses.php that could enable remote code execution if reached.
An unauthenticated attacker with network access to the resetroot.php endpoint can immediately reset the MySQL root password to obtain full database control; when combined with the deserialization path this grants arbitrary code execution and complete system compromise on the affected containers.
Vendor security bulletins direct customers to upgrade the Virtual Appliance Host to 22.0.843 or newer and the Application to 20.0.1923 or newer; the issue is tracked internally as V-2023-003.
EPSS scores have remained low with a current value of 0.0716 and a peak of only 0.0742, indicating no significant post-disclosure exploitation interest.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-30251
Vulnerability details
Vasion Print (formerly PrinterLogic) Virtual Appliance Host versions prior to 22.0.843 and Application prior to 20.0.1923 (VA and SaaS deployments) contains dangerous PHP dead code present in multiple Docker-hosted PHP instances. A script named /var/www/app/resetroot.php (found in several containers) lacks…
more
authentication checks and, when executed, performs a SQL update that sets the database administrator username to 'root' and its password hash to the SHA-512 hash of the string 'password'. Separately, commented-out code in /var/www/app/lib/common/oses.php would unserialize session data (unserialize($_SESSION['osdata']))—a pattern that can enable remote code execution if re-enabled or reached with attacker-controlled serialized data. An attacker able to reach the resetroot.php endpoint can trivially reset the MySQL root password and obtain full database control; combined with deserialization issues this can lead to full remote code execution and system compromise. This vulnerability has been identified by the vendor as: V-2023-003 — Dead / Insecure PHP Code.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unauthenticated access to resetroot.php enables exploitation of a public-facing application (T1190) to reset MySQL root credentials (T1212) and achieve privilege escalation to database administrator (T1068), potentially leading to RCE via deserialization.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly addresses the lack of authentication checks on the resetroot.php script, preventing unauthenticated attackers from resetting the MySQL root password.
Requires timely flaw remediation, such as upgrading to versions that remove the dangerous dead PHP code identified by the vendor.
Enforces least functionality by prohibiting unnecessary scripts and commented-out code like the deserialization in oses.php that could enable RCE.