Cyber Posture

CVE-2025-34207

Critical · Public PoC

Published: 29 September 2025
Modified: 03 October 2025
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0013 (32.8th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-34207 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Vasion Virtual Appliance Application. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Private Keys (T1552.004). The CVE ranks at the 32.8th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-17 (Remote Access) and CM-6 (Configuration Settings).

Threat & Defense at a Glance

What attackers do: exploitation maps to Private Keys (T1552.004) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) · AI

prevent

Mandates secure configuration settings for SSH clients in Docker instances, preventing insecure options like StrictHostKeyChecking=no and ForwardAgent=yes.

prevent

Ensures authenticity of SSH communications sessions by requiring host key verification, directly countering UserKnownHostsFile=/dev/null and no strict checking.

prevent

Manages and protects remote access mechanisms like SSH, prohibiting unauthorized forwarding of credentials and enforcing cryptographic protections for sessions.

MITRE ATT&CK Enterprise Techniques · AI

T1552.004 Private Keys (Credential Access)
Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials.

T1021.004 SSH (Lateral Movement)
Adversaries may use [Valid Accounts](https://attack.

T1563.001 SSH Hijacking (Lateral Movement)
Adversaries may hijack a legitimate user's SSH session to move laterally within an environment.

Why these techniques?

Insecure SSH client config (no host key checking, agent forwarding) in Docker containers enables stealing forwarded private SSH keys (T1552.004), facilitating SSH-based lateral movement (T1021.004) and session hijacking via impersonated SSH servers (T1563.001).

NVD Description

Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to 22.0.1049 and Application prior to 20.0.2786 (VA and SaaS deployments) configure the SSH client within Docker instances with the following options: `UserKnownHostsFile=/dev/null`, `StrictHostKeyChecking=no`, and `ForwardAgent yes`. These settings disable verification of the remote host’s SSH key and automatically forward the developer’s SSH‑agent to any host that matches the configured wildcard patterns. As a result, an attacker who can reach a single compromised container can cause the container to connect to a malicious SSH server, capture the forwarded private keys, and use those keys for unrestricted lateral movement across the environment. This vulnerability has been identified by the vendor as: V-2024-027 — Insecure Secure Shell (SSH) Configuration.

Deeper analysis · AI

CVE-2025-34207 is an insecure SSH client configuration vulnerability affecting Vasion Print (formerly PrinterLogic) Virtual Appliance Host versions prior to 22.0.1049 and Application versions prior to 20.0.2786, in both Virtual Appliance (VA) and SaaS deployments. The issue arises within Docker instances, where the SSH client is configured with UserKnownHostsFile=/dev/null, StrictHostKeyChecking=no, and ForwardAgent=yes. These settings disable verification of the remote host's SSH key and automatically forward the developer's SSH-agent to any host matching configured wildcard patterns, as identified by the vendor under V-2024-027.

An attacker with network access to a single compromised container can exploit this configuration remotely with low complexity, no privileges, and no user interaction required. By inducing the container to connect to a malicious SSH server, the attacker can capture the forwarded private keys, enabling unrestricted lateral movement across the environment. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-306 (Missing Authentication for Critical Function) and CWE-522 (Insufficiently Protected Credentials).

Vendor security bulletins at https://help.printerlogic.com/saas/Print/Security/Security-Bulletins.htm and https://help.printerlogic.com/va/Print/Security/Security-Bulletins.htm outline mitigation, recommending upgrades to Virtual Appliance Host 22.0.1049 or later and Application 20.0.2786 or later. Additional details on the insecure SSH configuration are provided in analyses from VulnCheck (https://www.vulncheck.com/advisories/vasion-print-printerlogic-insecure-ssh-client-config) and Pierre Kim's blog (https://pierrekim.github.io/blog/2025-04-08-vasion-printerlogic-83-vulnerabilities.html#va-insecure-ssh-config).
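A configuration audit for the three client options named above, added here as an example (it is not vendor or researcher code). The function name, the sample configurations and the hostnames in them are constructed for illustration; `Match` criteria are recorded as a scope but not evaluated.

```python
import re

# The three client options named in the advisory, keyed by lower-cased keyword.
RISKY = {
    "stricthostkeychecking": lambda v: v.lower() in ("no", "off"),
    "userknownhostsfile": lambda v: v == "/dev/null",
    "forwardagent": lambda v: v.lower() == "yes",
}
# ssh_config accepts "Keyword value" and "Keyword=value"; keywords are case-insensitive.
LINE = re.compile(r"(\w+)(?:\s*=\s*|\s+)(.+)$")

def audit_ssh_config(text):
    """Return (line_no, scope, keyword, value, applies_broadly) per risky setting."""
    findings, scope = [], "(global)"
    for line_no, raw in enumerate(text.splitlines(), start=1):
        m = LINE.match(raw.strip())
        if not m:  # blank lines and '#' comments do not match
            continue
        keyword, value = m.group(1).lower(), m.group(2).strip().strip('"')
        if keyword in ("host", "match"):
            scope = value  # following options apply to this block
            continue
        if keyword in RISKY and RISKY[keyword](value):
            # Global options and wildcard Host patterns reach the most destinations.
            broad = scope == "(global)" or any(c in scope for c in "*?")
            findings.append((line_no, scope, keyword, value, broad))
    return findings

# Constructed sample reproducing the described settings under wildcard patterns.
WEAK = """\
# constructed sample, not taken from the appliance
Host *.internal.example 10.0.*
    UserKnownHostsFile=/dev/null
    StrictHostKeyChecking no
    ForwardAgent yes
"""
# Constructed corrected form: host keys verified, agent not forwarded.
HARDENED = """\
Host build.internal.example
    UserKnownHostsFile ~/.ssh/known_hosts
    StrictHostKeyChecking yes
    ForwardAgent no
"""

if __name__ == "__main__":
    for finding in audit_ssh_config(WEAK):
        print("line %d [%s] %s=%s broad=%s" % finding)
```

Run it over each container image's `/etc/ssh/ssh_config` and per-user `~/.ssh/config`; a finding with `applies_broadly` set is the combination the advisory describes.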

Details

CWE(s)

Affected Products

vasion · virtual appliance application · ≤ 20.0.2786
vasion · virtual appliance host · ≤ 22.0.1049

CVEs Like This One

CVE-2025-34221 (same product: Vasion Virtual Appliance Application)
CVE-2025-34224 (same product: Vasion Virtual Appliance Application)
CVE-2025-34218 (same product: Vasion Virtual Appliance Application)
CVE-2025-34216 (same product: Vasion Virtual Appliance Application)
CVE-2025-34215 (same product: Vasion Virtual Appliance Application)
CVE-2025-34223 (same product: Vasion Virtual Appliance Application)
CVE-2025-34228 (same product: Vasion Virtual Appliance Application)
CVE-2025-34222 (same product: Vasion Virtual Appliance Application)
CVE-2025-34225 (same product: Vasion Virtual Appliance Application)
CVE-2025-34231 (same product: Vasion Virtual Appliance Application)
