CVE-2025-34212
Published: 29 September 2025
Summary
CVE-2025-34212 is a critical-severity Download of Code Without Integrity Check (CWE-494) vulnerability in Vasion Virtual Appliance Application. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Compromise Software Dependencies and Development Tools (T1195.001); ranked in the top 28.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and CM-14 (Signed Components).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SR-11 requires verification of component authenticity prior to use, directly addressing the unverified third-party image pulls and unsigned VirtualBox Extension Pack downloads that enable supply chain compromise.
CM-14 mandates digital signatures for software and firmware components before installation or execution, comprehensively mitigating the lack of signature validation in the build pipeline.
AC-6 enforces least privilege, preventing remote code execution as root by restricting excessive NOPASSWD sudo privileges granted to the Jenkins account for mount/umount operations.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CI/CD weaknesses (unverified third-party images, HTTP downloads without integrity checks, Jenkins NOPASSWD sudo) enable compromise of software dependencies/development tools (T1195.001) and software supply chain (T1195.002) via supply chain attacks, MITM, malicious firmware injection, and RCE on the build host.
MITRE ATLAS TechniquesAI
MITRE ATLAS techniques
NVD Description
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 22.0.843 and Application prior to version 20.0.1923 (VA/SaaS deployments) possess CI/CD weaknesses: the build pulls an unverified third-party image, downloads the VirtualBox Extension Pack over plain HTTP without signature validation,…
more
and grants the jenkins account NOPASSWD for mount/umount. Together these allow supply chain or man-in-the-middle compromise of the build pipeline, injection of malicious firmware, and remote code execution as root on the CI host. This vulnerability has been identified by the vendor as: V-2023-007 — Supply Chain Attack.
Deeper analysisAI
CVE-2025-34212 is a high-severity supply chain vulnerability (CVSS 9.8) affecting Vasion Print (formerly PrinterLogic) Virtual Appliance Host versions prior to 22.0.843 and Application versions prior to 20.0.1923 in VA/SaaS deployments. It stems from multiple CI/CD weaknesses, including pulling an unverified third-party image during builds, downloading the VirtualBox Extension Pack over plain HTTP without signature validation, and granting the Jenkins account NOPASSWD sudo privileges for mount and umount operations (mapped to CWE-494 and CWE-732). These flaws, identified by the vendor as V-2023-007 Supply Chain Attack, enable compromise of the build pipeline.
The vulnerability is exploitable remotely by unauthenticated attackers (AV:N/AC:L/PR:N/UI:N/S:U) via supply chain attacks or man-in-the-middle interception. Attackers can tamper with the third-party image or Extension Pack to inject malicious firmware, leading to remote code execution as root on the CI host and potential downstream compromise of affected Virtual Appliance instances.
Vendor security bulletins at help.printerlogic.com detail mitigations, recommending upgrades to Virtual Appliance Host 22.0.843 or later and Application 20.0.1923 or later. Additional analysis from researchers, including Pierre Kim's blog and VulnCheck advisory, confirms the issue and emphasizes securing build pipelines against these risks.
Details
- CWE(s)