CVE-2025-34216
Published: 29 September 2025
Summary
CVE-2025-34216 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Vasion Virtual Appliance Application. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 24.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and SI-15 (Information Output Filtering).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-14 (Permitted Actions Without Identification or Authentication): directly limits permitted actions without identification or authentication, mitigating unauthenticated access to API endpoints that expose sensitive configurations, clear-text passwords, and the APP_KEY enabling RCE.
- SI-2 (Flaw Remediation): requires timely flaw remediation by patching vulnerable appliance versions, eliminating the exposed unauthenticated endpoints as recommended by the vendor.
- SI-15 (Information Output Filtering): filters sensitive information from system outputs, preventing disclosure of configuration files, clear-text passwords, and the APP_KEY via API responses.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated REST API endpoints leak clear-text passwords and configuration files (T1552.001) and the Laravel APP_KEY, enabling attackers to craft valid signed requests for remote code execution on the appliance (T1190).
NVD Description
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 22.0.1026 and Application prior to version 20.0.2702 (VA deployments only) expose a set of unauthenticated REST API endpoints that return configuration files and clear-text passwords. The same endpoints also disclose the Laravel APP_KEY used for cryptographic signing. Because the APP_KEY is required to generate valid signed requests, an attacker who obtains it can craft malicious payloads that are accepted by the application and achieve remote code execution on the appliance. This vulnerability has been identified by the vendor as: V-2024-018 — RCE & Leaks via API.
Deeper analysis
CVE-2025-34216 affects Vasion Print (formerly PrinterLogic) Virtual Appliance Host versions prior to 22.0.1026 and Application versions prior to 20.0.2702, specifically in VA deployments. The vulnerability involves unauthenticated REST API endpoints that expose configuration files, clear-text passwords, and the Laravel APP_KEY used for cryptographic signing. This issue, identified by the vendor as V-2024-018 (RCE & Leaks via API), is rated at CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWEs 306 (Missing Authentication for Critical Function) and 312 (Cleartext Storage of Sensitive Information).
Any unauthenticated remote attacker can exploit these endpoints over the network with low complexity and no privileges required. By retrieving the APP_KEY, the attacker can forge valid signed requests to the application, enabling remote code execution on the appliance. Additionally, the exposure of clear-text passwords provides immediate access to credentials for further compromise.
Vendor security bulletins at help.printerlogic.com detail mitigation through upgrading to Virtual Appliance Host version 22.0.1026 or later and Application version 20.0.2702 or later. Independent advisories from VulnCheck and researcher Pierre Kim confirm the issue and emphasize patching as the primary remediation, with no workarounds specified for affected versions.
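The version thresholds above are the only reliable indicator of exposure, so an inventory check is the first defensive step. The script below is an added example (not vendor or advisory code) that flags Vasion Print VA components below the fixed builds named in the NVD description; the inventory entries and hostnames are constructed sample data.

```python
"""Added example: flag Vasion Print VA components affected by CVE-2025-34216.

Thresholds come from the NVD description: Virtual Appliance Host before
22.0.1026 and Application before 20.0.2702, VA deployments only.
The inventory below is constructed sample data, not real hosts.
"""
from typing import Dict, List, Tuple

FIXED_VERSIONS = {
    "host": (22, 0, 1026),
    "application": (20, 0, 2702),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '22.0.1026' into (22, 0, 1026) so comparison is numeric, not lexical."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(component: str, version: str, va_deployment: bool) -> bool:
    """True when the component runs a pre-fix build in a VA deployment."""
    if not va_deployment:  # advisory scope is VA deployments only
        return False
    fixed = FIXED_VERSIONS[component.lower()]
    return parse_version(version) < fixed


def triage(inventory: List[Dict]) -> List[str]:
    """Return the names of inventory entries that still need the upgrade."""
    return [
        item["name"]
        for item in inventory
        if is_affected(item["component"], item["version"], item["va"])
    ]


# Constructed sample inventory (hypothetical hostnames).
SAMPLE_INVENTORY = [
    {"name": "va-host-01", "component": "host", "version": "22.0.1025", "va": True},
    {"name": "va-host-02", "component": "host", "version": "22.0.1026", "va": True},
    {"name": "va-app-01", "component": "application", "version": "20.0.2699", "va": True},
    {"name": "saas-app-01", "component": "application", "version": "20.0.2699", "va": False},
    {"name": "va-app-02", "component": "application", "version": "21.0.1", "va": True},
]

if __name__ == "__main__":
    for name in triage(SAMPLE_INVENTORY):
        print(f"{name}: upgrade required (CVE-2025-34216)")
```

Patching closes the endpoints but does not invalidate an APP_KEY that was already retrieved, so a key exposed on a pre-fix build should be treated as compromised.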
Details
- CWE(s)