CVE-2025-34220
Published: 29 September 2025
Summary
CVE-2025-34220 is a medium-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Vasion Virtual Appliance Application. Its CVSS base score is 6.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Permission Groups Discovery (T1069); ranked at the 48.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-31627
Vulnerability details
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.1.102 and Application prior to version 25.1.1413 (VA/SaaS deployments) contains a /api-gateway/identity/search-groups endpoint that does not require authentication. Requests to https://<tenant>.printercloud10.com/api-gateway/identity/search-groups and adjustments to the `Host` header allow an unauthenticated…
more
remote attacker to enumerate every group object stored for that tenant. The response includes internal identifiers (group ID, source service ID, Azure AD object IDs, creation timestamps, and tenant IDs). This vulnerability has been confirmed to be remediated, but it is unclear as to when the patch was introduced.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unauthenticated access to /api-gateway/identity/search-groups endpoint enables enumeration of all tenant group objects, including group IDs, Azure AD object IDs, and other identifiers, directly facilitating Permission Groups Discovery (T1069), particularly domain and cloud groups.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Session auditing enables detection of unauthorized exposure or access to sensitive information during user activities.
Privacy and security architectures require controls to protect sensitive information from unauthorized exposure across the system lifecycle.
Inventory identifies all systems holding or processing data, enabling detection of unauthorized exposure paths before exploitation.
Protection planning for critical infrastructure directly calls for authentication of access to essential functions before any operation is permitted.
Risk assessments evaluate exposure of critical functions lacking authentication and prioritize corrective controls.
Requires authentication gates on critical functions that must remain unavailable to anonymous public users.
Treats remote activation of surveillance-capable devices as a critical function that must be disabled or authenticated.
Decoys supply misleading data and log access attempts, directly detecting and deflecting unauthorized information exposure.