CVE-2025-34221
Published: 29 September 2025
Summary
CVE-2025-34221 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Vasion Virtual Appliance Application. Its CVSS base score is 10.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 13.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and CM-6 (Configuration Settings).
Deeper analysis
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.2.169 and Application prior to version 25.2.1518, in both VA and SaaS deployments, contain an authentication bypass vulnerability tracked as V-2025-002. The root cause is overly permissive firewall rules that expose all internal Docker containers to the network via the Docker bridge interface, with no authentication, ACLs, or client identifiers required to reach the containers.
An unauthenticated remote attacker can therefore reach any internal API exposed inside the containers, completely bypassing the application's normal authentication controls. Successful exploitation grants direct access to internal services, enabling credential theft, configuration changes, and potential remote code execution on the affected host.
Vendor security bulletins direct customers to upgrade the Virtual Appliance Host to 25.2.169 or later and the Application to 25.2.1518 or later. The referenced advisories and independent analyses confirm that these updates restrict traffic to the Docker bridge network and restore proper access controls.
EPSS scores have remained low, with a current value of 0.0304 and a peak of 0.0365.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-31624
Vulnerability details
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.2.169 and Application prior to version 25.2.1518 (VA/SaaS deployments) expose every internal Docker container to the network because firewall rules allow unrestricted traffic to the Docker bridge network. Because no…
more
authentication, ACL or client‑side identifier is required, the attacker can interact with any internal API, bypassing the product’s authentication mechanisms entirely. The result is unauthenticated remote access to internal services, allowing credential theft, configuration manipulation and potential remote code execution. This vulnerability has been identified by the vendor as: V-2025-002 — Authentication Bypass - Docker Instances.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unauthenticated access to internal Docker containers and APIs via exposed bridge network enables exploitation of public-facing/remote services (T1190/T1210), credential theft from internal services (T1552), and configuration manipulation that may impair defenses (T1562).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Monitors and controls communications at key internal managed interfaces, directly preventing unrestricted network access to the exposed Docker bridge network and internal containers.
Enforces approved information flow control policies to block unauthorized traffic to internal Docker containers and APIs, addressing the lack of firewall restrictions.
Establishes and enforces secure configuration settings for firewalls to restrict access to the Docker bridge network, mitigating the misconfigured rules enabling authentication bypass.