Cyber Resilience

CVE-2025-34221

CriticalPublic PoC

Published: 29 September 2025

Published
29 September 2025
Modified
09 October 2025
KEV Added
Patch
CVSS Score v4 10.0 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0304 87.0th percentile
Risk Priority 22 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-34221 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Vasion Virtual Appliance Application. Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 13.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and CM-6 (Configuration Settings).

Deeper analysis

Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.2.169 and Application prior to version 25.2.1518, in both VA and SaaS deployments, contain an authentication bypass vulnerability tracked as V-2025-002. The root cause is overly permissive firewall rules that expose all internal Docker containers to the network via the Docker bridge interface, with no authentication, ACLs, or client identifiers required to reach the containers.

An unauthenticated remote attacker can therefore reach any internal API exposed inside the containers, completely bypassing the application's normal authentication controls. Successful exploitation grants direct access to internal services, enabling credential theft, configuration changes, and potential remote code execution on the affected host.

Vendor security bulletins direct customers to upgrade the Virtual Appliance Host to 25.2.169 or later and the Application to 25.2.1518 or later. The referenced advisories and independent analyses confirm that these updates restrict traffic to the Docker bridge network and restore proper access controls.

EPSS scores have remained low, with a current value of 0.0304 and a peak of 0.0365.

EU & UK References

Vulnerability details

Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.2.169 and Application prior to version 25.2.1518 (VA/SaaS deployments) expose every internal Docker container to the network because firewall rules allow unrestricted traffic to the Docker bridge network. Because no…

more

authentication, ACL or client‑side identifier is required, the attacker can interact with any internal API, bypassing the product’s authentication mechanisms entirely. The result is unauthenticated remote access to internal services, allowing credential theft, configuration manipulation and potential remote code execution. This vulnerability has been identified by the vendor as: V-2025-002 — Authentication Bypass - Docker Instances.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1210 Exploitation of Remote Services Lateral Movement
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
T1552 Unsecured Credentials Credential Access
Adversaries may search compromised systems to find and obtain insecurely stored credentials.
T1685 Disable or Modify Tools Defense Impairment
Adversaries may disable, degrade, or tamper with security tools or applications (e.
Why these techniques?

Unauthenticated access to internal Docker containers and APIs via exposed bridge network enables exploitation of public-facing/remote services (T1190/T1210), credential theft from internal services (T1552), and configuration manipulation that may impair defenses (T1562).

CVEs Like This One

CVE-2025-34224Same product: Vasion Virtual Appliance Application
CVE-2025-34218Same product: Vasion Virtual Appliance Application
CVE-2025-34215Same product: Vasion Virtual Appliance Application
CVE-2025-34223Same product: Vasion Virtual Appliance Application
CVE-2025-34216Same product: Vasion Virtual Appliance Application
CVE-2025-34225Same product: Vasion Virtual Appliance Application
CVE-2025-34222Same product: Vasion Virtual Appliance Application
CVE-2025-34231Same product: Vasion Virtual Appliance Application
CVE-2025-34228Same product: Vasion Virtual Appliance Application
CVE-2025-34203Same product: Vasion Virtual Appliance Application

Affected Assets

vasion
virtual appliance application
≤ 25.2.1518
vasion
virtual appliance host
≤ 25.2.169

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Monitors and controls communications at key internal managed interfaces, directly preventing unrestricted network access to the exposed Docker bridge network and internal containers.

prevent

Enforces approved information flow control policies to block unauthorized traffic to internal Docker containers and APIs, addressing the lack of firewall restrictions.

prevent

Establishes and enforces secure configuration settings for firewalls to restrict access to the Docker bridge network, mitigating the misconfigured rules enabling authentication bypass.

References