CVE-2025-34221
Published: 29 September 2025
Summary
CVE-2025-34221 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Vasion Virtual Appliance Application. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 12.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and CM-6 (Configuration Settings).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Monitors and controls communications at key internal managed interfaces, directly preventing unrestricted network access to the exposed Docker bridge network and internal containers.
Enforces approved information flow control policies to block unauthorized traffic to internal Docker containers and APIs, addressing the lack of firewall restrictions.
Establishes and enforces secure configuration settings for firewalls to restrict access to the Docker bridge network, mitigating the misconfigured rules enabling authentication bypass.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unauthenticated access to internal Docker containers and APIs via exposed bridge network enables exploitation of public-facing/remote services (T1190/T1210), credential theft from internal services (T1552), and configuration manipulation that may impair defenses (T1562).
NVD Description
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.2.169 and Application prior to version 25.2.1518 (VA/SaaS deployments) expose every internal Docker container to the network because firewall rules allow unrestricted traffic to the Docker bridge network. Because no…
more
authentication, ACL or client‑side identifier is required, the attacker can interact with any internal API, bypassing the product’s authentication mechanisms entirely. The result is unauthenticated remote access to internal services, allowing credential theft, configuration manipulation and potential remote code execution. This vulnerability has been identified by the vendor as: V-2025-002 — Authentication Bypass - Docker Instances.
Deeper analysisAI
CVE-2025-34221 is an authentication bypass vulnerability in Vasion Print (formerly PrinterLogic) Virtual Appliance Host versions prior to 25.2.169 and Application versions prior to 25.2.1518, affecting VA/SaaS deployments. The issue arises because firewall rules permit unrestricted traffic to the Docker bridge network, exposing all internal Docker containers to the network. No authentication, access control lists (ACLs), or client-side identifiers are enforced, allowing attackers to interact directly with internal APIs and fully bypass the product's authentication mechanisms. Vendor-designated as V-2025-002 (Authentication Bypass - Docker Instances), it has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-306 (Missing Authentication for Critical Function).
Attackers require only network access with no privileges, authentication, or user interaction. Exploitation grants unauthenticated remote access to internal services, enabling credential theft, configuration manipulation, and potential remote code execution.
Vendor security bulletins for SaaS and VA deployments detail mitigation, recommending upgrades to Virtual Appliance Host version 25.2.169 or later and Application version 25.2.1518 or later to restrict Docker bridge network access and enforce proper firewall rules. Additional advisory information is available in the referenced PrinterLogic security bulletins and independent analyses.
Details
- CWE(s)