CVE-2025-34222
Published: 29 September 2025
Summary
CVE-2025-34222 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Vasion Virtual Appliance Application. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique File Deletion (T1070.004); ranked at the 35.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
- AC-14 (Permitted Actions Without Identification or Authentication): directly identifies and restricts critical actions (certificate upload, deletion, and download) to those explicitly permitted without authentication, preventing exploitation of the exposed admin routes.
- AC-3 (Access Enforcement): enforces approved access authorizations, blocking unauthenticated access to the sensitive admin endpoints for certificate management and mitigating IDOR enumeration.
- AC-6 (Least Privilege): ensures certificate modification and retrieval functions are available only to authorized users, countering the lack of validation in HPCertificateController.
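The three controls above reduce to two checks that HPCertificateController is described as lacking: authenticate the caller before any certificate action, and authorize access to a specific service-client object instead of trusting the {scid} path parameter. The sketch below is an added example, not Vasion/PrinterLogic code: the real appliance is a PHP/Laravel application (routes/web.php), and this is a language-neutral Python model of the same routes. The `User`, `Request` and `dispatch` names, the decorator helpers, and the `SERVICE_CLIENT_CERTS` store with its scid values are all constructed for illustration.

```python
"""Vulnerable vs hardened shape of the admin certificate routes (added example).

Not code from the Vasion appliance; a Python model of the missing checks.
"""
from dataclasses import dataclass
from functools import wraps
from typing import Optional, Tuple

Response = Tuple[int, str]  # (HTTP status, body)


@dataclass
class User:
    name: str
    is_admin: bool = False
    owned_scids: frozenset = frozenset()  # service-client ids this user may read


@dataclass
class Request:
    path: str
    user: Optional[User] = None  # None models a request with no valid session


# Constructed store: service-client id -> certificate blob (placeholder values)
SERVICE_CLIENT_CERTS = {
    "scid-100": "PEM-FOR-ALICE",
    "scid-101": "PEM-FOR-BOB",
}


def require_auth(handler):
    """Reject callers with no authenticated session (the check the controller lacked; AC-14)."""
    @wraps(handler)
    def wrapped(req: Request, *args) -> Response:
        if req.user is None:
            return 401, "authentication required"
        return handler(req, *args)
    return wrapped


def require_admin(handler):
    """Enforce the admin role for certificate-management actions (AC-3 / AC-6)."""
    @wraps(handler)
    def wrapped(req: Request, *args) -> Response:
        if req.user is None or not req.user.is_admin:
            return 403, "admin role required"
        return handler(req, *args)
    return wrapped


# --- vulnerable shape: handlers perform no caller validation at all ---
def cert_delete_vulnerable(req: Request) -> Response:
    return 200, "certificate deleted"


def serviceclient_cert_vulnerable(req: Request, scid: str) -> Response:
    pem = SERVICE_CLIENT_CERTS.get(scid)
    # 200 for present ids and 404 for absent ones is an enumeration oracle (the IDOR)
    return (200, pem) if pem else (404, "no such client")


# --- hardened shape: authenticate, then authorize per action and per object ---
@require_auth
@require_admin
def cert_delete_hardened(req: Request) -> Response:
    return 200, "certificate deleted"


@require_auth
def serviceclient_cert_hardened(req: Request, scid: str) -> Response:
    pem = SERVICE_CLIENT_CERTS.get(scid)
    allowed = req.user.is_admin or scid in req.user.owned_scids
    if pem is None or not allowed:
        # Same answer for "missing" and "not yours": no oracle to enumerate ids
        return 404, "no such client"
    return 200, pem


SC_PREFIX = "/admin/certs/serviceclients/"


def dispatch(req: Request, hardened: bool) -> Response:
    """Minimal router for the two routes modelled here; hardened=False reproduces the flaw."""
    if req.path == "/admin/hp/cert_delete":
        return (cert_delete_hardened if hardened else cert_delete_vulnerable)(req)
    if req.path.startswith(SC_PREFIX):
        scid = req.path[len(SC_PREFIX):]
        handler = serviceclient_cert_hardened if hardened else serviceclient_cert_vulnerable
        return handler(req, scid)
    return 404, "not found"


if __name__ == "__main__":
    alice = User("alice", owned_scids=frozenset({"scid-100"}))
    print(dispatch(Request("/admin/hp/cert_delete"), hardened=False))
    print(dispatch(Request("/admin/hp/cert_delete"), hardened=True))
    print(dispatch(Request(SC_PREFIX + "scid-101", alice), hardened=True))
```

The `require_auth` decorator is the AC-14 fix (nothing on these routes is permitted without identification); `require_admin` and the ownership test in `serviceclient_cert_hardened` are AC-3/AC-6. Returning the same 404 for a missing id and for someone else's id is what actually closes the IDOR enumeration; an authenticated-only fix that still distinguishes the two cases would leave the oracle in place for any logged-in user.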
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unauthenticated access to admin APIs enables exploitation of public-facing application (T1190), root certificate installation/replacement (T1130), certificate deletion (T1070.004), and stealing client/CA authentication certificates via IDOR (T1649).
NVD Description
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 22.0.1049 and Application prior to version 20.0.2786 (VA/SaaS deployments) expose four admin routes (/admin/hp/cert_upload, /admin/hp/cert_delete, /admin/certs/ca, and /admin/certs/serviceclients/{scid}) without any authentication check. The routes are defined in the /var/www/app/routes/web.php file inside the printercloud/pi Docker container and are handled by the HPCertificateController class, which performs no user validation. An unauthenticated attacker can therefore upload a new TLS/SSL certificate replacing the trusted root used by the appliance, delete an existing certificate causing immediate loss of trust for services that rely on it, or download any stored CA or client certificate via the service-clients endpoint, which also suffers an IDOR that allows enumeration of all client IDs. This vulnerability has been identified by the vendor as V-2024-028: Unauthenticated Admin APIs Used to Modify SSL Certificates.
Deeper analysisAI
CVE-2025-34222 is a high-severity vulnerability (CVSS 9.1) affecting Vasion Print (formerly PrinterLogic) Virtual Appliance Host versions prior to 22.0.1049 and Application versions prior to 20.0.2786 in VA/SaaS deployments. It stems from four admin routes—/admin/hp/cert_upload, /admin/hp/cert_delete, /admin/certs/ca, and /admin/certs/serviceclients/{scid}—being exposed without authentication checks. These routes are defined in the /var/www/app/routes/web.php file within the printercloud/pi Docker container and handled by the HPCertificateController class, which lacks user validation. The issue aligns with CWE-306 (Missing Authentication for Critical Function) and CWE-434 (Unrestricted Upload of File with Dangerous Type), and the vendor designates it as V-2024-028: Unauthenticated Admin APIs Used to Modify SSL Certificates.
An unauthenticated attacker with network access can exploit this vulnerability remotely with low complexity and no privileges. Successful exploitation allows uploading a new TLS/SSL certificate to replace the trusted root used by the appliance, deleting existing certificates to cause immediate loss of trust for dependent services, or downloading any stored CA or client certificate via the service-clients endpoint. This endpoint also features an Insecure Direct Object Reference (IDOR) flaw, enabling enumeration of all client IDs.
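Because the four routes are fixed paths, the exploitation pattern described above (certificate upload or deletion without a session, and one source walking through service-client IDs) is straightforward to hunt for in the appliance's web-server access log. The script below is an added example, not part of this record or of any vendor tooling. It assumes a combined/common access-log format; the `SAMPLE_LOG` lines, the source addresses in them, and the `ENUM_THRESHOLD` tuning value are all constructed for the example.

```python
"""Hunt for CVE-2025-34222 activity in a web access log (added example, not vendor code)."""
import re
from collections import defaultdict
from typing import Dict, List, Optional

# The four routes named in the advisory; the service-clients route carries a
# {scid} path parameter, so it is matched by prefix.
SC_ROUTE = "/admin/certs/serviceclients/"
ADMIN_CERT_ROUTES = (
    "/admin/hp/cert_upload",
    "/admin/hp/cert_delete",
    "/admin/certs/ca",
    SC_ROUTE,
)
ENUM_THRESHOLD = 5  # distinct scids from one source before it is reported (assumed tuning value)

# Combined/common access-log format: client - user [time] "METHOD path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample log (not real appliance output): one source uploads a
# certificate and reads several service-client certificates in a row; a
# browser client hitting /admin/certs/ca is redirected (302) to log in.
SAMPLE_LOG = """\
203.0.113.7 - - [29/Sep/2025:10:14:02 +0000] "POST /admin/hp/cert_upload HTTP/1.1" 200 58 "-" "-"
203.0.113.7 - - [29/Sep/2025:10:14:05 +0000] "GET /admin/certs/serviceclients/1 HTTP/1.1" 200 1421 "-" "-"
203.0.113.7 - - [29/Sep/2025:10:14:05 +0000] "GET /admin/certs/serviceclients/2 HTTP/1.1" 200 1397 "-" "-"
203.0.113.7 - - [29/Sep/2025:10:14:06 +0000] "GET /admin/certs/serviceclients/3 HTTP/1.1" 200 1402 "-" "-"
203.0.113.7 - - [29/Sep/2025:10:14:06 +0000] "GET /admin/certs/serviceclients/4 HTTP/1.1" 404 0 "-" "-"
203.0.113.7 - - [29/Sep/2025:10:14:07 +0000] "GET /admin/certs/serviceclients/5 HTTP/1.1" 200 1388 "-" "-"
10.0.0.5 - - [29/Sep/2025:10:20:11 +0000] "GET /admin/certs/ca HTTP/1.1" 302 0 "-" "-"
10.0.0.5 - - [29/Sep/2025:10:21:40 +0000] "GET /printers HTTP/1.1" 200 9876 "-" "-"
"""


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one access-log line; None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec: Dict[str, object] = dict(m.groupdict())
    rec["path"] = str(rec["path"]).split("?", 1)[0]  # drop any query string
    rec["status"] = int(str(rec["status"]))
    return rec


def matching_route(path: str) -> Optional[str]:
    """Return the advisory route this path belongs to, or None."""
    for route in ADMIN_CERT_ROUTES:
        if path == route or (route.endswith("/") and path.startswith(route)):
            return route
    return None


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Two findings: any 2xx on an admin cert route (served without a session on an
    unpatched appliance), and one source requesting many distinct service-client ids
    (the IDOR enumeration), counted whether or not each id existed."""
    findings: List[Dict[str, object]] = []
    scids_by_ip: Dict[str, set] = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        route = matching_route(str(rec["path"]))
        if route is None:
            continue
        if 200 <= int(rec["status"]) < 300:
            findings.append({"kind": "admin_cert_route_served", "ip": rec["ip"],
                             "method": rec["method"], "path": rec["path"], "ts": rec["ts"]})
        if route == SC_ROUTE:
            scids_by_ip[str(rec["ip"])].add(str(rec["path"])[len(SC_ROUTE):])
    for ip, scids in scids_by_ip.items():
        if len(scids) >= ENUM_THRESHOLD:
            findings.append({"kind": "scid_enumeration", "ip": ip, "distinct_scids": len(scids)})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG.splitlines()):
        print(finding)
```

On a patched appliance every unauthenticated request to these routes should produce a redirect or a 401/403, so after upgrading, a 2xx on them from an address that is not an administrator workstation is the signal to chase; before patching, every hit on the cert_upload and cert_delete routes deserves a look regardless of source, since the appliance itself could not tell an administrator from anyone else.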
Vendor security bulletins for SaaS and VA deployments detail mitigation, recommending upgrades to Virtual Appliance Host version 22.0.1049 or later and Application version 20.0.2786 or later. Additional analysis from independent advisories, such as those from VulnCheck and researcher Pierre Kim, confirms the issue and emphasizes applying patches promptly to prevent certificate manipulation.
Details
- CWE(s)