CVE-2025-34223
Published: 29 September 2025
Summary
CVE-2025-34223 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Vasion Virtual Appliance Application. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Default Accounts (T1078.001). The CVE is ranked in the top 14.6% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and IA-5 (Authenticator Management).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
AC-14 explicitly prohibits permitted actions without identification or authentication for critical functions like the unauthenticated endpoint that allows overwriting admin credentials.
IA-5 mandates changing default authenticators prior to first use and ensuring sufficient strength of mechanism, directly addressing hard-coded default credentials and bypassable password policies.
AC-2 requires proper management of accounts including disabling defaults and monitoring usage, mitigating risks from persistent default admin accounts during and post-initial setup.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated access to the installation endpoint enables overwriting the default admin credentials, facilitating exploitation of a public-facing application (T1190) and use of default accounts (T1078.001) for full administrative control.
NVD Description
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 22.0.1049 and Application prior to version 20.0.2786 (VA/SaaS deployments) contain a default admin account and an installation‑time endpoint at `/admin/query/update_database.php` that can be accessed without authentication. An attacker who can reach the installation web interface can POST arbitrary `root_user` and `root_password` values, causing the script to replace the default admin credentials with attacker‑controlled ones. The script also contains hard‑coded SHA‑512 and SHA‑1 hashes of the default password, allowing the attacker to bypass password‑policy validation. As a result, an unauthenticated remote attacker can obtain full administrative control of the system during the initial setup. This vulnerability has been identified by the vendor as: V-2024-022 — Insecure Installation Credentials.
Deeper analysis
CVE-2025-34223 is a critical vulnerability in Vasion Print (formerly PrinterLogic) Virtual Appliance Host versions prior to 22.0.1049 and Application versions prior to 20.0.2786, affecting VA/SaaS deployments. It stems from a default admin account paired with an unauthenticated installation-time endpoint at /admin/query/update_database.php. This endpoint allows attackers to POST arbitrary root_user and root_password values, overwriting the default admin credentials with attacker-controlled ones. The script includes hard-coded SHA-512 and SHA-1 hashes of the default password, enabling bypass of password-policy validation. The issue is tracked by the vendor as V-2024-022 — Insecure Installation Credentials. The associated CWEs are CWE-306 (Missing Authentication for Critical Function) and CWE-798 (Use of Hard-coded Credentials), and the CVSS v3.1 base score is 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
An unauthenticated remote attacker who can reach the installation web interface can exploit this vulnerability during the initial setup phase to gain full administrative control of the system. No privileges, user interaction, or special conditions are required beyond network access to the endpoint.
Vendor security bulletins for SaaS and VA deployments detail the issue and are available at PrinterLogic's help sites. Additional analysis appears in advisories from VulnCheck and researcher Pierre Kim's blog, which covers this as part of 83 vulnerabilities in Vasion/PrinterLogic products.
This vulnerability was publicly disclosed on 2025-09-29 alongside researcher findings on broader insecure credential handling in the platform. No evidence of real-world exploitation is noted in available details.
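A detection sketch for the behaviour described above, added here as an example (not code from the vendor, NVD or the researcher): it scans web-server access logs for POST requests to `/admin/query/update_database.php`. The combined log format, the constructed sample lines and the function names are assumptions.

```python
import re
from posixpath import normpath
from urllib.parse import unquote

SETUP_ENDPOINT = "/admin/query/update_database.php"  # path named in the advisory

# Assumption: the appliance's web front end writes Apache/nginx "combined" logs.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation-range addresses), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [29/Sep/2025:10:00:01 +0000] "GET /admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [29/Sep/2025:10:02:13 +0000] "POST /admin/query/update_database.php HTTP/1.1" 200 87 "-" "curl/8.5.0"',
    '198.51.100.7 - - [29/Sep/2025:10:02:20 +0000] "POST /admin//query/./Update_Database.php?x=1 HTTP/1.1" 403 12 "-" "curl/8.5.0"',
    '192.0.2.10 - - [29/Sep/2025:10:03:00 +0000] "POST /admin/query/%75pdate_database.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [29/Sep/2025:10:04:00 +0000] "GET /admin/query/update_database.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
]

def canonical_path(target):
    """Strip query/fragment, percent-decode once, collapse //, /./ and /../, lowercase."""
    path = unquote(target.split("?", 1)[0].split("#", 1)[0])
    # lstrip first: posixpath.normpath deliberately keeps a leading "//".
    return normpath("/" + path.lstrip("/")).lower()

def find_setup_posts(lines):
    """Return one record per POST whose normalised path is the setup endpoint."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or canonical_path(m["target"]) != SETUP_ENDPOINT:
            continue
        status = int(m["status"])
        # The endpoint is described as unauthenticated, so a 2xx/3xx response
        # means the request was processed rather than rejected upstream.
        severity = "high" if status < 400 else "info"
        hits.append({"src": m["src"], "ts": m["ts"], "status": status, "severity": severity})
    return hits

if __name__ == "__main__":
    for hit in find_setup_posts(SAMPLE_LOG):
        print(hit)
```

On a patched or fully provisioned appliance any "high" record is worth correlating with subsequent admin logins from the same source.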
Details
- CWE(s)