Cyber Resilience

CVE-2025-34223

Critical · Public PoC

Published: 29 September 2025
Modified: 09 October 2025
KEV Added:
Patch:
CVSS Score v4: 10.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0206 (84.3th percentile)
Risk Priority: 21 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-34223 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Vasion Virtual Appliance Application. Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Default Accounts (T1078.001). The CVE ranks in the top 15.7% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and IA-5 (Authenticator Management).

Deeper analysis

Vasion Print, formerly known as PrinterLogic, Virtual Appliance Host versions prior to 22.0.1049 and Application versions prior to 20.0.2786 in VA and SaaS deployments contain a default administrative account together with an unauthenticated installation endpoint at /admin/query/update_database.php. The endpoint accepts unauthenticated POST requests that supply arbitrary root_user and root_password values, while hard-coded SHA-512 and SHA-1 hashes of the original default password allow the supplied values to bypass password-policy checks. The issue is tracked by the vendor as V-2024-022 and is also described by CWE-306 and CWE-798.

An unauthenticated remote attacker who can reach the installation web interface can therefore replace the built-in administrator credentials and obtain full administrative control of the appliance or SaaS instance during its initial setup phase. Because the attack requires no prior authentication and succeeds over the network with minimal complexity, it yields complete system compromise before any legitimate administrator has configured the product.

Vendor security bulletins hosted at help.printerlogic.com direct customers to upgrade the Virtual Appliance Host to 22.0.1049 or later and the Application component to 20.0.2786 or later; the same pages list the vulnerability under the internal identifier V-2024-022 and advise applying the updates to close the installation-time exposure.
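Alongside the upgrade, access logs can be reviewed for requests to the installation endpoint. The following Python script is an added example, not code from the vendor or from this page's sources: it flags POST requests to `/admin/query/update_database.php` after normalizing the request path. It assumes the appliance or a fronting proxy writes Combined Log Format; the log lines and addresses are constructed.

```python
import posixpath
import re
from urllib.parse import unquote

# Endpoint named in the advisory text.
TARGET = "/admin/query/update_database.php"

# Assumed format: Combined Log Format (ip ident user [time] "request" status size ...).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Oct/2025:09:12:01 +0000] "GET /admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Oct/2025:09:14:33 +0000] "POST /admin/query/update_database.php HTTP/1.1" 200 87 "-" "curl/8.5.0"',
    '198.51.100.7 - - [01/Oct/2025:09:14:40 +0000] "POST /admin//query/./update_database.php?step=1 HTTP/1.1" 403 162 "-" "curl/8.5.0"',
    '203.0.113.5 - - [01/Oct/2025:09:20:02 +0000] "GET /admin/query/update_database.php HTTP/1.1" 405 0 "-" "Mozilla/5.0"',
]

def normalize_path(target: str) -> str:
    """Drop query/fragment, percent-decode, collapse slashes and dot segments."""
    path = target.split("?", 1)[0].split("#", 1)[0]
    path = re.sub(r"/{2,}", "/", unquote(path))
    return posixpath.normpath(path)

def find_credential_reset_attempts(lines):
    """Return one finding per POST request to the installation endpoint."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if normalize_path(m["target"]) != TARGET:
            continue
        findings.append({
            "line": n,
            "ip": m["ip"],
            "time": m["ts"],
            "status": int(m["status"]),
            # A 2xx answer means the script ran: verify the admin credentials.
            "served": m["status"].startswith("2"),
        })
    return findings

if __name__ == "__main__":
    for finding in find_credential_reset_attempts(SAMPLE_LOG):
        print(finding)
```

Any finding with `served` set to true on an affected version warrants checking whether the administrator credentials were changed by someone other than the legitimate installer.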

The associated EPSS score rose from a low baseline to a recorded peak of 0.0384, indicating that exploitation interest increased after public disclosure.

EU & UK References

Vulnerability details

Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 22.0.1049 and Application prior to version 20.0.2786 (VA/SaaS deployments) contain a default admin account and an installation‑time endpoint at `/admin/query/update_database.php` that can be accessed without authentication. An attacker who can reach the installation web interface can POST arbitrary `root_user` and `root_password` values, causing the script to replace the default admin credentials with attacker‑controlled ones. The script also contains hard‑coded SHA‑512 and SHA‑1 hashes of the default password, allowing the attacker to bypass password‑policy validation. As a result, an unauthenticated remote attacker can obtain full administrative control of the system during the initial setup. This vulnerability has been identified by the vendor as: V-2024-022 — Insecure Installation Credentials.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1078.001 Default Accounts · Stealth
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.

T1190 Exploit Public-Facing Application · Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Unauthenticated access to the installation endpoint enables overwriting the default admin credentials. This facilitates exploitation of a public-facing application (T1190) and the use of default accounts (T1078.001) to gain full administrative control.

CVEs Like This One

CVE-2025-34224 · Same product: Vasion Virtual Appliance Application
CVE-2025-34215 · Same product: Vasion Virtual Appliance Application
CVE-2025-34221 · Same product: Vasion Virtual Appliance Application
CVE-2025-34216 · Same product: Vasion Virtual Appliance Application
CVE-2025-34218 · Same product: Vasion Virtual Appliance Application
CVE-2025-34225 · Same product: Vasion Virtual Appliance Application
CVE-2025-34222 · Same product: Vasion Virtual Appliance Application
CVE-2025-34231 · Same product: Vasion Virtual Appliance Application
CVE-2025-34228 · Same product: Vasion Virtual Appliance Application
CVE-2025-34198 · Same product: Vasion Virtual Appliance Application

Affected Assets

vasion · virtual appliance application · ≤ 20.0.2786
vasion · virtual appliance host · ≤ 22.0.1049

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

AC-14 (prevent): limits the actions permitted without identification or authentication, which excludes critical functions such as the unauthenticated endpoint that allows overwriting admin credentials.

IA-5 (prevent): mandates changing default authenticators prior to first use and ensuring sufficient strength of mechanism, directly addressing hard-coded default credentials and bypassable password policies.

AC-2 (prevent): requires proper management of accounts, including disabling defaults and monitoring usage, mitigating risks from persistent default admin accounts during and after initial setup.

References