CVE-2025-34224
Published: 29 September 2025
Summary
CVE-2025-34224 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Vasion Virtual Appliance Application. Its CVSS base score is 10.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 23.3% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Deeper analysis
Vasion Print, formerly known as PrinterLogic, is affected by CVE-2025-34224 in Virtual Appliance Host versions prior to 22.0.1049 and Application versions prior to 20.0.2786 for VA and SaaS deployments. The flaw stems from unauthenticated exposure of PHP scripts in the console_release directory, which corresponds to missing authentication controls for critical device management functions, as classified under CWE-306.
An unauthenticated remote attacker can directly invoke the exposed endpoints over the network to reconfigure networked printers, add or delete RFID badge devices, and alter other device settings, achieving full control over printer infrastructure without any credentials or user interaction.
Vendor security bulletins at the referenced PrinterLogic help pages detail the issue as V-2024-029 and indicate that the listed version updates address the exposure for both on-premises and SaaS deployments; additional technical analysis is available from third-party sources including VulnCheck and independent researcher write-ups.
EPSS scores remained low overall, with a modest peak of 0.0227 recorded in early 2026 before receding to the current value of 0.0094.
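As an added example (not vendor code and not part of the original entry), the following Python triages web access logs for requests to PHP scripts under `console_release` that come from outside an expected admin network, normalising encoded or dotted paths first. The Combined Log Format, the `10.20.0.0/24` admin subnet, the sample lines and the placeholder script names are assumptions constructed for illustration.

```python
import ipaddress
import posixpath
import re
from urllib.parse import unquote

# Assumption: legitimate console traffic comes only from this admin subnet.
ADMIN_NETS = [ipaddress.ip_network("10.20.0.0/24")]
# Assumption: Combined Log Format -> ip - user [time] "METHOD target PROTO" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
# Any PHP script under a console_release directory (trailing PATH_INFO allowed).
SCRIPT_RE = re.compile(r"(?:^|/)console_release/(?:.*/)?[^/]+\.php(?:/|$)", re.I)
# Constructed sample lines; the script names are placeholders, not real endpoints.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Oct/2025:10:00:01 +0000] "POST /console_release/placeholder_a.php HTTP/1.1" 200 512 "-" "curl/8.0"',
    '10.20.0.15 - - [01/Oct/2025:10:00:05 +0000] "POST /console_release/placeholder_a.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [01/Oct/2025:10:01:00 +0000] "GET /a/../%63onsole_release//placeholder_b.php?id=1 HTTP/1.1" 403 0 "-" "-"',
    '203.0.113.7 - - [01/Oct/2025:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "-"',
]

def normalise(target):
    """Drop the query, percent-decode, and collapse //, ./ and ../ segments."""
    path = unquote(target.split("?", 1)[0])
    return posixpath.normpath("/" + path.lstrip("/"))

def find_hits(lines):
    """Return requests to console_release scripts from outside ADMIN_NETS."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the assumed log format
        path = normalise(m["target"])
        if not SCRIPT_RE.search(path):
            continue
        try:
            admin = any(ipaddress.ip_address(m["ip"]) in net for net in ADMIN_NETS)
        except ValueError:
            admin = False  # hostname or garbage in the client field: still report
        if admin:
            continue
        hits.append({"ip": m["ip"], "time": m["ts"], "method": m["method"],
                     "path": path, "served": m["status"].startswith("2")})
    return hits

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print(hit)
```

A hit with `served` set to true on a version prior to the fixed releases is a reason to review printer and RFID badge device configuration for unexpected changes. Behind a reverse proxy the client field holds the proxy address, so the forwarded client address would have to be logged and parsed instead.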
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-31626
Vulnerability details
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 22.0.1049 and Application prior to version 20.0.2786 (VA/SaaS deployments) expose a set of PHP scripts under the `console_release` directory without requiring authentication. An unauthenticated remote attacker can invoke these endpoints to re-configure networked printers, add or delete RFID badge devices, or otherwise modify device settings. This vulnerability has been identified by the vendor as: V-2024-029 — No Authentication to Modify Devices.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability exposes unauthenticated PHP endpoints in the console_release directory of the Vasion Print Virtual Appliance and SaaS application, enabling remote attackers to reconfigure printers, manage RFID badge devices, and modify settings, which maps to exploitation of a public-facing or remotely accessible web application.
Mitigating Controls (NIST 800-53 r5)
Directly prohibits and monitors unauthenticated actions such as re-configuring printers or modifying RFID devices via exposed PHP scripts.
Enforces approved access control policies to block unauthorized remote modifications through the console_release directory endpoints.
Restricts public access to sensitive endpoints, preventing unauthenticated attackers from altering networked printers and device settings.