CVE-2025-34224
Published: 29 September 2025
Summary
CVE-2025-34224 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Vasion Virtual Appliance Application. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 23.6% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly prohibits and monitors unauthenticated actions such as re-configuring printers or modifying RFID devices via exposed PHP scripts.
Enforces approved access control policies to block unauthorized remote modifications through the console_release directory endpoints.
Restricts public access to sensitive endpoints, preventing unauthenticated attackers from altering networked printers and device settings.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability exposes unauthenticated PHP endpoints in the console_release directory of the Vasion Print Virtual Appliance and SaaS application, enabling remote attackers to reconfigure printers, manage RFID badge devices, and modify settings. Because the entry point is a remotely reachable web application, this maps to Exploit Public-Facing Application (T1190).
NVD Description
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 22.0.1049 and Application prior to version 20.0.2786 (VA/SaaS deployments) expose a set of PHP scripts under the `console_release` directory without requiring authentication. An unauthenticated remote attacker can invoke these endpoints to re-configure networked printers, add or delete RFID badge devices, or otherwise modify device settings. This vulnerability has been identified by the vendor as: V-2024-029 — No Authentication to Modify Devices.
Deeper analysis
CVE-2025-34224 is a missing authentication vulnerability (CWE-306) in Vasion Print, formerly known as PrinterLogic, affecting Virtual Appliance Host versions prior to 22.0.1049 and Application versions prior to 20.0.2786 in VA/SaaS deployments. The issue stems from a set of PHP scripts exposed under the `console_release` directory without any authentication requirements. These scripts enable unauthorized modification of networked printers and related devices. The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H) and is designated by the vendor as V-2024-029: No Authentication to Modify Devices.
An unauthenticated remote attacker can exploit this vulnerability by directly invoking the exposed endpoints over the network. Successful exploitation allows the attacker to reconfigure networked printers, add or delete RFID badge devices, or otherwise alter device settings, leading to high integrity and availability impacts without affecting confidentiality.
Vendor security bulletins for SaaS and VA deployments, available at https://help.printerlogic.com/saas/Print/Security/Security-Bulletins.htm and https://help.printerlogic.com/va/Print/Security/Security-Bulletins.htm, address mitigation through upgrades to Virtual Appliance Host version 22.0.1049 or later and Application version 20.0.2786 or later. Independent advisories from VulnCheck (https://www.vulncheck.com/advisories/vasion-print-printerlogic-unauth-device-modification) and researcher Pierre Kim (https://pierrekim.github.io/blog/2025-04-08-vasion-printerlogic-83-vulnerabilities.html#va-lack-of-auth-manage-printers) provide further technical details on the issue.
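As an added example (not code from this database, the vendor, or the cited researchers), the following Python helpers perform two defender-side checks that follow from the analysis above: comparing an installed build against the fixed releases named in the vendor bulletins, and triaging web access logs for requests to the console_release endpoints that originate outside an allowlisted management range. It assumes the scripts are served under a /console_release/ URL path; the script names, addresses and log lines are constructed placeholders.

```python
import ipaddress
import re

# Fixed releases named in the vendor bulletins: VA Host 22.0.1049, Application 20.0.2786.
FIXED_VERSIONS = {"va_host": (22, 0, 1049), "application": (20, 0, 2786)}

# Assumption: the PHP scripts are reachable under this URL prefix (the page names only the directory).
VULNERABLE_PREFIX = "/console_release/"

# Combined-log-format fields we need: source address, method, request path, status.
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def parse_version(text):
    """'22.0.1049' -> (22, 0, 1049) so builds compare numerically, not as strings."""
    return tuple(int(part) for part in text.strip().split("."))

def is_affected(component, installed):
    """True when the installed build predates the fixed release for that component."""
    return parse_version(installed) < FIXED_VERSIONS[component]

def flag_console_release_requests(log_text, trusted_cidrs):
    """Requests to the exposed endpoints from outside trusted ranges (the source address is
    the only signal an access log offers, since these endpoints require no authentication)."""
    trusted = [ipaddress.ip_network(cidr) for cidr in trusted_cidrs]
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m.group("path").startswith(VULNERABLE_PREFIX):
            continue
        src = ipaddress.ip_address(m.group("src"))
        if any(src in net for net in trusted):
            continue  # management network; expected to reach these scripts
        hits.append({"src": str(src), "method": m.group("method"),
                     "path": m.group("path"), "status": m.group("status")})
    return hits

# Constructed sample log (placeholder script names, documentation-range addresses).
SAMPLE_LOG = """\
203.0.113.7 - - [29/Sep/2025:10:01:12 +0000] "POST /console_release/example_script.php HTTP/1.1" 200 512 "-" "curl/8.4.0"
10.0.5.21 - - [29/Sep/2025:10:02:05 +0000] "GET /console_release/example_script.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.5.20 - admin [29/Sep/2025:10:02:40 +0000] "GET /admin/index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [29/Sep/2025:10:03:01 +0000] "GET /console_release/other_script.php?id=1 HTTP/1.1" 200 128 "-" "python-requests/2.31"
"""

if __name__ == "__main__":
    for component, version in (("va_host", "22.0.1040"), ("application", "20.0.2786")):
        print(component, version, "AFFECTED" if is_affected(component, version) else "fixed")
    for hit in flag_console_release_requests(SAMPLE_LOG, ["10.0.0.0/8"]):
        print("review:", hit)
```

Any hit returned for a deployment still below the fixed build should be treated as a possible device-configuration change and checked against the printer and badge-device inventory.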
Details
- CWE(s)