CVE-2025-34228
Published: 29 September 2025
Summary
CVE-2025-34228 is a high-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Vasion Virtual Appliance Application. Its CVSS base score is 8.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 42.2% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and SC-7 (Boundary Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-14 (Permitted Actions Without Identification or Authentication): directly addresses unauthenticated access to the vulnerable PHP script by requiring that any action permitted without identification or authentication be explicitly identified, authorized, and monitored.
- Input validation: requires validation of the user-controlled hostname and URL inputs to the script, preventing SSRF by blocking requests to arbitrary internal resources.
- SC-7 (Boundary Protection): monitors and controls communications at external boundaries to restrict internet access to the exposed endpoint and to limit outbound SSRF requests into internal networks.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An unauthenticated SSRF in a public-facing endpoint enables exploitation of the public application (T1190), internal network service discovery via forced requests to internal hosts (T1046), use of the server as an internal proxy (T1090.001), and potential data exfiltration from internal resources (T1041).
NVD Description
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.1.102 and Application prior to version 25.1.1413 (VA/SaaS deployments) contain a server-side request forgery (SSRF) vulnerability. The `/var/www/app/console_release/lexmark/update.php` script is reachable from the internet without any authentication. The PHP script builds URLs from user-controlled values and then invokes either `curl_exec()` or `file_get_contents()` without proper validation. Because the endpoint is unauthenticated, any remote attacker can supply a hostname and cause the server to issue requests to internal resources. This enables internal network reconnaissance, potential pivoting, or data exfiltration. This vulnerability has been confirmed to be remediated, but it is unclear as to when the patch was introduced.
Deeper analysis
CVE-2025-34228 is a server-side request forgery (SSRF) vulnerability affecting Vasion Print (formerly PrinterLogic) Virtual Appliance Host versions prior to 25.1.102 and Application versions prior to 25.1.1413 in VA/SaaS deployments. The vulnerable component is the `/var/www/app/console_release/lexmark/update.php` PHP script, which is exposed to the internet without authentication. This script constructs URLs from user-controlled input and executes them using `curl_exec()` or `file_get_contents()` without proper validation, allowing arbitrary request issuance by the server.
Any unauthenticated remote attacker can exploit this vulnerability over the network with low complexity, as indicated by its CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N) and the associated weaknesses CWE-306 (Missing Authentication for Critical Function) and CWE-918 (SSRF). By supplying a malicious hostname, an attacker can force the server to connect to internal resources, enabling network reconnaissance, lateral pivoting to other systems, or exfiltration of sensitive data from the internal network.
Vendor security bulletins for PrinterLogic SaaS and VA deployments, along with advisories from VulnCheck and researcher Pierre Kim, confirm the vulnerability has been remediated in later versions, though the exact patch introduction date remains unclear. Security practitioners should upgrade to Vasion Print Virtual Appliance Host 25.1.102 or later and Application 25.1.1413 or later, and verify exposure of the affected endpoint.
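The input-validation control above asks for exactly the destination check that the vulnerable script lacks before it calls `curl_exec()` or `file_get_contents()`. As an added example (not Vasion's code and not the patched script), the following Python function shows that check: scheme and hostname allowlisting, rejection of literal and internal addresses, and inspection of every resolved record; the host names, addresses and resolver table are constructed so it runs offline.

```python
import ipaddress
from typing import Callable, Iterable
from urllib.parse import urlsplit

# Ranges a server-side fetcher must never contact, whatever the URL says:
# loopback, RFC 1918, link-local (incl. cloud metadata), CGNAT, unspecified,
# multicast, and their IPv6 counterparts.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "100.64.0.0/10", "0.0.0.0/8", "224.0.0.0/4",
    "::1/128", "::/128", "fc00::/7", "fe80::/10", "ff00::/8")]

# Constructed resolver table so the example runs offline. A real fetcher must
# connect to the address it validated (pinning), not look the name up again.
STUB_DNS = {
    "updates.example-vendor.test": ["203.0.113.10"],
    "rebind.example.test": ["203.0.113.20", "10.0.0.5"],   # mixed answers
}

def stub_resolve(host: str) -> list[str]:
    return STUB_DNS.get(host, [])

def is_internal_address(ip_text: str) -> bool:
    """True if ip_text (v4, v6 or v4-mapped v6) falls in a blocked range."""
    ip = ipaddress.ip_address(ip_text)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped            # ::ffff:127.0.0.1 is still loopback
    return any(ip in net for net in BLOCKED_NETS)

def validate_fetch_target(url: str, allowed_hosts: Iterable[str],
                          resolve: Callable[[str], list[str]] = stub_resolve
                          ) -> tuple[bool, str]:
    """Decide whether a user-supplied URL may be fetched by the server.
    Returns (ok, reason); fetch only when ok is True."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme not allowed: {parts.scheme or '<none>'}"
    host = parts.hostname              # lowercased; user:pass@ and [ ] removed
    if not host:
        return False, "no host in URL"
    if parts.username is not None:
        return False, "credentials in URL are not allowed"
    try:                               # literal IPs bypass the hostname allowlist
        internal = is_internal_address(host)
    except ValueError:
        internal = None                # not an IP literal, so treat as a hostname
    if internal is not None:
        return False, f"{'internal address' if internal else 'literal IP'} not allowed: {host}"
    if host.rstrip(".") not in {h.lower() for h in allowed_hosts}:
        return False, f"host not in allowlist: {host}"
    addrs = resolve(host.rstrip("."))
    bad = [a for a in addrs if is_internal_address(a)]
    if not addrs or bad:               # one internal answer is enough to reject
        return False, f"unsafe resolution for {host}: {bad or 'no answer'}"
    return True, f"ok: {host} -> {', '.join(addrs)}"
```

The same logic ports directly to PHP with `parse_url()`, `filter_var(..., FILTER_VALIDATE_IP)` and `gethostbynamel()`; the essential point is that the check runs before the request is issued and that the connection is made to the validated address.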
Details
- CWE(s)