CVE-2025-34208

Vasion Print (formerly PrinterLogic) Virtual Appliance Host and Application (VA/SaaS deployments) store user passwords using unsalted SHA-512 hashes with a fall-back to unsalted SHA-1. The hashing is performed via PHP's `hash()` function in multiple files (server_write_requests_users.php, update_database.php, legacy/Login.php, tests/Unit/Api/IdpControllerTest.php). No per-user salt is used and the fast hash algorithms are unsuitable for password storage. An attacker who obtains the password database can recover cleartext passwords via offline dictionary or rainbow table attacks. The vulnerable code also contains logic that migrates legacy SHA-1 hashes to SHA-512 on login, further exposing users still on the old hash. This vulnerability was partially resolved, but still present within the legacy authentication platform.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://help.printerlogic.com/saas/Print/Security/Security-Bulletins.htm	Vendor Advisory
https://help.printerlogic.com/va/Print/Security/Security-Bulletins.htm	Vendor Advisory
https://pierrekim.github.io/blog/2025-04-08-vasion-printerlogic-83-vulnerabilities.html#va-incorrect-encryption-algorithms-password	Exploit Third Party Advisory
https://www.vulncheck.com/advisories/vasion-print-printerlogic-insecure-password-hashing	Third Party Advisory
https://pierrekim.github.io/blog/2025-04-08-vasion-printerlogic-83-vulnerabilities.html#va-incorrect-encryption-algorithms-password	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:vasion:virtual_appliance_application:-:::::::*
	cpe:2.3:a:vasion:virtual_appliance_host:-:::::::*

History

09 Oct 2025, 19:17

Type	Values Removed	Values Added
References	~~() https://help.printerlogic.com/saas/Print/Security/Security-Bulletins.htm -~~	() https://help.printerlogic.com/saas/Print/Security/Security-Bulletins.htm - Vendor Advisory
References	~~() https://help.printerlogic.com/va/Print/Security/Security-Bulletins.htm -~~	() https://help.printerlogic.com/va/Print/Security/Security-Bulletins.htm - Vendor Advisory
References	~~() https://pierrekim.github.io/blog/2025-04-08-vasion-printerlogic-83-vulnerabilities.html#va-incorrect-encryption-algorithms-password -~~	() https://pierrekim.github.io/blog/2025-04-08-vasion-printerlogic-83-vulnerabilities.html#va-incorrect-encryption-algorithms-password - Exploit, Third Party Advisory
References	~~() https://www.vulncheck.com/advisories/vasion-print-printerlogic-insecure-password-hashing -~~	() https://www.vulncheck.com/advisories/vasion-print-printerlogic-insecure-password-hashing - Third Party Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5
CPE		cpe:2.3:a:vasion:virtual_appliance_application:-:::::::* cpe:2.3:a:vasion:virtual_appliance_host:-:::::::*
First Time		Vasion virtual Appliance Application Vasion virtual Appliance Host Vasion

02 Oct 2025, 18:15

Type	Values Removed	Values Added
References	~~() https://pierrekim.github.io/blog/2025-04-08-vasion-printerlogic-83-vulnerabilities.html#va-incorrect-encryption-algorithms-password -~~	() https://pierrekim.github.io/blog/2025-04-08-vasion-printerlogic-83-vulnerabilities.html#va-incorrect-encryption-algorithms-password -

02 Oct 2025, 17:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-10-02 17:16

Updated : 2025-10-09 19:17

NVD link : CVE-2025-34208

Mitre link : CVE-2025-34208

CVE.ORG link : CVE-2025-34208

JSON object : View

Products Affected

vasion

virtual_appliance_host
virtual_appliance_application

CWE

CWE-327

Use of a Broken or Risky Cryptographic Algorithm

CWE-759

Use of a One-Way Hash without a Salt

7.5 /10