CVE-2025-34212

Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 22.0.843 and Application prior to version 20.0.1923 (VA/SaaS deployments) possess CI/CD weaknesses: the build pulls an unverified third-party image, downloads the VirtualBox Extension Pack over plain HTTP without signature validation, and grants the jenkins account NOPASSWD for mount/umount. Together these allow supply chain or man-in-the-middle compromise of the build pipeline, injection of malicious firmware, and remote code execution as root on the CI host. This vulnerability has been identified by the vendor as: V-2023-007 — Supply Chain Attack.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://help.printerlogic.com/saas/Print/Security/Security-Bulletins.htm	Vendor Advisory
https://help.printerlogic.com/va/Print/Security/Security-Bulletins.htm	Vendor Advisory
https://pierrekim.github.io/blog/2025-04-08-vasion-printerlogic-83-vulnerabilities.html#va-supply-chain-build-system	Exploit Third Party Advisory
https://www.vulncheck.com/advisories/vasion-print-printerlogic-insecure-build-pipeline	Third Party Advisory
https://pierrekim.github.io/blog/2025-04-08-vasion-printerlogic-83-vulnerabilities.html#va-supply-chain-build-system	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:vasion:virtual_appliance_application::::::::
	cpe:2.3:a:vasion:virtual_appliance_host::::::::

History

09 Oct 2025, 18:03

Type	Values Removed	Values Added
References	~~() https://help.printerlogic.com/saas/Print/Security/Security-Bulletins.htm -~~	() https://help.printerlogic.com/saas/Print/Security/Security-Bulletins.htm - Vendor Advisory
References	~~() https://help.printerlogic.com/va/Print/Security/Security-Bulletins.htm -~~	() https://help.printerlogic.com/va/Print/Security/Security-Bulletins.htm - Vendor Advisory
References	~~() https://pierrekim.github.io/blog/2025-04-08-vasion-printerlogic-83-vulnerabilities.html#va-supply-chain-build-system -~~	() https://pierrekim.github.io/blog/2025-04-08-vasion-printerlogic-83-vulnerabilities.html#va-supply-chain-build-system - Exploit, Third Party Advisory
References	~~() https://www.vulncheck.com/advisories/vasion-print-printerlogic-insecure-build-pipeline -~~	() https://www.vulncheck.com/advisories/vasion-print-printerlogic-insecure-build-pipeline - Third Party Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.8
CPE		cpe:2.3:a:vasion:virtual_appliance_application:::::::: cpe:2.3:a:vasion:virtual_appliance_host::::::::
First Time		Vasion virtual Appliance Application Vasion virtual Appliance Host Vasion

30 Sep 2025, 14:15

Type	Values Removed	Values Added
References	~~() https://pierrekim.github.io/blog/2025-04-08-vasion-printerlogic-83-vulnerabilities.html#va-supply-chain-build-system -~~	() https://pierrekim.github.io/blog/2025-04-08-vasion-printerlogic-83-vulnerabilities.html#va-supply-chain-build-system -

29 Sep 2025, 21:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-09-29 21:15

Updated : 2025-10-09 18:03

NVD link : CVE-2025-34212

Mitre link : CVE-2025-34212

CVE.ORG link : CVE-2025-34212

JSON object : View

Products Affected

vasion

virtual_appliance_host
virtual_appliance_application

CWE

CWE-494

Download of Code Without Integrity Check

CWE-732

Incorrect Permission Assignment for Critical Resource

9.8 /10