CVE-2025-34212 - Vulnerability Details

Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 22.0.843 and Application prior to version 20.0.1923 (VA/SaaS deployments) possess CI/CD weaknesses: the build pulls an unverified third-party image, downloads the VirtualBox Extension Pack over plain HTTP without signature validation, and grants the jenkins account NOPASSWD for mount/umount. Together these allow supply chain or man-in-the-middle compromise of the build pipeline, injection of malicious firmware, and remote code execution as root on the CI host. This vulnerability has been identified by the vendor as: V-2023-007 — Supply Chain Attack.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation poc

Automatable yes

Technical Impact partial

Vendors	Products
Vasion	Virtual Appliance Application Virtual Appliance Host

Configuration 1 [-]

OR	cpe:2.3:a:vasion:virtual_appliance_application::::::::
	cpe:2.3:a:vasion:virtual_appliance_host::::::::

No data.

References

Link	Providers
https://help.printerlogic.com/saas/Print/Security/Security-Bulletins.htm
https://help.printerlogic.com/va/Print/Security/Security-Bulletins.htm
https://pierrekim.github.io/blog/2025-04-08-vasion-printerlogic-83-vulnerabilities.html#va-supply-chain-build-system
https://www.vulncheck.com/advisories/vasion-print-printerlogic-insecure-build-pipeline

History

Thu, 09 Oct 2025 18:15:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:vasion:virtual_appliance_application:::::::: cpe:2.3:a:vasion:virtual_appliance_host::::::::
Metrics		cvssV3_1 `{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}`

Tue, 30 Sep 2025 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 30 Sep 2025 09:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Vasion Vasion virtual Appliance Application Vasion virtual Appliance Host
Vendors & Products		Vasion Vasion virtual Appliance Application Vasion virtual Appliance Host

Mon, 29 Sep 2025 20:45:00 +0000

Type	Values Removed	Values Added
Description		Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 22.0.843 and Application prior to version 20.0.1923 (VA/SaaS deployments) possess CI/CD weaknesses: the build pulls an unverified third-party image, downloads the VirtualBox Extension Pack over plain HTTP without signature validation, and grants the jenkins account NOPASSWD for mount/umount. Together these allow supply chain or man-in-the-middle compromise of the build pipeline, injection of malicious firmware, and remote code execution as root on the CI host. This vulnerability has been identified by the vendor as: V-2023-007 — Supply Chain Attack.
Title		Vasion Print (formerly PrinterLogic) Insecure Build Pipeline
Weaknesses		CWE-494 CWE-732
References		https://help.printerlogic.com/saas/Print/Security/Security-Bulletins.htm https://help.printerlogic.com/va/Print/Security/Security-Bulletins.htm https://pierrekim.github.io/blog/2025-04-08-vasion-printerlogic-83-vulnerabilities.html#va-supply-chain-build-system https://www.vulncheck.com/advisories/vasion-print-printerlogic-insecure-build-pipeline
Metrics		cvssV4_0 `{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}`

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published: 2025-09-29T20:36:51.280Z

Updated: 2025-10-01T03:55:55.352Z

Reserved: 2025-04-15T19:15:22.571Z

Link: CVE-2025-34212

Vulnrichment

Updated: 2025-09-30T13:33:43.583Z

NVD

Status : Analyzed

Published: 2025-09-29T21:15:34.967

Modified: 2025-10-09T18:03:58.000

Link: CVE-2025-34212

Redhat

No data.

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation poc

Automatable yes

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object