CVE-2025-34212

216.73.216.6

· Published 29/09/2025 21:15 · Modified 30/09/2025 14:15

Labels: CVE-2025-34212 2025-09-29 CVE-2025-34212 CWE-494 [email protected]

Essential information

Published: 29/09/2025 21:15
Modified: 30/09/2025 14:15
Author: —
Creator: —
CVSS: 8.7 HIGH (v3) 8.7 HIGH (v4.0)
CISA KEV: No
CWE: —
CVSS vector: —

CVSS metrics

Description

Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 22.0.843 and Application prior to version 20.0.1923 (VA/SaaS deployments) possess CI/CD weaknesses: the build pulls an unverified third-party image, downloads the VirtualBox Extension Pack over plain HTTP without signature validation, and grants the jenkins account NOPASSWD for mount/umount. Together these allow supply chain or man-in-the-middle compromise of the build pipeline, injection of malicious firmware, and remote code execution as root on the CI host. This vulnerability has been identified by the vendor as: V-2023-007 — Supply Chain Attack.

NVD status

Status: Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source: [email protected]
NVD: View on NVD

Affected products (CPE)

Product	CPE
vasion print / vasion print virtual appliance	`cpe:2.3:a:vasion_print:vasion_print_virtual_appliance::<22.0.843>:::::*`
vasion print / vasion print application	`cpe:2.3:a:vasion_print:vasion_print_application::<20.0.1923>:::::*`