CVE-2025-27645

CVE-2025-27645 affects Vasion Print, formerly known as PrinterLogic, in versions before Virtual Appliance Host 22.0.933 Application 20.0.2368. The vulnerability enables insecure extension installation by trusting HTTP permission methods on the server side, tracked as V-2024-005 and mapped to CWE-863 (Incorrect Authorization). It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical due to its potential for severe impact.

Unauthenticated remote attackers can exploit this vulnerability over the network with low attack complexity and no user interaction required. Exploitation allows high-impact compromise of confidentiality, integrity, and availability, potentially leading to full system control through malicious extensions.

Mitigation requires upgrading to Virtual Appliance Host 22.0.933 Application 20.0.2368 or later. Relevant advisories include PrinterLogic's security bulletins at https://help.printerlogic.com/saas/Print/Security/Security-Bulletins.htm, Pierre Kim's analysis of 83 Vasion/PrinterLogic vulnerabilities at https://pierrekim.github.io/blog/2025-04-08-vasion-printerlogic-83-vulnerabilities.html, and the Full Disclosure mailing list post at http://seclists.org/fulldisclosure/2025/Apr/18.

This vulnerability is part of a larger set of 83 flaws disclosed in Vasion Print/PrinterLogic products.