CVE-2025-27649
Published: 05 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-27649 is an Incorrect Access Control vulnerability (CWE-284), identified as PHP V-2023-016, affecting Vasion Print (formerly PrinterLogic) in versions before Virtual Appliance Host 22.0.893 Application 20.0.2140. Published on 2025-03-05, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical due to its potential for severe impact.
Exploitation requires only network access: attack complexity is low, and a remote attacker needs no authentication privileges, user interaction, or other special conditions. Successful exploitation enables high-impact compromise of confidentiality, integrity, and availability, potentially allowing full system control on affected appliances.
Vendor advisories, independent researcher disclosures, and related bulletins provide mitigation guidance, including upgrade instructions to Virtual Appliance Host 22.0.893 Application 20.0.2140 or later. Key references include the PrinterLogic (Vasion) security bulletins at https://help.printerlogic.com/saas/Print/Security/Security-Bulletins.htm, Pierre Kim's analysis of 83 Vasion/PrinterLogic vulnerabilities at https://pierrekim.github.io/blog/2025-04-08-vasion-printerlogic-83-vulnerabilities.html, and the Full Disclosure mailing list entry at http://seclists.org/fulldisclosure/2025/Apr/18.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes an unauthenticated remote incorrect access control flaw (CWE-284) in a public-facing print management application with CVSS 9.8 (AV:N/PR:N), directly enabling initial access and full system compromise through exploitation of the exposed service.