CVE-2025-27651
Published: 05 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-27651 is a Server-Side Request Forgery (SSRF) vulnerability, classified under CWE-918, affecting Vasion Print (formerly known as PrinterLogic) Virtual Appliance Host versions prior to 22.0.862 with Application 20.0.2014. This flaw, also referenced as Elatec V-2023-014, carries a CVSS v3.1 base score of 9.8, indicating critical severity due to its network accessibility, low attack complexity, and lack of prerequisites for exploitation.
The vulnerability enables exploitation by unauthenticated remote attackers over the network with no user interaction required. Successful exploitation allows attackers to achieve high impacts on confidentiality, integrity, and availability, potentially compromising the affected appliance by forging requests to internal or external resources.
Mitigation details are outlined in vendor security bulletins and related disclosures available at https://help.printerlogic.com/saas/Print/Security/Security-Bulletins.htm, https://pierrekim.github.io/blog/2025-04-08-vasion-printerlogic-83-vulnerabilities.html, and http://seclists.org/fulldisclosure/2025/Apr/18. Security practitioners should upgrade to Virtual Appliance Host 22.0.862 or later with Application 20.0.2014 to address this issue.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The described unauthenticated remote SSRF vulnerability in a public-facing virtual appliance directly enables the Exploit Public-Facing Application technique (T1190), allowing attackers to forge requests to internal/external resources and achieve full compromise with high CIA impact.