CVE-2025-27662
Published: 05 March 2025
Description
Adversaries may search compromised systems to find and obtain insecurely stored credentials.
Security Summary
CVE-2025-27662 affects Vasion Print, formerly known as PrinterLogic, in versions prior to Virtual Appliance Host 22.0.843 Application 20.0.1923. The vulnerability involves insecure password handling in URLs, tracked as OVE-20230524-0005 and mapped to CWE-256 (Plaintext Storage of a Password). It has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for severe impacts across confidentiality, integrity, and availability.
Attackers with network access can exploit this vulnerability remotely without authentication, privileges, or user interaction. Exploitation enables high-impact compromise, allowing unauthorized access to sensitive credentials and potentially full control over the virtual appliance, including data exfiltration, modification, or disruption of print management services.
Mitigation guidance is available in PrinterLogic's security bulletins at https://help.printerlogic.com/saas/Print/Security/Security-Bulletins.htm, which detail patching to Virtual Appliance Host 22.0.843 Application 20.0.1923 or later to address the password-in-URL exposure.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a remote unauthenticated vulnerability in a public-facing print management application allowing direct access to credentials via insecure password handling in URLs (CWE-256), directly mapping to exploitation of public-facing apps (T1190) and discovery of unsecured credentials (T1552).