CVE-2025-27668
Published: 05 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-27668 is a high-severity vulnerability in Vasion Print, formerly known as PrinterLogic, specifically affecting versions of the Virtual Appliance Host before 22.0.843 with Application before 20.0.1923. The issue enables arbitrary content inclusion via iframe, tracked as OVE-20230524-0012 and mapped to CWE-829 (Inclusion of Functionality from Untrusted Control Sphere). It carries a CVSS v3.1 base score of 9.8, reflecting critical risk due to its network accessibility, low attack complexity, and lack of prerequisites.
Unauthenticated attackers can exploit this vulnerability remotely over the network without user interaction or privileges, achieving high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H) within the unchanged scope. By injecting arbitrary iframes, attackers could include malicious external content, potentially leading to unauthorized data access, modification, or disruption of the print management appliance's functionality.
Mitigation details are outlined in the vendor's security bulletin at https://help.printerlogic.com/saas/Print/Security/Security-Bulletins.htm, which practitioners should consult for patching instructions and workarounds applicable to affected Virtual Appliance Host and Application versions.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a remote unauthenticated vulnerability in a public-facing web application (Vasion Print Virtual Appliance) allowing arbitrary iframe/content inclusion from untrusted sources, directly enabling exploitation of public-facing applications.