Cyber Posture

CVE-2025-27674

Critical

Published: 05 March 2025
Modified: 03 November 2025
KEV Added: not listed
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0051 (66.5th percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

Vasion Print (formerly PrinterLogic) prior to Virtual Appliance Host 22.0.843 Application 20.0.1923 ships with a hardcoded Identity Provider (IdP) key, referenced as V-2023-006. Anyone who holds that key can sign SAML assertions with arbitrary claims and lifetimes that affected installations accept.

Security Summary

CVE-2025-27674 is a critical vulnerability in Vasion Print, formerly known as PrinterLogic, affecting versions prior to Virtual Appliance Host 22.0.843 Application 20.0.1923. The issue is a hardcoded Identity Provider (IdP) key, referenced as V-2023-006 and classified under CWE-321 (Use of Hard-coded Cryptographic Key). Because the key is hardcoded, it is identical in every installation: anyone who extracts it from one appliance holds a valid SAML token-signing key for every other unpatched appliance. It received a CVSS v3.1 base score of 9.8, reflecting network accessibility, low attack complexity, no required privileges or user interaction, and high impact on confidentiality, integrity, and availability. The vulnerability was published on 2025-03-05.

Remote attackers need no authentication or privileges to exploit this flaw over the network, with minimal complexity and no user interaction. With the signing key in hand, an attacker can mint SAML assertions for any identity, including administrative accounts, with whatever claims and lifetimes they choose, and the application accepts them as if the legitimate IdP had issued them. The result is high-level compromise: unauthorized access to sensitive data (C:H), modification of systems or data (I:H), and disruption of services (A:H), potentially leading to full control over affected PrinterLogic virtual appliances.

Mitigation details are documented in the vendor's security bulletins, with additional analysis available at https://help.printerlogic.com/saas/Print/Security/Security-Bulletins.htm, https://pierrekim.github.io/blog/2025-04-08-vasion-printerlogic-83-vulnerabilities.html, and http://seclists.org/fulldisclosure/2025/Apr/18. Practitioners should upgrade to Virtual Appliance Host 22.0.843 Application 20.0.1923 or later as indicated in these resources. Since the weakness is a shared key rather than a code path, confirm after upgrading that the IdP signing certificate in use is no longer the hardcoded one (compare its fingerprint) and that assertions signed with the old key are rejected; a patch that left the old key trusted would not close the hole.
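As an added example, not code from this page, from Vasion/PrinterLogic or from any of the linked advisories, here is the kind of pre-check a SAML service provider can run on an inbound Response before cryptographic verification: refuse assertions signed with a certificate whose fingerprint has been revoked (which is what a leaked hardcoded IdP key becomes once it is rotated), refuse unknown signing certificates, and reject assertion lifetimes no legitimate IdP would issue. The sample Response, the certificate blob, the audience URL, the fixed clock and the 10-minute lifetime policy are all constructed or assumed; the real fingerprint of the hardcoded key is not on this page and must come from the vendor bulletin or from the certificate extracted from an unpatched appliance.

```python
# Added example (not the advisory's or the vendor's code): SP-side pre-checks on a SAML
# Response. Everything below is constructed: the Response, the dummy "certificate"
# blob, the fingerprints, the audience and the clock.
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Policy knob (assumption): a real IdP issues assertions valid for minutes, not months.
MAX_ASSERTION_LIFETIME = timedelta(minutes=10)

# Constructed placeholder standing in for a DER certificate; only its hash matters here.
DUMMY_CERT_B64 = base64.b64encode(b"constructed-placeholder-not-a-real-x509-cert").decode()
EXPECTED_AUDIENCE = "https://print.example.internal/sp"  # hypothetical SP entity ID
FIXED_NOW = datetime(2025, 3, 5, 10, 5, tzinfo=timezone.utc)  # fixed clock for a reproducible run


def cert_fingerprint(b64_der: str) -> str:
    """SHA-256 over the DER bytes, the value `openssl x509 -fingerprint -sha256` prints."""
    return hashlib.sha256(base64.b64decode("".join(b64_der.split()))).hexdigest()


def build_response(not_before: str, not_on_or_after: str, cert_b64: str, name_id: str = "admin") -> str:
    """Constructed SAML Response. SignatureValue is a stand-in; signature math is out of scope."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    xmlns:ds="{NS['ds']}" ID="_r1" Version="2.0" IssueInstant="{not_before}">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="{not_before}">
    <saml:Issuer>https://idp.example.internal</saml:Issuer>
    <ds:Signature><ds:SignedInfo/><ds:SignatureValue>AAAA</ds:SignatureValue>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert_b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </ds:Signature>
    <saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}">
      <saml:AudienceRestriction><saml:Audience>{EXPECTED_AUDIENCE}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def _ts(value: str) -> datetime:
    # SAML timestamps are ISO 8601 in UTC with a trailing Z; fromisoformat wants +00:00 on older Pythons.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_response(xml_text, expected_audience, trusted_fprs, revoked_fprs, now=None):
    """Return a list of findings; an empty list means the pre-checks passed.
    These checks run before XML-DSig verification and never replace it."""
    now = now or datetime.now(timezone.utc)
    findings = []
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if assertion is None:
        return ["no Assertion element"]

    cert = assertion.findtext("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate",
                              default="", namespaces=NS)
    if not cert.strip():
        findings.append("assertion carries no signing certificate")
    else:
        fpr = cert_fingerprint(cert)
        if fpr in revoked_fprs:          # e.g. the fingerprint of a leaked hardcoded IdP key
            findings.append(f"signed with revoked key {fpr[:16]}")
        elif fpr not in trusted_fprs:    # pin to the certificates this SP actually expects
            findings.append(f"signed with unknown key {fpr[:16]}")

    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        findings.append("no Conditions element (unbounded assertion)")
        return findings
    nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not (nb and na):
        findings.append("Conditions lack NotBefore/NotOnOrAfter")
    else:
        lifetime = _ts(na) - _ts(nb)
        if lifetime > MAX_ASSERTION_LIFETIME:   # forged tokens tend to carry absurd lifetimes
            findings.append(f"lifetime {lifetime} exceeds policy {MAX_ASSERTION_LIFETIME}")
        if not (_ts(nb) <= now < _ts(na)):
            findings.append("assertion not valid at the current time")
    audience = cond.findtext("saml:AudienceRestriction/saml:Audience", default="", namespaces=NS)
    if audience != expected_audience:
        findings.append(f"audience {audience!r} is not this SP")
    return findings


def demo():
    """Legitimate 5-minute assertion from a trusted key vs. a forged year-long one signed with the revoked key."""
    fpr = cert_fingerprint(DUMMY_CERT_B64)
    ok = audit_response(build_response("2025-03-05T10:00:00Z", "2025-03-05T10:05:30Z", DUMMY_CERT_B64),
                        EXPECTED_AUDIENCE, trusted_fprs={fpr}, revoked_fprs=set(), now=FIXED_NOW)
    forged = audit_response(build_response("2025-03-05T10:00:00Z", "2026-03-05T10:00:00Z", DUMMY_CERT_B64),
                            EXPECTED_AUDIENCE, trusted_fprs=set(), revoked_fprs={fpr}, now=FIXED_NOW)
    return ok, forged


if __name__ == "__main__":
    for label, result in zip(("legitimate", "forged"), demo()):
        print(label, "->", result or "passed pre-checks")
```

The limits matter as much as the checks: a forged assertion whose lifetime stays inside policy and which is signed with the still-trusted hardcoded key passes every line above, which is why rotating the key (the vendor fix) is the actual remediation and these checks are only defence in depth and a way to confirm the old key is gone. Signature verification itself still has to be done by a SAML library on the canonicalised XML; this block deliberately stops at the fingerprint.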

Details

CWE(s)
CWE-321

Affected Products

printerlogic vasion print, versions before 20.0.1923
printerlogic virtual appliance, versions before 22.0.843

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1606.002 Forge Web Credentials: SAML Tokens (Credential Access)
An adversary may forge SAML tokens with any permissions claims and lifetimes if they possess a valid SAML token-signing certificate.
Why these techniques?

The flaw is reachable unauthenticated over the network in a public-facing application, which maps directly to T1190. The hardcoded IdP key hands the attacker a valid SAML token-signing key, so they can forge assertions for any identity, bypass authentication and fully compromise the appliance (T1606.002).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0
