CVE-2025-27680

CVE-2025-27680 is a high-severity vulnerability (CVSS 9.1, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) affecting Vasion Print, formerly known as PrinterLogic, specifically versions of the Virtual Appliance Host before 1.0.750 Application 20.0.1442. The issue, tracked as V-2024-004, involves insecure firmware images due to insufficient verification of data authenticity (CWE-345), allowing flawed checks that fail to properly validate firmware integrity or origin.

Remote attackers require no privileges or user interaction and can exploit the vulnerability over the network with low attack complexity. Successful exploitation enables high-impact confidentiality and integrity violations, such as injecting or deploying malicious firmware images that bypass authenticity checks, potentially leading to unauthorized code execution or system compromise within the affected appliance.

Mitigation details are available in the vendor's security bulletins at https://help.printerlogic.com/saas/Print/Security/Security-Bulletins.htm, along with analysis from independent researcher Pierre Kim's report on 83 vulnerabilities in Vasion/PrinterLogic at https://pierrekim.github.io/blog/2025-04-08-vasion-printerlogic-83-vulnerabilities.html and a Full Disclosure mailing list entry at http://seclists.org/fulldisclosure/2025/Apr/18; upgrading to Virtual Appliance Host 1.0.750 Application 20.0.1442 or later addresses the issue.