CVE-2025-34212

Published Sep 29, 2025

Last updated 5 months ago

CVSS high 8.7
Supply chain

Overview

Description
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 22.0.843 and Application prior to version 20.0.1923 (VA/SaaS deployments) possess CI/CD weaknesses: the build pulls an unverified third-party image, downloads the VirtualBox Extension Pack over plain HTTP without signature validation, and grants the jenkins account NOPASSWD for mount/umount. Together these allow supply chain or man-in-the-middle compromise of the build pipeline, injection of malicious firmware, and remote code execution as root on the CI host. This vulnerability has been identified by the vendor as: V-2023-007 — Supply Chain Attack.
Source
disclosure@vulncheck.com
NVD status
Analyzed
Products
virtual_appliance_application, virtual_appliance_host

Risk scores

CVSS 4.0

Type
Secondary
Base score
8.7
Impact score
-
Exploitability score
-
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Severity
HIGH

CVSS 3.1

Type
Primary
Base score
9.8
Impact score
5.9
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity
CRITICAL

Weaknesses

disclosure@vulncheck.com
CWE-494

Social media

Hype score
Not currently trending

  1. I received 43 additional CVEs for Vasion Print vulns: CVE-2025-34208,CVE-2025-34210,CVE-2025-34196, CVE-2025-34207,CVE-2025-34209,CVE-2025-34211,CVE-2025-34212,CVE-2025-34215,CVE-2025-34216,CVE-2025-34217,CVE-2025-34218,CVE-2025-34220,CVE-2025-34221... https://t.co/hwPa77l11j

    @PierreKimSec

    11 Nov 2025

    348 Impressions

    2 Retweets

    6 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. CVE-2025-34212 Supply Chain Attack in Vasion Print Virtual Appliance CI/CD Pipeline Vulnerability https://t.co/YjStivZmXj

    @VulmonFeeds

    30 Sept 2025

    7 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerability that could lead to remote code execution, which would allow an attacker to run commands on the host machine. This could be exploited without authentication.CVE-2025-40551
  2. SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerability that could lead to remote code execution, which would allow an attacker to run commands on the host machine. This could be exploited without authentication.CVE-2025-40553
  3. SolarWinds Web Help Desk was found to be susceptible to an authentication bypass vulnerability that if exploited, would allow a malicious actor to execute actions and methods that should be protected by authentication.CVE-2025-40552
  4. SolarWinds Web Help Desk was found to be susceptible to an authentication bypass vulnerability that, if exploited, could allow an attacker to invoke specific actions within Web Help Desk.CVE-2025-40554
  5. SolarWinds Web Help Desk Security Control Bypass VulnerabilityCVE-2025-40536

References

Sources include official advisories and independent security research.