CVE-2025-34224 PUBLISHED

Vasion Print (formerly PrinterLogic) Unauthenticated Device Modification

Assigner: VulnCheck
Reserved: 15.04.2025 Published: 29.09.2025 Updated: 15.05.2026

Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 22.0.1049 and Application prior to version 20.0.2786 (VA/SaaS deployments) expose a set of PHP scripts under the console_release directory without requiring authentication. An unauthenticated remote attacker can invoke these endpoints to re‑configure networked printers, add or delete RFID badge devices, or otherwise modify device settings. This vulnerability has been identified by the vendor as: V-2024-029 — No Authentication to Modify Devices.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
CVSS Score: 10

Product Status

Vendor Vasion
Product Print Virtual Appliance Host
Versions Default: unaffected
  • affected from 0 to 22.0.1049 (excl.)
Vendor Vasion
Product Print Application
Versions Default: unaffected
  • affected from 0 to 20.0.2786 (excl.)

Credits

  • Pierre Barre finder

References

Problem Types

  • CWE-306 Missing Authentication for Critical Function CWE

Impacts

  • CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs
  • CAPEC-551 Modify Existing Service