{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-34212","assignerOrgId":"83251b91-4cc7-4094-a5c7-464a1b83ea10","state":"PUBLISHED","assignerShortName":"VulnCheck","dateReserved":"2025-04-15T19:15:22.571Z","datePublished":"2025-09-29T20:36:51.280Z","dateUpdated":"2026-02-26T17:47:49.008Z"},"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","modules":["Provision script va‑build‑node.sh","Jenkins user sudo configuration","Build system Docker‑Compose (/opt/docker-compose.yaml)"],"product":"Print Virtual Appliance Host","vendor":"Vasion","versions":[{"lessThan":"22.0.843","status":"affected","version":"*","versionType":"semver"}]},{"defaultStatus":"unaffected","modules":["Provision script va‑build‑node.sh","Jenkins user sudo configuration","Build system Docker‑Compose (/opt/docker-compose.yaml)"],"product":"Print Application","vendor":"Vasion","versions":[{"lessThan":"20.0.1923","status":"affected","version":"*","versionType":"semver"}]}],"cpeApplicability":[{"operator":"OR","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:vasion:virtual_appliance_host:*:*:*:*:*:*:*:*","versionEndExcluding":"22.0.843"}]}]},{"operator":"OR","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:vasion:virtual_appliance_application:*:*:*:*:*:*:*:*","versionEndExcluding":"20.0.1923"}]}]}],"credits":[{"lang":"en","type":"finder","value":"Pierre Barre"}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 22.0.843&nbsp;and Application prior to version 20.0.1923&nbsp;(VA/SaaS deployments) possess&nbsp;CI/CD weaknesses: the build pulls an unverified third-party image, downloads the VirtualBox Extension Pack over plain HTTP without signature validation, and grants the jenkins account NOPASSWD for mount/umount. Together these allow supply chain or man-in-the-middle compromise of the build pipeline, injection of malicious firmware, and remote code execution as root on the CI host. This vulnerability has been identified by the vendor as: V-2023-007 — Supply Chain Attack.<br><br>"}],"value":"Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 22.0.843 and Application prior to version 20.0.1923 (VA/SaaS deployments) possess CI/CD weaknesses: the build pulls an unverified third-party image, downloads the VirtualBox Extension Pack over plain HTTP without signature validation, and grants the jenkins account NOPASSWD for mount/umount. Together these allow supply chain or man-in-the-middle compromise of the build pipeline, injection of malicious firmware, and remote code execution as root on the CI host. This vulnerability has been identified by the vendor as: V-2023-007 — Supply Chain Attack."}],"impacts":[{"capecId":"CAPEC-186","descriptions":[{"lang":"en","value":"CAPEC-186 Malicious Software Update"}]},{"capecId":"CAPEC-678","descriptions":[{"lang":"en","value":"CAPEC-678 System Build Data Maliciously Altered"}]}],"metrics":[{"cvssV4_0":{"Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","Safety":"NOT_DEFINED","attackComplexity":"LOW","attackRequirements":"NONE","attackVector":"NETWORK","baseScore":8.7,"baseSeverity":"HIGH","privilegesRequired":"NONE","providerUrgency":"NOT_DEFINED","subAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","userInteraction":"NONE","valueDensity":"NOT_DEFINED","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N","version":"4.0","vulnAvailabilityImpact":"NONE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"HIGH","vulnerabilityResponseEffort":"NOT_DEFINED"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-494","description":"CWE-494 Download of Code Without Integrity Check","lang":"en","type":"CWE"}]},{"descriptions":[{"cweId":"CWE-732","description":"CWE-732 Incorrect Permission Assignment for Critical Resource","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"83251b91-4cc7-4094-a5c7-464a1b83ea10","shortName":"VulnCheck","dateUpdated":"2025-11-17T23:56:35.033Z"},"references":[{"tags":["technical-description"],"url":"https://pierrekim.github.io/blog/2025-04-08-vasion-printerlogic-83-vulnerabilities.html#va-supply-chain-build-system"},{"tags":["vendor-advisory","patch"],"url":"https://help.printerlogic.com/va/Print/Security/Security-Bulletins.htm"},{"tags":["vendor-advisory","patch"],"url":"https://help.printerlogic.com/saas/Print/Security/Security-Bulletins.htm"},{"tags":["third-party-advisory"],"url":"https://www.vulncheck.com/advisories/vasion-print-printerlogic-insecure-build-pipeline"}],"source":{"discovery":"INTERNAL"},"title":"Vasion Print (formerly PrinterLogic) Insecure Build Pipeline","x_generator":{"engine":"vulncheck"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"id":"CVE-2025-34212","role":"CISA Coordinator","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"total"}],"version":"2.0.3","timestamp":"2025-10-01T03:55:55.840177Z"}}}],"references":[{"url":"https://pierrekim.github.io/blog/2025-04-08-vasion-printerlogic-83-vulnerabilities.html#va-supply-chain-build-system","tags":["exploit"]}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-02-26T17:47:49.008Z"}}]}}