CVE-2025-34191 affects Vasion Print Virtual Appliance Host versions prior to 22.0.843 and Application versions prior to 20.0.1923, specifically in macOS and Linux client deployments. The vulnerability stems from improper link following (CWE-59) in the handling of response files generated by print tasks. The service writes response data into files located under /opt/PrinterInstallerClient/tmp/responses/ using the requested filename without sanitizing or restricting symbolic links. Because the service runs with root privileges, an unprivileged local user can create symbolic links in the responses directory pointing to arbitrary files elsewhere on the filesystem. When the service writes response data, it follows these symbolic links and overwrites or creates files as root. This arbitrary file write capability enables attackers to modify configuration files, replace or inject malicious binaries or drivers, and escalate privileges to root, resulting in full system compromise. The vulnerability requires local access but no authentication or user interaction. The vendor has identified this issue as V-2023-019 and has not yet provided patches at the time of this report. The CVSS 4.0 vector (AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N) indicates local attack vector, low complexity, no authentication, and high impact on confidentiality, integrity, and availability.

For European organizations, this vulnerability poses a significant risk, especially in environments where Vasion Print Virtual Appliance Host is deployed on Linux or macOS systems. Successful exploitation allows local attackers to gain root privileges, leading to complete system compromise. This can result in unauthorized access to sensitive print jobs, alteration or destruction of critical system files, and potential lateral movement within networks. The ability to inject malicious binaries or drivers could facilitate persistent backdoors or malware deployment, undermining organizational security and compliance with data protection regulations such as GDPR. Given that print infrastructure is often integrated into enterprise IT environments, disruption or compromise could affect business continuity and confidentiality of sensitive documents. The lack of known exploits in the wild does not diminish the urgency, as the vulnerability is straightforward to exploit with local access. Organizations with shared workstations, multi-user environments, or insufficient endpoint security controls are particularly vulnerable.

Immediate mitigation should focus on restricting local access to systems running affected Vasion Print versions. Implement strict user permissions and limit the ability to create or modify files in the /opt/PrinterInstallerClient/tmp/responses/ directory. Employ filesystem monitoring to detect creation of suspicious symbolic links in this directory. Until patches are available, consider isolating print servers from general user environments or using network segmentation to limit local user access. Review and harden system configurations to minimize the number of users with local login capabilities. Deploy endpoint detection and response (EDR) solutions to identify anomalous file writes or privilege escalation attempts. Engage with Vasion to obtain and apply security patches as soon as they are released. Additionally, conduct regular audits of print infrastructure and maintain up-to-date backups to enable recovery from potential compromise.