EPSS: 0.5% (top 60%)

CVE-2025-34199: CWE-295 Improper Certificate Validation in Vasion Print Virtual Appliance Host

Severity: Critical
Type: Vulnerability
Tags: cve, cve-2025-34199, cwe-295
Published: 09/19/2025 (09/19/2025, 18:48:05 UTC)
Source: CVE Database V5
Vendor/Project: Vasion
Product: Print Virtual Appliance Host

Description

Vasion Print (formerly PrinterLogic) Virtual Appliance Host versions prior to 22.0.1049 and Application versions prior to 20.0.2786 (VA and SaaS deployments) contain insecure defaults and code patterns that disable TLS/SSL certificate verification for communications to printers and internal microservices. In multiple places, the application sets libcurl/PHP transport options such that CURLOPT_SSL_VERIFYHOST and CURLOPT_SSL_VERIFYPEER are effectively disabled, and environment variables (for example API_*_VERIFYSSL=false) are used to turn off verification for gateway and microservice endpoints. As a result, the client accepts TLS connections without validating server certificates (and, in some cases, uses clear-text HTTP), permitting on-path attackers to perform man-in-the-middle (MitM) attacks. An attacker able to intercept network traffic between the product and printers or microservices can eavesdrop on and modify sensitive data (including print jobs, configuration, and authentication tokens), inject malicious payloads, or disrupt service. This vulnerability has been identified by the vendor as: V-2024-024 — Insecure Communication to Printers & Microservices.

CVSS v4.0

Score: 9.3 (Critical)

Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: None
User Interaction: None
Vuln. Confidentiality: High
Vuln. Integrity: High
Vuln. Availability: High
Subsq. Confidentiality: None
Subsq. Integrity: None
Subsq. Availability: None
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected software

Affected versions: =0

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 05/16/2026, 09:19:58 UTC

Technical Analysis

Vasion Print Virtual Appliance Host versions before 22.0.1049 and Application versions before 20.0.2786 contain insecure configurations that disable TLS/SSL certificate verification by setting libcurl/PHP options (CURLOPT_SSL_VERIFYHOST and CURLOPT_SSL_VERIFYPEER) to effectively bypass validation. Environment variables like API_*_VERIFYSSL=false further disable verification for gateway and microservice endpoints. This results in the client accepting TLS connections without validating server certificates and sometimes using unencrypted HTTP, enabling on-path attackers to conduct man-in-the-middle attacks. Attackers can intercept, modify, or disrupt communications between the product and printers or microservices, compromising confidentiality and integrity of sensitive data.
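
A defender-side audit for the patterns named above, as an added example that is not part of the advisory or of Vasion's code: it scans PHP source and environment files for disabled libcurl verification, API_*_VERIFYSSL=false settings and clear-text HTTP endpoints. The sample file contents, variable names and hostnames are constructed, and treating 0 as equivalent to false is an assumption.

```python
import re

# Patterns taken from the advisory text; accepting 0 as well as false is an assumption.
RULES = [
    ("peer-verification-disabled",
     re.compile(r"CURLOPT_SSL_VERIFYPEER\s*(?:,|=>)\s*(?:false|0)\b", re.I)),
    ("host-verification-disabled",
     re.compile(r"CURLOPT_SSL_VERIFYHOST\s*(?:,|=>)\s*(?:false|0)\b", re.I)),
    ("verifyssl-env-disabled",
     re.compile(r"^\s*(?:export\s+)?API_\w+_VERIFYSSL\s*=\s*[\"']?(?:false|0)\b", re.I)),
    ("cleartext-http-endpoint",
     re.compile(r"=\s*[\"']?http://", re.I)),
]

def audit(text):
    """Return (line_number, rule_name) findings for one file's text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.strip().startswith(("#", "//")):  # skip whole-line comments
            continue
        for name, pattern in RULES:
            if pattern.search(line):
                findings.append((lineno, name))
    return findings

# Constructed sample inputs (not taken from the product).
SAMPLE_PHP = """\
<?php
$ch = curl_init($printerUrl);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
// curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt_array($ok, [CURLOPT_SSL_VERIFYPEER => true, CURLOPT_SSL_VERIFYHOST => 2]);
"""

SAMPLE_ENV = """\
# constructed example values
API_GATEWAY_VERIFYSSL=false
API_GATEWAY_URL=http://gateway.internal.example:8080
API_REPORTS_VERIFYSSL=true
API_REPORTS_URL=https://reports.internal.example
"""

if __name__ == "__main__":
    for label, sample in (("sample.php", SAMPLE_PHP), ("sample.env", SAMPLE_ENV)):
        for lineno, rule in audit(sample):
            print(f"{label}:{lineno}: {rule}")
```

The last PHP line shows the settings the scanner treats as sound: peer verification on and host verification set to 2.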

Potential Impact

The vulnerability allows an unauthenticated attacker positioned on the network path between the Vasion Print Virtual Appliance Host and its printers or internal microservices to intercept and manipulate sensitive data. This includes print jobs, configuration settings, and authentication tokens. The attacker can perform man-in-the-middle attacks, leading to potential data disclosure, data tampering, injection of malicious payloads, or service disruption. The CVSS 4.0 base score of 9.3 reflects the critical severity and the ease of exploitation without privileges or user interaction.

Mitigation Recommendations

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should avoid deploying affected versions or restrict network access to trusted environments to prevent interception. Monitor vendor communications for updates on patches or official mitigations. Do not rely on disabling certificate verification as it exposes the system to significant risk.

Technical Details

Data Version: 5.1
Assigner Short Name: VulnCheck
Date Reserved: 2025-04-15T19:15:22.570Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68cda6a24b8a032c4fac76f8

Added to database: 09/19/2025, 18:53:22 UTC

Last enriched: 05/16/2026, 09:19:58 UTC

Last updated: 07/01/2026, 08:51:17 UTC

Views: 243
