CVE-2025-34199: CWE-295 Improper Certificate Validation in Vasion Print Virtual Appliance Host
Vasion Print (formerly PrinterLogic) Virtual Appliance Host versions prior to 22.0.1049 and Application versions prior to 20.0.2786 (VA and SaaS deployments) contain insecure defaults and code patterns that disable TLS/SSL certificate verification for communications to printers and internal microservices. In multiple places, the application sets libcurl/PHP transport options such that CURLOPT_SSL_VERIFYHOST and CURLOPT_SSL_VERIFYPEER are effectively disabled, and environment variables (for example API_*_VERIFYSSL=false) are used to turn off verification for gateway and microservice endpoints. As a result, the client accepts TLS connections without validating server certificates (and, in some cases, uses clear-text HTTP), permitting on-path attackers to perform man-in-the-middle (MitM) attacks. An attacker able to intercept network traffic between the product and printers or microservices can eavesdrop on and modify sensitive data (including print jobs, configuration, and authentication tokens), inject malicious payloads, or disrupt service. This vulnerability has been identified by the vendor as: V-2024-024 — Insecure Communication to Printers & Microservices.
AI Analysis
Technical Summary
Vasion Print Virtual Appliance Host versions before 22.0.1049 and Application versions before 20.0.2786 contain insecure configurations that disable TLS/SSL certificate verification by setting libcurl/PHP options (CURLOPT_SSL_VERIFYHOST and CURLOPT_SSL_VERIFYPEER) to effectively bypass validation. Environment variables like API_*_VERIFYSSL=false further disable verification for gateway and microservice endpoints. This results in the client accepting TLS connections without validating server certificates and sometimes using unencrypted HTTP, enabling on-path attackers to conduct man-in-the-middle attacks. Attackers can intercept, modify, or disrupt communications between the product and printers or microservices, compromising confidentiality and integrity of sensitive data.
Potential Impact
The vulnerability allows an unauthenticated attacker positioned on the network path between the Vasion Print Virtual Appliance Host and its printers or internal microservices to intercept and manipulate sensitive data. This includes print jobs, configuration settings, and authentication tokens. The attacker can perform man-in-the-middle attacks, leading to potential data disclosure, data tampering, injection of malicious payloads, or service disruption. The CVSS 4.0 base score of 9.3 reflects the critical severity and the ease of exploitation without privileges or user interaction.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should avoid deploying affected versions or restrict network access to trusted environments to prevent interception. Monitor vendor communications for updates on patches or official mitigations. Do not rely on disabling certificate verification as it exposes the system to significant risk.
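The two patterns the description names (verification driven by an API_*_VERIFYSSL-style variable, and CURLOPT_SSL_VERIFYPEER/CURLOPT_SSL_VERIFYHOST turned off) next to the fail-closed form the mitigation section calls for. This is an added PHP/libcurl example, not Vasion's code; the function names, the API_EXAMPLE_VERIFYSSL variable and the CA bundle path are assumptions.

```php
<?php
// Added example, not Vasion's code; names, env var and paths are placeholders.
// INSECURE: verification follows an environment variable, so a deployment
// with API_EXAMPLE_VERIFYSSL=false accepts any certificate and hostname
// (CWE-295), and plain http:// URLs are never rejected.
function insecureCurlOptions(string $url): array
{
    $verify = getenv('API_EXAMPLE_VERIFYSSL') !== 'false';
    return [
        CURLOPT_URL            => $url,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => $verify,         // false: no chain check
        CURLOPT_SSL_VERIFYHOST => $verify ? 2 : 0, // 0: no hostname check
    ];
}
// HARDENED: verification is not configurable, only https is allowed (also
// on redirects) and the chain is pinned to an explicit CA bundle, e.g. the
// internal CA that issues the printer and gateway certificates.
function hardenedCurlOptions(string $url, string $caBundle): array
{
    if (strtolower((string) parse_url($url, PHP_URL_SCHEME)) !== 'https') {
        throw new InvalidArgumentException("refusing non-TLS URL: $url");
    }
    if (!is_readable($caBundle)) {
        throw new RuntimeException("CA bundle not readable: $caBundle");
    }
    return [
        CURLOPT_URL             => $url,
        CURLOPT_RETURNTRANSFER  => true,
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTPS,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTPS,
        CURLOPT_SSL_VERIFYPEER  => true,
        CURLOPT_SSL_VERIFYHOST  => 2,
        CURLOPT_CAINFO          => $caBundle,
    ];
}
// Fail closed: a verification error is raised, not silently worked around;
// curl_error() names the failed check (chain, hostname, protocol).
function fetch(array $opts): string
{
    $ch = curl_init();
    curl_setopt_array($ch, $opts);
    $body = curl_exec($ch);
    $err  = curl_error($ch);
    curl_close($ch);
    if ($body === false) {
        throw new RuntimeException("TLS/transport failure: $err");
    }
    return $body;
}
```

When auditing an appliance for this class of defect, the things to look for are exactly what the insecure function does: CURLOPT_SSL_VERIFYPEER or CURLOPT_SSL_VERIFYHOST set from configuration rather than hard-coded on, and *_VERIFYSSL variables in the environment files.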
CVSS v4.0 score: 9.3 (Critical)
Affected software: Vasion Print (formerly PrinterLogic) Virtual Appliance Host versions prior to 22.0.1049; Application versions prior to 20.0.2786 (VA and SaaS deployments)
Weaknesses: CWE-295 Improper Certificate Validation
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulnCheck
- Date Reserved: 2025-04-15T19:15:22.570Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68cda6a24b8a032c4fac76f8
Added to database: 09/19/2025, 18:53:22 UTC
Last enriched: 05/16/2026, 09:19:58 UTC
Last updated: 07/01/2026, 08:51:17 UTC