CVE-2025-34218 is a critical security vulnerability affecting Vasion Print Virtual Appliance Host versions prior to 22.0.1049 and the application prior to 20.0.2786 in VA/SaaS deployments. The root cause is the exposure of internal Docker containers through the gateway Docker instance, which publishes a /meta endpoint listing all microservice containers and their version information. These containers are directly accessible over HTTP/HTTPS without any authentication, access control lists (ACLs), or rate limiting. This design flaw effectively exposes the internal service mesh to unauthenticated users on both local area networks and the Internet. An attacker can enumerate all internal services, interact with their APIs without credentials, and potentially exploit these services to disclose sensitive information, escalate privileges within containers, or cause denial-of-service conditions that impact the entire appliance. The vulnerability stems from the absence of authentication and network-level restrictions on the API gateway’s proxy to internal Docker containers, turning what should be an internal-only interface into a public attack surface. The CVSS 4.0 base score is 10.0, reflecting the vulnerability’s critical impact on confidentiality, integrity, and availability, with no required privileges or user interaction, and full network accessibility. Although no known exploits are currently reported in the wild, the vulnerability represents a severe risk due to the ease of exploitation and broad impact. The vendor has identified this issue as V-2024-030 and it affects all versions prior to the specified fixed releases. Organizations deploying Vasion Print Virtual Appliance Hosts should urgently apply updates and implement network-level protections to mitigate this risk.

For European organizations, this vulnerability poses a critical risk to the confidentiality, integrity, and availability of printing infrastructure and potentially connected internal networks. Exploitation can lead to unauthorized disclosure of sensitive information about internal microservices and their versions, enabling further targeted attacks. Privilege escalation within containers could allow attackers to gain control over printing services or pivot to other internal systems. Denial-of-service attacks could disrupt printing operations, impacting business continuity, especially in sectors reliant on print workflows such as legal, healthcare, and government. Given the appliance’s exposure to both LAN and Internet, organizations with remote or hybrid work environments face increased risk. The critical CVSS score underscores the potential for widespread impact if exploited. Additionally, the lack of authentication and ACLs means that even low-skilled attackers can exploit this vulnerability, increasing the threat landscape. The exposure of internal service mesh details also aids attackers in reconnaissance and crafting sophisticated attacks. Overall, the vulnerability threatens operational stability and data security for European enterprises using this product.

1. Immediately upgrade Vasion Print Virtual Appliance Host to version 22.0.1049 or later and the application to 20.0.2786 or later, where the vulnerability is patched. 2. Implement strict network segmentation to isolate the appliance from untrusted networks, ensuring that the internal Docker containers and the API gateway are not directly reachable from the Internet or untrusted LAN segments. 3. Deploy firewall rules or access control lists to restrict access to the gateway’s /meta endpoint and internal Docker container interfaces to authorized management hosts only. 4. Monitor network traffic to and from the appliance for unusual or unauthorized access attempts, focusing on HTTP/HTTPS requests targeting the /meta endpoint or internal microservice APIs. 5. If patching is delayed, consider deploying a reverse proxy or web application firewall (WAF) in front of the appliance to enforce authentication and rate limiting on exposed endpoints. 6. Conduct regular vulnerability scans and penetration tests to verify that no internal services are exposed without proper authentication. 7. Review and harden container configurations and microservice APIs to minimize the impact of potential privilege escalation. 8. Maintain up-to-date incident response plans to quickly address any exploitation attempts.