9.2
/ 10
CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
Description
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.1.102 and Application prior to version 25.1.1413 (VA/SaaS deployments) contain two hardcoded private keys that are shipped in the application containers (printerlogic/pi, printerlogic/printer-admin-api, and printercloud/pi). The keys are stored in clear text under /var/www/app/config/ as keyfile.ppk.dev and keyfile.saasid.ppk.dev. The application uses these keys as the symmetric secret for AES‑256‑CBC encryption/decryption of the “SaaS Id” (external identifier) through the getEncryptedExternalId() / getDecryptedExternalId() methods. Because the secret is embedded in the deployed image, any attacker who can obtain a copy of the Docker image, read the configuration files, or otherwise enumerate the filesystem can recover the encryption key. This vulnerability has been confirmed to be remediated, but it is unclear as to when the patch was introduced.
Basic Information
ID
CVE-2025-34234
Source
VulnCheck
Published
Sep 29, 2025 at 20:34
Affected Product
Vendor
Vasion
Product
Print Virtual Appliance Host
Version
*
Affected Versions
Vasion Print Virtual Appliance Host *
Vasion Print Application *
Vasion Print Application *
CWE Classification
References
- pierrekim.github.io /blog/2025-04-08-vasion-printerlogic-83-vulnerabilities.html
- help.printerlogic.com /va/Print/Security/Security-Bulletins.htm
- help.printerlogic.com /saas/Print/Security/Security-Bulletins.htm
- www.vulncheck.com /advisories/vasion-print-printerlogic-hardcoded-encryption-private-keys