Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

CVE-2025-34211

Severity CVSS v4.0:
CRITICAL
Type:
CWE-321 Use of Hard-coded Cryptographic Key
Publication date:
29/09/2025
Last modified:
03/10/2025

Description

Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 22.0.1049 and Application prior to version 20.0.2786 (VA and SaaS deployments) contain a private SSL key and matching public certificate stored in cleartext. The key belongs to the hostname `pl‑local.com` and is used by the appliance to terminate TLS connections on ports 80/443. Because the key is hardcoded, any attacker who can gain container-level access can simply read the files and obtain the private key. With the private key, the attacker can decrypt TLS traffic, perform man-in-the-middle attacks, or forge TLS certificates. This enables impersonation of the appliance’s web UI, interception of credentials, and unrestricted access to any services that trust the certificate. The same key is identical across all deployed appliances meaning a single theft compromises the confidentiality of every Vasion Print installation. This vulnerability has been identified by the vendor as: V-2024-025 — Hardcoded SSL Certificate & Private Keys.

Impact

Vector 4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:H CVSS v4.0 Severity and Metrics:

Base Score: 9.30 CRITICAL
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:H

Attack Vector (AV): Network
Attack Complexity (AC): Low
Attack Requirements (AT): None
Privileges Required (PR): High
User Interaction (UI): None
Confidentiality (VC): High
Integrity (VI): High
Availability (VA): Low
Confidentiality (SC): High
Integrity (SI): High
Availability (SA): High

Base Score 4.0
9.30
Severity 4.0
CRITICAL
Vector 3.x
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N CVSS v3.1 Severity and Metrics:

Base Score: 4.90 MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): High
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): None
Availability (A): None

Base Score 3.x
4.90
Severity 3.x
MEDIUM

Vulnerable products and versions

CPE From Up to
cpe:2.3:a:vasion:virtual_appliance_application:*:*:*:*:*:*:*:* 20.0.2786 (excluding)
cpe:2.3:a:vasion:virtual_appliance_host:*:*:*:*:*:*:*:* 22.0.1049 (excluding)

To consult the complete list of CPE names with products and versions, see this page


References to Advisories, Solutions, and Tools