CVE-2025-34208 — HIGH (7.5)

Vulnerability Description

Vasion Print (formerly PrinterLogic) Virtual Appliance Host and Application (VA/SaaS deployments) store user passwords using unsalted SHA-512 hashes with a fall-back to unsalted SHA-1. The hashing is performed via PHP's `hash()` function in multiple files (server_write_requests_users.php, update_database.php, legacy/Login.php, tests/Unit/Api/IdpControllerTest.php). No per-user salt is used and the fast hash algorithms are unsuitable for password storage. An attacker who obtains the password database can recover cleartext passwords via offline dictionary or rainbow table attacks. The vulnerable code also contains logic that migrates legacy SHA-1 hashes to SHA-512 on login, further exposing users still on the old hash. This vulnerability was partially resolved, but still present within the legacy authentication platform.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Vasion	Virtual Appliance Application	-
Vasion	Virtual Appliance Host	-

Related Weaknesses (CWE)

CWE-759 CWE-327

References

https://help.printerlogic.com/saas/Print/Security/Security-Bulletins.htmVendor Advisory
https://help.printerlogic.com/va/Print/Security/Security-Bulletins.htmVendor Advisory
https://pierrekim.github.io/blog/2025-04-08-vasion-printerlogic-83-vulnerabilitiExploitThird Party Advisory
https://www.vulncheck.com/advisories/vasion-print-printerlogic-insecure-passwordThird Party Advisory
https://pierrekim.github.io/blog/2025-04-08-vasion-printerlogic-83-vulnerabilitiExploitThird Party Advisory

FAQ

What is CVE-2025-34208?

CVE-2025-34208 is a vulnerability with a CVSS score of 7.5 (HIGH). Vasion Print (formerly PrinterLogic) Virtual Appliance Host and Application (VA/SaaS deployments) store user passwords using unsalted SHA-512 hashes with a fall-back to unsalted SHA-1. The hashing is ...

How severe is CVE-2025-34208?

CVE-2025-34208 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2025-34208?

Check the references section above for vendor advisories and patch information. Affected products include: Vasion Virtual Appliance Application, Vasion Virtual Appliance Host.