Vulnerability Details CVE-2025-34205
Vasion Print (formerly PrinterLogic) Virtual Appliance Host versions prior to 22.0.843 and Application prior to 20.0.1923 (VA and SaaS deployments) contains dangerous PHP dead code present in multiple Docker-hosted PHP instances. A script named /var/www/app/resetroot.php (found in several containers) lacks authentication checks and, when executed, performs a SQL update that sets the database administrator username to 'root' and its password hash to the SHA-512 hash of the string 'password'. Separately, commented-out code in /var/www/app/lib/common/oses.php would unserialize session data (unserialize($_SESSION['osdata']))—a pattern that can enable remote code execution if re-enabled or reached with attacker-controlled serialized data. An attacker able to reach the resetroot.php endpoint can trivially reset the MySQL root password and obtain full database control; combined with deserialization issues this can lead to full remote code execution and system compromise.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.008
EPSS Ranking 72.5%
CVSS Severity
CVSS v3 Score 9.8
References
- https://help.printerlogic.com/saas/Print/Security/Security-Bulletins.htm
- https://help.printerlogic.com/va/Print/Security/Security-Bulletins.htm
- https://pierrekim.github.io/blog/2025-04-08-vasion-printerlogic-83-vulnerabilities.html#va-dead-code
- https://www.vulncheck.com/advisories/vasion-print-printerlogic-dangerous-php-dead-code-enables-rce
Products affected by CVE-2025-34205
-
cpe:2.3:a:vasion:virtual_appliance_application:20.0.1099
-
cpe:2.3:a:vasion:virtual_appliance_application:20.0.1181
-
cpe:2.3:a:vasion:virtual_appliance_application:20.0.1285
-
cpe:2.3:a:vasion:virtual_appliance_application:20.0.1305
-
cpe:2.3:a:vasion:virtual_appliance_application:20.0.1330
-
cpe:2.3:a:vasion:virtual_appliance_application:20.0.1380
-
cpe:2.3:a:vasion:virtual_appliance_application:20.0.1442
-
cpe:2.3:a:vasion:virtual_appliance_application:20.0.1480
-
cpe:2.3:a:vasion:virtual_appliance_application:20.0.1510
-
cpe:2.3:a:vasion:virtual_appliance_application:20.0.1533
-
cpe:2.3:a:vasion:virtual_appliance_application:20.0.1582
-
cpe:2.3:a:vasion:virtual_appliance_application:20.0.1682
-
cpe:2.3:a:vasion:virtual_appliance_application:20.0.1708
-
cpe:2.3:a:vasion:virtual_appliance_application:20.0.1766
-
cpe:2.3:a:vasion:virtual_appliance_application:20.0.671
-
cpe:2.3:a:vasion:virtual_appliance_application:20.0.674
-
cpe:2.3:a:vasion:virtual_appliance_application:20.0.693
-
cpe:2.3:a:vasion:virtual_appliance_application:20.0.756
-
cpe:2.3:a:vasion:virtual_appliance_application:20.0.795
-
cpe:2.3:a:vasion:virtual_appliance_application:20.0.846
-
cpe:2.3:a:vasion:virtual_appliance_host:1.0.541
-
cpe:2.3:a:vasion:virtual_appliance_host:1.0.543
-
cpe:2.3:a:vasion:virtual_appliance_host:1.0.581
-
cpe:2.3:a:vasion:virtual_appliance_host:1.0.584
-
cpe:2.3:a:vasion:virtual_appliance_host:1.0.593
-
cpe:2.3:a:vasion:virtual_appliance_host:1.0.674
-
cpe:2.3:a:vasion:virtual_appliance_host:1.0.711
-
cpe:2.3:a:vasion:virtual_appliance_host:1.0.730
-
cpe:2.3:a:vasion:virtual_appliance_host:1.0.735
-
cpe:2.3:a:vasion:virtual_appliance_host:1.0.742
-
cpe:2.3:a:vasion:virtual_appliance_host:1.0.750
-
cpe:2.3:a:vasion:virtual_appliance_host:1.0.756
-
cpe:2.3:a:vasion:virtual_appliance_host:1.0.757
-
cpe:2.3:a:vasion:virtual_appliance_host:22.0.818