Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 22.0.1026 and Application prior to version 20.0.2702 (VA deployments only) expose a set of unauthenticated REST API endpoints that return configuration files and clear‑text passwords. The same endpoints also disclose the Laravel APP_KEY used for cryptographic signing. Because the APP_KEY is required to generate valid signed requests, an attacker who obtains it can craft malicious payloads that are accepted by the application and achieve remote code execution on the appliance. This vulnerability has been identified by the vendor as: V-2024-018 — RCE & Leaks via API.
Unauthenticated REST API endpoints expose configuration files containing passwords in clear-text (CWE-312) without requiring any authentication (CWE-306). Among the disclosed data is the Laravel APP_KEY, which is used for cryptographic signing of requests in the application. An attacker who obtains this key can create malicious, properly signed payloads that the application will recognize as legitimate and execute, leading to remote code execution on the Virtual Appliance device.
An attacker without any authentication can gain full control over the Virtual Appliance device through RCE, as well as obtain all passwords and configuration data stored in the system. Compromise of the print management system can lead to takeover of control over the printing infrastructure of the entire organization and lateral movement in the internal network.
The Virtual Appliance Host must be immediately updated to version 22.0.1026 or later and the Virtual Appliance Application to version 20.0.2702 or later. Until the update is applied, consider restricting network access to the device's REST API endpoints only to trusted hosts using firewall rules. Details are available in the vendor's security bulletins at help.printerlogic.com.
Vasion Print (formerly PrinterLogic) Virtual Appliance Host in versions prior to 22.0.1026 and Virtual Appliance Application in versions prior to 20.0.2702 — only VA (Virtual Appliance) deployments.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XVasion Virtual Appliance Application
APPVasion< 20.0.2702Vasion Virtual Appliance Host
APPVasion< 22.0.1026
Related vulnerabilities
Vasion Print Virtual Appliance — hasła w plikach plaintext dostępnych dla wszystkich
Vasion Print: hardcoded SSH key umożliwiający root access do appliance
Vasion Print: hardcoded klucz prywatny SSL we wszystkich instancjach
Hardcoded klucz prywatny GPG w Vasion Print Virtual Appliance
Vasion Print: hardcoded klucz prywatny CA i hasło w plikach konfiguracyjnych