Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 22.0.1049 and Application prior to version 20.0.2786 (VA/SaaS deployments) contain a default admin account and an installation‑time endpoint at `/admin/query/update_database.php` that can be accessed without authentication. An attacker who can reach the installation web interface can POST arbitrary `root_user` and `root_password` values, causing the script to replace the default admin credentials with attacker‑controlled ones. The script also contains hard‑coded SHA‑512 and SHA‑1 hashes of the default password, allowing the attacker to bypass password‑policy validation. As a result, an unauthenticated remote attacker can obtain full administrative control of the system during the initial setup. This vulnerability has been identified by the vendor as: V-2024-022 — Insecure Installation Credentials.
The `/admin/query/update_database.php` endpoint is accessible without any authentication (CWE-306) and accepts HTTP POST requests with `root_user` and `root_password` parameters. An attacker can submit arbitrary values for these parameters, which causes the default administrator credentials to be overwritten with values controlled by the attacker. The script additionally contains hardcoded SHA-512 and SHA-1 hashes of the default password (CWE-798), which allows bypassing the password policy validation mechanism. The attack is possible during the initial system configuration phase when the installation interface is accessible from the network.
An unauthorized remote attacker gains full administrative control over the Vasion Print Virtual Appliance system, which includes access to all data, configurations, managed printers, and users.
The Virtual Appliance Host should be updated to version 22.0.1049 or newer and the Virtual Appliance Application to version 20.0.2786 or newer as soon as possible. Until the patch is deployed, network access to the installation interface should be restricted exclusively to trusted IP addresses, and the installation endpoint must not be publicly accessible. Detailed information is available in the vendor's security bulletins at help.printerlogic.com.
Vasion Print (PrinterLogic) Virtual Appliance Host in versions earlier than 22.0.1049 and Virtual Appliance Application in versions earlier than 20.0.2786 (VA/SaaS deployments).
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XVasion Virtual Appliance Application
APPVasion< 20.0.2786Vasion Virtual Appliance Host
APPVasion< 22.0.1049
Related vulnerabilities
Vasion Print Virtual Appliance — hasła w plikach plaintext dostępnych dla wszystkich
Vasion Print: hardcoded SSH key umożliwiający root access do appliance
Vasion Print: hardcoded klucz prywatny SSL we wszystkich instancjach
Hardcoded klucz prywatny GPG w Vasion Print Virtual Appliance
Vasion Print: hardcoded klucz prywatny CA i hasło w plikach konfiguracyjnych