Description
Vasion Print (formerly PrinterLogic) Virtual Appliance Host and Application (VA/SaaS deployments) contain an undocumented 'printerlogic' user with a hardcoded SSH public key in '~/.ssh/authorized_keys' and a sudoers rule granting the printerlogic_ssh group 'NOPASSWD: ALL'. Possession of the matching private key gives an attacker root access to the appliance.
References (4)
Core References
Exploit, Third Party Advisory [technical-description]: https://pierrekim.github.io/blog/2025-04-08-vasion-printerlogic-83-vulnerabilities.html#va-undocumented-hardcoded-ssh-key
Vendor Advisory [vendor-advisory, patch]: https://help.printerlogic.com/va/Print/Security/Security-Bulletins.htm
Vendor Advisory [vendor-advisory, patch]: https://help.printerlogic.com/saas/Print/Security/Security-Bulletins.htm
Broken Link [third-party-advisory]: https://www.vulncheck.com/advisories/vasion-print-printerlogic-incorrect-encryption-algorithms-used-to-store-passwords
Scores
CVSS v3: 9.8
EPSS: 0.0068
EPSS Percentile: 47.4%
Attack Vector: NETWORK (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: yes
Technical Impact: total
Details
CWE: CWE-321
Status: published
Products (2): vasion/virtual_appliance_application, vasion/virtual_appliance_host
Published: Sep 30, 2025
Tracked Since: Feb 18, 2026