Overview
This report covers the CVE-2025-34189 vulnerability found in Vasion Print’s Virtual Appliance Host and Application versions. The flaw lies in the local inter-process communication (IPC) mechanism that can be exploited by a local attacker to hijack user sessions and perform unauthorized actions. This poses a significant threat to system integrity and data confidentiality.
Vulnerability Summary
CVE ID: CVE-2025-34189
Severity: High (7.8 CVSS Score)
Attack Vector: Local
Privileges Required: Low
User Interaction: None
Impact: Unauthorized actions in user sessions, potential system compromise, and data leakage
Affected Products
Escape the Surveillance Era
Most apps won’t tell you the truth.
They’re part of the problem.
Phone numbers. Emails. Profiles. Logs.
It’s all fuel for surveillance.
Ameeba Chat gives you a way out.
- • No phone number
- • No email
- • No personal info
- • Anonymous aliases
- • End-to-end encrypted
Chat without a trace.
Product | Affected Versions
Vasion Print Virtual Appliance Host | Versions prior to 1.0.735
Vasion Print Application (macOS/Linux client deployments) | Versions prior to 20.0.1330
How the Exploit Works
The vulnerability stems from the misuse of IPC mechanism. IPC request and response files are stored inside /opt/PrinterInstallerClient/tmp, which have world-readable and world-writable permissions. Therefore, any local user can craft malicious request files, which when processed by privileged daemons, can lead to unauthorized actions being performed in other user sessions.
Conceptual Example Code
Below is a conceptual shell command an attacker might use to exploit this vulnerability:
echo "{malicious_command: '...'}" > /opt/PrinterInstallerClient/tmp/request-fileThis command creates a request file with a malicious command in the location that is processed by privileged daemons, leading to the potential execution of unauthorized actions.
