Four years of back and forth between security researchers and Vasion Print

Vasion Print was vulnerable. However, communication regarding the security vulnerabilities was not optimal.


A security researcher claims to have reported 83 security vulnerabilities in the printer automation software Vasion Print (formerly PrinterLogic) to the software manufacturer at the end of 2021. According to him, there has been constant contact since then, but it remains largely unclear whether all of the security problems have now been fixed.

The German Federal Office for Information Security (BSI) and the National Institute of Standards and Technology (NIST) have now listed some vulnerabilities. An answer to heise security's enquiry to the software manufacturer on the status quo of the security issues is still pending.

Update

In the meantime, those responsible have issued a statement to heise security assuring that all vulnerabilities have been closed. However, this is still difficult to ascertain from the security portal on the Vasion Print website. Communication between those responsible and the security researcher was not optimal, and contact with heise security took a long time and was misleading.

This report has been updated several times, most recently on 9 October 2025.

In an article published in April of this year, the security researcher lists the timeline and detailed information on the security vulnerabilities. Among other things, it shows that he first contacted the software manufacturer in November 2021. He says he remained in constant contact with the manufacturer from then until spring 2025 and that they discussed the security issues. The software vulnerabilities affect Linux, macOS, and Windows clients.

As can be seen from the article, CVE numbers have not yet been assigned for some vulnerabilities. For others, the threat level has not yet been categorised. More detailed information is available for other vulnerabilities.

Attackers on Linux or macOS can exploit a vulnerability (CVE-2025-34192, "critical") to weaken TLS connections: the Vasion Print Virtual Appliance Host uses a cryptography component that has not been supported since 2019. Versions 20.0.2140 and 22.0.893 onward are supposed to be protected against this.

Attackers can gain system rights by successfully exploiting another vulnerability (CVE-2025-34193 “high”). At this point, it remains unclear whether there is already a security update. It is not clear from the security section of the Vasion website for the SaaS version and Virtual Appliance Host whether all vulnerabilities reported by the security researcher have now been closed.

Update

Vasion has now sent us another link. This link provides a clearer overview of the security vulnerabilities that have been closed.

The security researcher states that, in the course of communication, the software provider did not recognize some vulnerabilities as a threat and forwarded the proposed fixes to the development department as suggestions for improvement rather than as security patches.

Because the patch status of all the issues mentioned by the security researcher is still unclear, admins should ensure that they have installed the latest release. If Vasion responds with a statement, we will update this post.

(des)

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.