CVE-2025-34194
📋 TL;DR
This vulnerability allows local unprivileged users to escalate privileges to SYSTEM level by exploiting insecure temporary file handling in Vasion Print (formerly PrinterLogic). The software creates files as SYSTEM in user-controlled temporary directories, enabling attackers to write arbitrary files and gain full system control. Affected systems include Vasion Print Virtual Appliance Host versions before 25.1.102 and Application versions before 25.1.1413 on Windows.
💻 Affected Systems
- Vasion Print (formerly PrinterLogic) Virtual Appliance Host
- Vasion Print (formerly PrinterLogic) Application
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with SYSTEM privileges, allowing attackers to install persistent malware, modify system files, steal credentials, and maintain persistent access.
Likely Case
Local privilege escalation leading to administrative control of the affected system, enabling configuration changes, binary injection, and lateral movement within the network.
If Mitigated
Limited impact if proper access controls restrict local user accounts and temporary directory permissions are hardened.
🎯 Exploit Status
Exploitation requires local user access but is straightforward once local access is obtained. The vulnerability involves symbolic link attacks in user-controlled temporary directories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Virtual Appliance Host: 25.1.102 or later; Application: 25.1.1413 or later
Vendor Advisory: https://help.printerlogic.com/saas/Print/Security/Security-Bulletins.htm
Restart Required: Yes
Instructions:
1. Identify affected Vasion Print installations.
2. Update Virtual Appliance Host to version 25.1.102 or later.
3. Update Application to version 25.1.1413 or later for Windows deployments.
4. Restart affected services and systems.
5. Verify the update was successful.
🔧 Temporary Workarounds
Restrict temporary directory permissions
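Windows: Modify permissions on C:\Users\%USERNAME%\AppData\Local\Temp\ to prevent symbolic link creation by non-administrative users. The deny entry below also blocks the user from creating, writing and deleting files in that directory, so test application impact before deploying it broadly.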
icacls "C:\Users\%USERNAME%\AppData\Local\Temp" /deny %USERNAME%:(OI)(CI)(DE,DC,WD,AD,WDAC,WO)
Disable PrinterInstallerClient service
Windows: Temporarily disable the vulnerable PrinterInstallerClient component if not required
sc stop PrinterInstallerClient
sc config PrinterInstallerClient start= disabled
🧯 If You Can't Patch
- Implement strict access controls to limit local user accounts on affected systems
- Monitor for suspicious file creation activities in user temporary directories and for privilege escalation attempts
🔍 How to Verify
Check if Vulnerable:
Check Vasion Print version: Virtual Appliance Host versions below 25.1.102 or Application versions below 25.1.1413 on Windows are vulnerable
Check Version:
Check Vasion Print administration console or application properties for version information
Verify Fix Applied:
Verify installed version is Virtual Appliance Host 25.1.102+ or Application 25.1.1413+ and test for privilege escalation attempts
📡 Detection & Monitoring
Log Indicators:
- Unusual file creation in SYSTEM context within user temp directories
- Privilege escalation attempts from local user to SYSTEM
- Symbolic link creation in C:\Users\*\AppData\Local\Temp\
Network Indicators:
- No specific network indicators as this is local exploitation
SIEM Query:
EventID=4688 AND NewProcessName LIKE '%PrinterInstallerClient%' AND SubjectUserName!=SYSTEM AND TokenElevationType=%%1938
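The first log indicator above (file creation in SYSTEM context within user temp directories) can be triaged offline from exported file-creation events. The following is an added example, not code from the vendor or the advisory; it assumes events exported as dictionaries with `User`, `Image`, `TargetFilename` and `UtcTime` fields (modelled on Sysmon FileCreate events), and the sample events and image paths are constructed placeholders.

```python
import re

# Path inside any user's per-profile Temp directory; captures the profile name.
USER_TEMP = re.compile(r"^[A-Za-z]:\\Users\\([^\\]+)\\AppData\\Local\\Temp\\", re.IGNORECASE)
SYSTEM_ACCOUNTS = {"nt authority\\system", "system"}
COMPONENT = "printerinstallerclient"  # service name given in the advisory


def flag_system_temp_writes(events):
    """Return file-creation events where a SYSTEM-context process wrote into
    a user's Temp directory, with hits from the Vasion component sorted first."""
    hits = []
    for ev in events:
        match = USER_TEMP.match(ev.get("TargetFilename", ""))
        if not match:
            continue  # target is not under a per-user Temp directory
        if ev.get("User", "").lower() not in SYSTEM_ACCOUNTS:
            continue  # a user writing to their own Temp is normal
        image = ev.get("Image", "")
        hits.append({
            "time": ev.get("UtcTime"),
            "profile": match.group(1),
            "image": image,
            "target": ev["TargetFilename"],
            "vasion": COMPONENT in image.lower(),
        })
    # sorted() is stable, so input order is kept within each group.
    return sorted(hits, key=lambda h: not h["vasion"])


# Constructed sample events; image paths are placeholders, not the product's real paths.
SAMPLE_EVENTS = [
    {"UtcTime": "2025-01-01 10:00:01", "User": r"NT AUTHORITY\SYSTEM",
     "Image": r"C:\Placeholder\installer.exe",
     "TargetFilename": r"c:\users\bob\appdata\local\temp\setup.dat"},
    {"UtcTime": "2025-01-01 10:00:02", "User": r"CORP\alice",
     "Image": r"C:\Placeholder\editor.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\draft.txt"},
    {"UtcTime": "2025-01-01 10:00:03", "User": r"NT AUTHORITY\SYSTEM",
     "Image": r"C:\Placeholder\updater.exe",
     "TargetFilename": r"C:\Windows\Temp\update.log"},
    {"UtcTime": "2025-01-01 10:00:04", "User": r"NT AUTHORITY\SYSTEM",
     "Image": r"C:\Placeholder\PrinterInstallerClient.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\example.tmp"},
]

if __name__ == "__main__":
    for hit in flag_system_temp_writes(SAMPLE_EVENTS):
        print(hit["time"], hit["profile"], hit["image"], "->", hit["target"])
```

Other SYSTEM-context installers also write into user Temp directories, so hits that do not involve PrinterInstallerClient need a per-environment baseline before alerting on them.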
🔗 References
- https://help.printerlogic.com/saas/Print/Security/Security-Bulletins.htm
- https://help.printerlogic.com/va/Print/Security/Security-Bulletins.htm
- https://pierrekim.github.io/blog/2025-04-08-vasion-printerlogic-83-vulnerabilities.html#win-lpe-02
- https://www.vulncheck.com/advisories/vasion-print-printerlogic-lpe-via-insecure-temporary-file-handling