How to fix CVE-2025-34208?

Within 7 days: Identify all affected systems and apply vendor patches promptly. Monitor vendor channels for patch availability.

Is PHP affected by CVE-2025-34208?

CVE-2025-34208 presents notable security risk, a broken cryptography vulnerability rated CVSS 7.5. Exploitation could compromise the security of affected deployments. Proof-of-concept code is publicly available, increasing the risk of exploitation.

CVE-2025-34208

EUVD-2025-32644 HIGH

2025-10-02 [email protected]

7.5

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 13, 2026 - 19:12 vuln.today

EUVD ID Assigned

Mar 13, 2026 - 19:12 euvd

EUVD-2025-32644

PoC Detected

Oct 09, 2025 - 19:17 vuln.today

Public exploit code

CVE Published

Oct 02, 2025 - 17:16 nvd

HIGH 7.5

Description

Vasion Print (formerly PrinterLogic) Virtual Appliance Host and Application (VA/SaaS deployments) store user passwords using unsalted SHA-512 hashes with a fall-back to unsalted SHA-1. The hashing is performed via PHP's `hash()` function in multiple files (server_write_requests_users.php, update_database.php, legacy/Login.php, tests/Unit/Api/IdpControllerTest.php). No per-user salt is used and the fast hash algorithms are unsuitable for password storage. An attacker who obtains the password database can recover cleartext passwords via offline dictionary or rainbow table attacks. The vulnerable code also contains logic that migrates legacy SHA-1 hashes to SHA-512 on login, further exposing users still on the old hash. This vulnerability was partially resolved, but still present within the legacy authentication platform.

Analysis

Vasion Print (formerly PrinterLogic) Virtual Appliance Host and Application (VA/SaaS deployments) store user passwords using unsalted SHA-512 hashes with a fall-back to unsalted SHA-1. The hashing is performed via PHP's hash() function in multiple files (server_write_requests_users.php, update_database.php, legacy/Login.php, tests/Unit/Api/IdpControllerTest.php). No per-user salt is used and the fast hash algorithms are unsuitable for password storage. An attacker who obtains the password database can recover cleartext passwords via offline dictionary or rainbow table attacks. The vulnerable code also contains logic that migrates legacy SHA-1 hashes to SHA-512 on login, further exposing users still on the old hash. This vulnerability was partially resolved, but still present within the legacy authentication platform.

Technical Context

This vulnerability is classified as Use of a Broken or Risky Cryptographic Algorithm (CWE-327).

Affected Products

Affected products: Vasion Virtual Appliance Application -, Vasion Virtual Appliance Host -

Remediation

Monitor vendor advisories for patches. Apply mitigations such as network segmentation, access restrictions, and monitoring.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.1

CVSS: +38

POC: +20

CVE-2025-34208 vulnerability details – vuln.today

Back

CVE-2025-34208

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2025-34208

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code