Two severe vulnerabilities had been patched lately by Xerox in its FreeFlow Core print orchestration platform.
In accordance with pentesting firm Horizon3, whose researchers found the issues, FreeFlow Core is affected by an XXE injection flaw (CVE-2025-8355) and a path traversal subject (CVE-2025-8356).
The researchers found that the vulnerabilities might enable an unauthenticated, distant attacker to execute arbitrary code on affected FreeFlow Core cases.
The potential affect has been demonstrated with an exploit that positioned a webshell on the focused system.
FreeFlow Core is designed for prepress automation workflows and it’s sometimes utilized by organizations with large-scale printing operations, together with universities, packaging and advertising and marketing corporations, and even authorities companies, in response to Horizon3.
“Given the character of the product, FreeFlow Core installations have quite a lot of shifting elements and require comparatively open entry and availability, which mixed with the truth that print jobs of this type usually comprise pre-public info round advertising and marketing campaigns makes this a super goal for attackers,” the safety agency warned.
The vulnerabilities had been reported to Xerox in June they usually had been patched on August 8, when the seller revealed an advisory to tell prospects concerning the availability of patches. Fixes are included in FreeFlow Core model 8.0.5.
Earlier this yr, researchers disclosed vulnerabilities in Xerox VersaLink multifunction printers that might enable attackers to retrieve authentication credentials, which might then be used for lateral motion.Commercial. Scroll to proceed studying.
Associated: New Vulnerabilities Expose Tens of millions of Brother Printers to Hacking
Associated: Printer Firm Procolored Served Contaminated Software program for Months
Associated: Important Vulnerability Present in Canon Printer Drivers
Associated: Fortinet, Ivanti Launch August 2025 Safety Patches
