Security researchers have disclosed critical vulnerabilities in Xerox FreeFlow Core that enable unauthenticated remote attackers to execute arbitrary code on vulnerable systems.
The proof-of-concept exploits are now publicly available, raising immediate concerns for organizations using the popular print orchestration platform.
Critical Vulnerabilities Discovered
Cybersecurity firm Horizon3.ai discovered two severe vulnerabilities in Xerox FreeFlow Core: an XML External Entity (XXE) injection flaw tracked as CVE-2025-8355 and a path traversal vulnerability designated CVE-2025-8356.
| Attribute | CVE-2025-8355 | CVE-2025-8356 |
| Severity | Critical | Critical |
| Impact | Remote Code Execution, SSRF | Remote Code Execution, File Upload |
| Affected Product | Xerox FreeFlow Core | Xerox FreeFlow Core |
| Vulnerability Type | XML External Entity (XXE) Injection | Path Traversal |
| Patched Version | 8.0.5 | 8.0.5 |
Both vulnerabilities allow attackers to achieve remote code execution without any authentication requirements, making them particularly dangerous for internet-facing installations.
The discovery originated from an unusual customer support request where Horizon3.ai’s NodeZero platform detected XXE exploitation callbacks from a host that supposedly didn’t contain the vulnerable software.
This anomaly prompted deeper investigation that ultimately uncovered the widespread vulnerability in FreeFlow Core installations.
Technical Analysis and Impact
FreeFlow Core serves as a comprehensive print orchestration platform primarily deployed in commercial print shops, packaging providers, universities, and government agencies handling large-scale printing operations.
The platform’s complex architecture includes multiple services, with the JMF Client service on port 4004 being the primary attack vector.
The XXE injection vulnerability exploits improper XML parsing in the JMF (Job Message Format) message handling system.
Attackers can submit malicious XML requests to perform server-side request forgery attacks and access sensitive system information.
More critically, the path traversal flaw in the file processing mechanism allows attackers to upload webshells to publicly accessible directories, providing immediate remote access to compromised systems.
The combination of these vulnerabilities creates a particularly attractive target for cybercriminals, especially considering that print workflows often contain pre-release marketing materials and sensitive corporate information.
The platform’s requirement for relatively open network access further amplifies the risk exposure.
Xerox has addressed both vulnerabilities in FreeFlow Core version 8.0.5, released on August 8, 2025, following a responsible disclosure process initiated by Horizon3.ai in June 2025.
The company worked collaboratively with the researchers over two months to develop and test patches before public release.
Organizations running FreeFlow Core are strongly urged to upgrade immediately to version 8.0.5.
Given the public availability of proof-of-concept exploits and the severity of the vulnerabilities, delaying patching could result in complete system compromise.
The disclosure timeline demonstrates industry best practices, with initial contact established in June, vulnerability confirmation and patch development throughout July, and coordinated public disclosure in August.
This measured approach allowed Xerox adequate time to develop comprehensive fixes while ensuring the security community receives timely notification of the risks.
Security teams should prioritize scanning for vulnerable FreeFlow Core installations and implementing emergency patches where immediate upgrades aren’t feasible.
AWS Security Services: 10-Point Executive Checklist - Download for Free
Source link
