Xerox has issued a security upgrade for critical and high-severity vulnerabilities in its FreeFlow Core product that researchers said could have allowed an attacker to remotely execute code.
Xerox FreeFlow Core is a print orchestration platform that handles prepress automation workflows, and it is often used by organizations that require large print operations, including packaging companies, marketing campaigns, universities and government agencies.
Horizon3.ai, a San Francisco-based pentesting and red team specialist, discovered recently that the software contained two serious flaws: a critical path traversal vulnerability, tracked as CVE-2025-8356, with a CVSS score of 9.8, that could have allowed an attacker to gain remote code execution; and a second vulnerability, tracked as CVE-2025-8355, with a CVSS score of 7.5, that involved improper handling of XML input and could have led to server-side request forgery attacks.
Horizon3.ai researchers said they learned of the issue in June after one of the company’s customers reported unusual network activity.
The customer described what it thought were false positives, as Horizon3.ai’s NodeZero security software was receiving alerts that an XML External Entity was being exploited on one of the customer’s machines. After investigating the incident alongside the customer, Horizon3.ai traced the issue to the two flaws in Xerox’s software.
Xerox’s Aug. 8 security bulletin urged customers to upgrade to FreeFlow Core version 8.0.5, which contains patches for the vulnerabilities.
“As these flaws are trivial to exploit, the recommended mitigation is to upgrade to a patched version as soon as possible,” said Jimi Sebree, security researcher at Horizon3.ai.
Printer vulnerabilities are often considered very serious because printing components typically require open access to other systems and thus, if compromised, could expose those systems to intrusion.
Sebree said customers with systems that cannot easily be patched should consider limiting access to the JMF Client service, which listens on port 4004 by default.
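One way to apply that interim mitigation on the server itself, as an added example that is not Xerox’s or Horizon3.ai’s guidance: the PowerShell below assumes FreeFlow Core is installed on a Windows Server host where Windows Defender Firewall is the enforcement point, and that the addresses in $TrustedSources (placeholders here) are the only hosts that legitimately submit JMF jobs. It verifies the listener, audits existing rules that already open the port, and then adds an inbound allow rule scoped to the trusted sources only.

```powershell
# Added example: scope inbound access to the FreeFlow Core JMF Client listener
# (TCP 4004 by default, per the article) to a known set of submitters.
# Assumptions: Windows Server host, Windows Defender Firewall, elevated session.
# The addresses below are placeholders; replace them with your real job submitters.

$JmfPort        = 4004
$TrustedSources = @('10.0.10.25', '10.0.10.0/24')   # placeholder trusted hosts/ranges
$RuleName       = 'FreeFlow Core JMF - allow trusted sources only'

# 1. Confirm the service is actually listening where the article says it does;
#    if the port was changed in the product configuration, adjust $JmfPort.
$listener = Get-NetTCPConnection -LocalPort $JmfPort -State Listen -ErrorAction SilentlyContinue
if (-not $listener) {
    Write-Warning "Nothing is listening on TCP $JmfPort. Check the JMF Client's configured port before continuing."
}

# 2. A scoped allow rule only helps if the profile denies inbound traffic by default.
Get-NetFirewallProfile | ForEach-Object {
    if ($_.DefaultInboundAction -ne 'Block') {
        Write-Warning "Profile '$($_.Name)' has DefaultInboundAction=$($_.DefaultInboundAction); inbound default-deny is required for this to be effective."
    }
}

# 3. Audit any existing rule that already opens the port more broadly than we want.
#    Windows Firewall evaluates explicit Block rules before Allow rules, so the fix
#    for an over-broad allow rule is to remove or re-scope it, not to add a blanket
#    Block rule (which would also cut off the trusted submitters).
$openRules = Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -eq "$JmfPort" } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }

foreach ($r in $openRules) {
    $scope = ($r | Get-NetFirewallAddressFilter).RemoteAddress -join ','
    Write-Host "Existing inbound allow rule for TCP ${JmfPort}: '$($r.DisplayName)' RemoteAddress=$scope"
}

# 4. Make the script idempotent, then create the scoped allow rule.
Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue | Remove-NetFirewallRule

New-NetFirewallRule -DisplayName $RuleName `
    -Direction Inbound -Protocol TCP -LocalPort $JmfPort `
    -RemoteAddress $TrustedSources -Action Allow -Profile Any -Enabled True | Out-Null

# 5. Show the resulting scope so the change can be recorded in the change ticket.
Get-NetFirewallRule -DisplayName $RuleName |
    Get-NetFirewallAddressFilter |
    Select-Object @{n='Rule';e={$RuleName}}, RemoteAddress
```

Review the audit output from step 3 before relying on the new rule: if an existing rule (for example one created by the product installer) already allows TCP 4004 from any address, it must be disabled or re-scoped, because leaving it in place makes the narrower rule redundant. This only limits network reach; it does not remove the flaws, so the patched 8.0.5 release remains the actual fix.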
A Xerox security official could not immediately be reached for comment.