Xerox patched two serious flaws in FreeFlow Core, a path traversal and an XXE injection, that allowed unauthenticated remote code execution.
Xerox addressed two serious flaws in FreeFlow Core, tracked as CVE-2025-8355 and CVE-2025-8356. The vulnerabilities are an XXE injection (CVE-2025-8355) and a path traversal (CVE-2025-8356), which allowed an unauthenticated attacker to achieve remote code execution.
FreeFlow Core is a print automation and workflow management platform that helps print service providers and in-house print operations streamline and automate prepress tasks before jobs go to production printers.
“We discovered XXE Injection (CVE-2025-8355) and Path Traversal (CVE-2025-8356) vulnerabilities in Xerox FreeFlow Core, a print orchestration platform.” reads the report published by cybersecurity firm Horizon3, which discovered the two vulnerabilities. “These vulnerabilities are easily exploitable and enable unauthenticated remote attackers to achieve remote code execution on vulnerable FreeFlow Core instances.”
Xerox addressed both issues in FreeFlow Core version 8.0.5; users are advised to upgrade as soon as possible.
CVE-2025-8355 is an XML External Entity (XXE) injection in Xerox FreeFlow Core’s JMF Client service: improperly sanitized XML lets an attacker declare external entities, enabling SSRF attacks. During the investigation, the experts discovered a more severe issue, CVE-2025-8356, a path traversal vulnerability in file-handling routines that lets attackers place a webshell in a publicly accessible location. Combined, these flaws allow remote attackers to execute malicious payloads through JMF commands and leverage web portals for delivery.
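As an added example (not Xerox's or Horizon3's code), the two defensive checks that close the bug classes described above, written in Python with constructed sample inputs: an XML reader that refuses DOCTYPE/ENTITY declarations, and a path resolver that confines a job-supplied file name to one output directory. The JMF message shape and the output directory are assumptions.

```python
# Added example, not the vendor's code: defensive handling of XXE and path
# traversal for an XML-driven job service such as the one described above.
import os
import re
import xml.etree.ElementTree as ET

# Job messages need neither a DOCTYPE nor entity declarations, so any
# occurrence is rejected outright rather than "sanitised" in place.
_FORBIDDEN = re.compile(rb"<!(?:DOCTYPE|ENTITY)", re.IGNORECASE)


def parse_job_xml(data: bytes) -> ET.Element:
    """Parse an inbound XML message, refusing anything that could carry XXE."""
    if _FORBIDDEN.search(data):
        raise ValueError("DOCTYPE/ENTITY declarations are not accepted")
    # Python's expat does not fetch external entities by default, but the
    # explicit check above keeps safety from depending on parser defaults.
    return ET.fromstring(data)


def resolve_output_path(base_dir: str, job_file_name: str) -> str:
    """Return an absolute path under base_dir, or raise if it escapes it."""
    base = os.path.realpath(base_dir)
    # Absolute names and drive letters are rejected before joining; the join
    # is then canonicalised so "..", symlinks and mixed separators resolve.
    if os.path.isabs(job_file_name) or os.path.splitdrive(job_file_name)[0]:
        raise ValueError("absolute paths are not accepted")
    candidate = os.path.realpath(os.path.join(base, job_file_name))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"path escapes output directory: {job_file_name}")
    return candidate


def rejects(fn, *args) -> bool:
    """True if fn(*args) raises ValueError (helper for checking refusals)."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


# Constructed sample inputs (not captured traffic): a benign JMF-style
# message and one carrying an external entity declaration.
BENIGN_JMF = b'<JMF SenderID="client"><Command Type="SubmitQueueEntry"/></JMF>'
XXE_JMF = (b'<!DOCTYPE JMF [<!ENTITY x SYSTEM "http://localhost/">]>'
           b'<JMF>&x;</JMF>')
OUTPUT_DIR = "/srv/freeflow/output"  # assumed, not the product's real path
```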
“Given the nature of the product, FreeFlow Core installations have a lot of moving parts and require relatively open access and availability, which combined with the fact that print jobs of this kind generally contain pre-public information around marketing campaigns makes this an ideal target for attackers.” concludes the report.
(SecurityAffairs – hacking, Xerox)