A high-severity vulnerability has been discovered in Xerox FreeFlow Core software, assigned CVE-2025-8355. This flaw could allow a remote, unauthenticated attacker to execute arbitrary code on the affected server by submitting a malicious print job. Successful exploitation could lead to a complete system compromise, enabling attackers to access sensitive documents, disrupt print operations, and move laterally within the network.

The vulnerability is an out-of-bounds write condition within the job ticket parsing engine of the Xerox FreeFlow Core server. An unauthenticated attacker on the network can send a specially crafted job submission request containing a malformed data structure. When the server processes this malicious request, it can trigger a buffer overflow, allowing the attacker to execute arbitrary code with the permissions of the FreeFlow Core service account.

This vulnerability presents a significant risk to the organization, reflected by its High severity rating with a CVSS score of 7.5. The FreeFlow Core server is a central hub for document workflow and often processes sensitive, confidential, or business-critical information, including financial reports, intellectual property, and personal data. Exploitation could lead to severe consequences, including:

• Data Breach: An attacker could exfiltrate all documents processed by the server, leading to a major confidentiality breach.
• Integrity Loss: Malicious actors could alter or delete print jobs and workflows, disrupting business operations.
• System Compromise: Gaining code execution on the server provides a foothold for attackers to pivot and attack other systems within the internal network.

Immediate Action: The primary remediation is to apply the security updates provided by the vendor immediately. After patching, it is crucial to monitor systems for any signs of post-remediation exploitation attempts and to review historical access and application logs for indicators of compromise prior to the patch.

Proactive Monitoring:

• Log Analysis: Review FreeFlow Core application logs for repeated errors, crashes, or warnings related to job processing. Scrutinize Windows Event Logs on the server for unusual process creation originating from the FreeFlow Core service (e.g., cmd.exe, powershell.exe).
• Network Monitoring: Monitor for anomalous outbound network connections from the FreeFlow Core server to unexpected IP addresses or ports.
• File System Monitoring: Check for the creation of unexpected files or scripts in directories used by the FreeFlow application.

Compensating Controls: If immediate patching is not feasible, implement the following controls to reduce risk:

• Network Segmentation: Isolate the FreeFlow Core server from the general corporate network and the internet.
• Access Control: Use a host-based or network firewall to strictly limit access to the server's listening ports, allowing connections only from trusted print sources and administrative workstations.
• Principle of Least Privilege: Ensure the service account running FreeFlow Core has the minimum necessary permissions and does not have administrative rights on the system.

Public Exploit Available: false

Given the high severity (CVSS 7.5) and the risk of unauthenticated remote code execution, this vulnerability requires immediate attention. Organizations must prioritize applying the vendor-supplied patch to all affected Xerox FreeFlow Core instances, starting with those that are most exposed or process the most sensitive data. Although this CVE is not currently on the CISA KEV list, its characteristics make it a prime target for future exploitation, and proactive remediation is the most effective defense.