
Xerox fixed path traversal and XXE bugs in FreeFlow Core

  • August 18, 2025

Jasper_The_Rasper
Moderator

August 18, 2025 By Pierluigi Paganini

 

 

Xerox patched two serious flaws in FreeFlow Core, path traversal and XXE injection, that allowed unauthenticated remote code execution.

Xerox addressed two serious flaws, respectively tracked as CVE-2025-8355 and CVE-2025-8356, in FreeFlow Core. The vulnerabilities are a path traversal (CVE-2025-8355) and XXE injection (CVE-2025-8356), which allowed an unauthenticated attacker to achieve remote code execution.

FreeFlow Core is a print automation and workflow management platform. It helps print service providers and in-house print operations streamline and automate prepress tasks before jobs go to production printers.

“We discovered XXE Injection (CVE-2025-8355) and Path Traversal (CVE-2025-8356) vulnerabilities in Xerox FreeFlow Core, a print orchestration platform,” reads the report published by cybersecurity firm Horizon3, which discovered the two vulnerabilities. “These vulnerabilities are easily exploitable and enable unauthenticated remote attackers to achieve remote code execution on vulnerable FreeFlow Core instances.”

Xerox addressed both issues in FreeFlow Core version 8.0.5; users are advised to upgrade as soon as possible.

 
