Xerox has released a security update for FreeFlow Core, addressing two high-impact vulnerabilities that could allow attackers to perform Server-Side Request Forgery (SSRF) or gain Remote Code Execution (RCE) on affected systems. Both flaws affect version 8.0.4 and have been resolved in version 8.0.5, now available from Xerox.com.
CVE-2025-8355 – XML External Entity Injection Leading to SSRF (CVSS 7.5)
The first flaw arises from improper handling of XML input in FreeFlow Core 8.0.4. XML External Entity (XXE) injection becomes possible when a parser accepts a DOCTYPE from untrusted input and resolves the external entities it declares, fetching whatever URL each entity names. According to Xerox, “an attacker can craft malicious XML containing references to internal URLs,” so the request is issued by the FreeFlow Core server itself, from its position on the internal network.
This type of Server-Side Request Forgery (SSRF) could be used to:
- Probe internal network services.
- Access sensitive data from otherwise protected systems.
- Bypass firewall restrictions.
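The following is an added example, not code from the original post and not FreeFlow Core's code; it shows at the parser level what “references to internal URLs” means and one hardening. It uses Python's standard-library expat binding. The job XML and the 127.0.0.1 URL are constructed samples, and the example records the URL the parser asks for instead of fetching it, so it runs offline.

```python
"""Added illustration of XXE-to-SSRF and a DOCTYPE-rejecting hardening.

Generic example code; not FreeFlow Core code and not taken from the advisory.
"""
import xml.parsers.expat as expat

# Constructed attacker input: the DOCTYPE declares an external general entity
# whose SYSTEM identifier is an internal address, then the body references it.
# A parser that resolves the entity will make that request for the attacker.
CONSTRUCTED_XXE = b"""<?xml version="1.0"?>
<!DOCTYPE job [
  <!ENTITY probe SYSTEM "http://127.0.0.1:8080/internal/status">
]>
<job><name>&probe;</name></job>
"""

# Constructed benign input with no DTD at all.
CONSTRUCTED_BENIGN = b"<job><name>print-run-42</name></job>"


def vulnerable_parse(xml_bytes):
    """Parse with external entity resolution enabled.

    Returns the list of SYSTEM identifiers the parser asked to fetch. A real
    application would perform the HTTP request here (that is the SSRF); this
    example only records the URL so that it runs offline.
    """
    requested = []
    parser = expat.ParserCreate()

    def on_external_entity(context, base, system_id, public_id):
        requested.append(system_id)
        return 1  # tell expat the entity was handled; nothing is fetched

    parser.ExternalEntityRefHandler = on_external_entity
    parser.Parse(xml_bytes, True)
    return requested


def hardened_parse(xml_bytes):
    """Refuse any document carrying a DOCTYPE, before entities can be declared.

    Returns (accepted, text): text is the character data collected from a
    document that passed. Rejecting the DTD outright is the simplest robust
    fix and is the default behaviour of libraries such as defusedxml.
    """
    text = []
    parser = expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        raise ValueError("DOCTYPE declarations are not accepted")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.CharacterDataHandler = text.append
    try:
        parser.Parse(xml_bytes, True)
    except (ValueError, expat.ExpatError):
        return False, ""
    return True, "".join(text)


if __name__ == "__main__":
    print("vulnerable parser would request:", vulnerable_parse(CONSTRUCTED_XXE))
    print("hardened parser on attack input:", hardened_parse(CONSTRUCTED_XXE))
    print("hardened parser on benign input:", hardened_parse(CONSTRUCTED_BENIGN))
```

The vulnerable path shows the SSRF primitive in isolation: the application never touches the URL, the parser does, which is why disabling DTD processing (or rejecting DOCTYPE entirely) is the fix rather than filtering the document body.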
CVE-2025-8356 – Path Traversal Leading to RCE (CVSS 9.8)
The second, and far more severe, vulnerability stems from a Path Traversal flaw in the same version: a file path built from request input is not canonicalised, so sequences such as "../" can steer it outside the directory the application intended to expose. Exploiting this weakness, “an attacker can… access unauthorized files on the server,” potentially escalating the attack to Remote Code Execution.
With RCE, a threat actor could:
- Execute arbitrary commands on the underlying server.
- Install malware or backdoors.
- Pivot deeper into the network to target additional systems.
Given its critical CVSS score of 9.8, this vulnerability poses a serious risk to organizations that have not yet applied the patch.
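As an added illustration (not code from the post and not Xerox's code), the following shows the generic vulnerable pattern behind a path traversal, a string-prefix check that still fails, and a canonicalisation check that holds. The root directory and the request strings are constructed for the example and assume a POSIX filesystem.

```python
"""Added illustration of path traversal and a correct containment check.

Generic example code; not FreeFlow Core code and not taken from the advisory.
"""
import os

# Hypothetical directory the application means to serve files from (an
# assumption for this example, not a path from the advisory).
JOB_ROOT = "/srv/jobs"

# Constructed request values of the kinds a traversal check must handle.
CONSTRUCTED_REQUESTS = [
    "output/run-42.pdf",   # legitimate
    "../../etc/passwd",    # classic dot-dot traversal
    "/etc/passwd",         # absolute path: os.path.join discards the root
    "../jobs-archive/x",   # sibling directory sharing the root's string prefix
]


def naive_resolve(root, requested):
    """The vulnerable pattern: join the client value onto the root and trust it."""
    return os.path.normpath(os.path.join(root, requested))


def prefix_resolve(root, requested):
    """A common but insufficient fix: a string-prefix check on the real path."""
    candidate = os.path.realpath(os.path.join(root, requested))
    return candidate if candidate.startswith(os.path.realpath(root)) else None


def safe_resolve(root, requested):
    """Return the canonical path only if it lies inside root, else None.

    Reject absolute client paths, canonicalise (realpath collapses '..' and
    symlinks), then compare path components with commonpath rather than a
    string prefix so '/srv/jobs-archive' is not mistaken for '/srv/jobs'.
    Run this on the decoded value the file API will actually receive.
    """
    if os.path.isabs(requested):
        return None
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, requested))
    if os.path.commonpath([root_real, candidate]) != root_real:
        return None
    return candidate


def classify(root, requests):
    """Map each request to (naive, prefix_check, safe) results for comparison."""
    return {
        r: (naive_resolve(root, r), prefix_resolve(root, r), safe_resolve(root, r))
        for r in requests
    }


if __name__ == "__main__":
    for req, (naive, prefix, safe) in classify(JOB_ROOT, CONSTRUCTED_REQUESTS).items():
        print(f"{req!r:22} naive={naive!r:28} prefix={prefix!r:28} safe={safe!r}")
```

The sibling-directory case is the one most hand-rolled checks miss: the resolved path really does start with the root string, yet it is a different directory. Comparing components rather than characters, after canonicalisation, closes both that and the absolute-path case.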
Xerox urges all customers to upgrade to FreeFlow Core version 8.0.5 immediately to mitigate these threats. The update is available through the official Xerox website; after installing it, confirm that the reported version is 8.0.5, and until the patch is applied, limit which networks can reach the FreeFlow Core host.