Published:2025年09月17日 Last Updated:2025年09月17日
JVNVU#90253343
Multiple vulnerabilities in Xerox Freeflow Core
Overview
Xerox Freeflow Core provided by FUJIFILM Business Innovation Corp. contains multiple vulnerabilities.
Products Affected
- Xerox FreeFlow Core 7.0.0 to 7.0.11
Description
Xerox FreeFlow Core provided by FUJIFILM Business Innovation Corp. contains multiple vulnerabilities listed below.
- XML external entity reference (XXE) (CWE-611)
- CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N Base Score 8.7
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Base Score 7.5
- CVE-2025-8355
- Path traversal (CWE-22)
- CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Base Score 9.7
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Base Score 9.8
- CVE-2025-8356
Impact
- A remote attacker may obtain the information stored in the device (CVE-2025-8355)
- A remote attacker may execute arbitrary code (CVE-2025-8356)
Solution
Apply the workaround
Applying the following workarounds to mitigate the impacts of these vulnerabilities.
- Use the device within a firewall-protected network
- Restrict connections to a specific port (Port 4004/TCP)
Vendor Status
Vendor
Link
FUJIFILM Business Innovation Corp.
Notification about the vulnerability in Xerox FreeFlow Core
Xerox Corporation
Xerox Security Bulletin XRX25-013 for Freeflow Core
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
FUJIFILM Business Innovation Corp. reported these vulnerabilities to JPCERT/CC to notify users of the solutions through JVN.