Published:2025/09/17  Last Updated:2025/09/17

JVNVU#90253343
Multiple vulnerabilities in Xerox Freeflow Core

Overview

Xerox Freeflow Core provided by FUJIFILM Business Innovation Corp. contains multiple vulnerabilities.

Products Affected

  • Xerox FreeFlow Core 7.0.0 to 7.0.11

Description

Xerox FreeFlow Core provided by FUJIFILM Business Innovation Corp. contains multiple vulnerabilities listed below.

  • XML external entity reference (XXE) (CWE-611)
    • CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N Base Score 8.7
    • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Base Score 7.5
    • CVE-2025-8355
  • Path traversal (CWE-22)
    • CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Base Score 9.7
    • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Base Score 9.8
    • CVE-2025-8356

Impact

  • A remote attacker may obtain the information stored in the device (CVE-2025-8355)
  • A remote attacker may execute arbitrary code (CVE-2025-8356)

Solution

Apply the workaround
Applying the following workarounds to mitigate the impacts of these vulnerabilities.

  • Use the device within a firewall-protected network
  • Restrict connections to a specific port (Port 4004/TCP)
For more information, refer to the information provided by the developer.

Vendor Status

Vendor Link
FUJIFILM Business Innovation Corp. Notification about the vulnerability in Xerox FreeFlow Core
Xerox Corporation Xerox Security Bulletin XRX25-013 for Freeflow Core

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Credit

FUJIFILM Business Innovation Corp. reported these vulnerabilities to JPCERT/CC to notify users of the solutions through JVN.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE
JVN iPedia