Published:2025/09/17 Last Updated:2026/04/08
JVNVU#90253343
Multiple vulnerabilities in Xerox Freeflow Core
Overview
Xerox Freeflow Core provided by FUJIFILM Business Innovation Corp. contains multiple vulnerabilities.
Products Affected
- Xerox FreeFlow Core 7.0.0 to 7.0.11
Description
Xerox FreeFlow Core provided by FUJIFILM Business Innovation Corp. contains multiple vulnerabilities listed below.
- XML external entity reference (XXE) (CWE-611)
- CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N Base Score 8.7
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Base Score 7.5
- CVE-2025-8355
- Path traversal (CWE-22)
- CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Base Score 9.3
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Base Score 9.8
- CVE-2025-8356
Impact
- A remote attacker may obtain the information stored in the device (CVE-2025-8355)
- A remote attacker may execute arbitrary code (CVE-2025-8356)
Solution
Update the Software
Update the software to the latest version according to the information provided by the developer.
The developer has released the following version to address these vulnerabilities.
- Xerox FreeFlow Core 8.1.0
Applying the following workarounds to mitigate the impacts of these vulnerabilities.
- Use the device within a firewall-protected network
- Restrict connections to a specific port (Port 4004/TCP)
Vendor Status
| Vendor | Link |
| FUJIFILM Business Innovation Corp. | Notification about the vulnerability (CVE-2025-8355/8356) in Xerox FreeFlow Core |
| Xerox Corporation | Xerox Security Bulletin XRX25-013 for Freeflow Core |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
FUJIFILM Business Innovation Corp. reported these vulnerabilities to JPCERT/CC to notify users of the solutions through JVN.
Update History
- 2026/04/08
- Updated information under the section [Solution] and [Vendor Status], fixed typo under the section [Description]