Xerox FreeFlow Vulnerabilities Enable SSRF and RCE Attacks: A Comprehensive Overview
An urgent security update has been released for Xerox FreeFlow Core software, addressing two critical vulnerabilities that could enable attackers to execute remote code and perform server-side request forgery attacks. The vulnerabilities, identified as CVE-2025-8355 and CVE-2025-8356, affect FreeFlow Core version 8.0.4 and require immediate patching to prevent exploitation. Security researchers at Horizon3.ai discovered these flaws and collaborated with Xerox to develop appropriate mitigations.

The first vulnerability, CVE-2025-8355, is an XML External Entity (XXE) processing flaw that leads to Server-Side Request Forgery (SSRF): an attacker can manipulate the XML parser into making unauthorized requests to internal systems. The second vulnerability, CVE-2025-8356, is a path traversal weakness that can escalate to Remote Code Execution (RCE), enabling attackers to access files and directories outside the intended application scope.
Xerox issued a Security Bulletin on August 8, 2025, highlighting the critical nature of these vulnerabilities and urging immediate remediation. Both vulnerabilities have been rated at an “IMPORTANT” severity level, indicating significant potential impact on affected systems. Organisations running FreeFlow Core in their print infrastructure face substantial risk if these vulnerabilities remain unpatched, as successful exploitation could compromise entire network segments. Jimi Sebree from Horizon3.ai worked with Xerox’s security team through responsible disclosure practices to ensure that proper fixes were developed before the public announcement. Xerox has released FreeFlow Core version 8.0.5 as the definitive solution, which includes comprehensive patches for both CVE-2025-8355 and CVE-2025-8356. Organisations should prioritise immediate upgrades to safeguard their systems.
Categories: Security Vulnerabilities, Software Updates, Risk Mitigation
Tags: Xerox, FreeFlow Core, Vulnerabilities, CVE-2025-8355, CVE-2025-8356, SSRF, RCE, Patch, Security Bulletin, Mitigations