2025-08-13

Xerox has patched two flaws in its FreeFlow Core software, including a critical path traversal bug that could lead to remote code execution (RCE).

Xerox FreeFlow Core is a print job orchestration software that helps organizations with large-scale printing operations automate their printing workflows.

The two security vulnerabilities in Xerox FreeFlow Core were discovered by Horizon3.ai, after its automated pentesting platform NodeZero originally flagged one of the flaws as an XML external entity (XXE) injection in a product that wasn’t actually present in the tested environment.

While investigating this “false positive” reported by a customer, Horizon3.ai researchers discovered the XXE injection was actually a previously unidentified flaw in Xerox FreeFlow Core.

This vulnerability, now tracked as CVE-2025-8355, has a high CVSS score of 7.5 and affects the FreeFlow Core service that handles job message format (JMF) messages containing commands related to print job management and status reporting.

The XML parsing utility of this service allowed for the injection of arbitrary XXEs pointing to internal URLs. This means an attacker could send a crafted JMF message to achieve server-side request forgery (SSRF) and potentially gain access to sensitive internal systems.

Further investigation revealed an even more severe flaw, now tracked as CVE-2025-8356, which has a critical CVSS score of 9.8. This is a path traversal vulnerability in the same JMF handling service affected by CVE-2025-8355.

In the case of CVE-2025-8356, the code that controlled the upload of files via JMF commands allowed an attacker to control the path where the files were placed. This would enable an attacker to place a webshell in a publicly accessible location on the server and then remotely send and execute commands on it.
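Both bug classes described above (the XXE-to-SSRF issue and the attacker-controlled upload path) have a standard defensive shape: the parser for job messages must refuse DTDs and entity declarations outright, and any client-supplied file name must be resolved and confined to the spool directory before anything is written. The Python below is an added illustration of those two checks, not Xerox's code; the element names (JobID, FileName), the spool path and the sample messages are constructed assumptions.

```python
import xml.parsers.expat
from pathlib import Path

# Constructed sample messages (element names are assumed, not the JMF schema).
SAMPLE_OK = b"<JMF><Command><JobID>42</JobID><FileName>jobs/42/in.pdf</FileName></Command></JMF>"
SAMPLE_DTD = b'<!DOCTYPE JMF SYSTEM "jmf.dtd"><JMF><FileName>x.pdf</FileName></JMF>'

class RejectedMessage(Exception):
    """A job message failed one of the safety checks."""

def parse_jmf(xml_bytes: bytes) -> dict:
    """Parse a JMF-style message into {element: text}, refusing any DTD."""
    fields, stack = {}, []
    p = xml.parsers.expat.ParserCreate()
    def reject(*_):  # fires on <!DOCTYPE ...> or <!ENTITY ...>
        raise RejectedMessage("DTD/entity declarations are not permitted")
    def chars(data):
        if stack and data.strip():
            fields[stack[-1]] = fields.get(stack[-1], "") + data.strip()

    p.StartDoctypeDeclHandler = reject
    p.EntityDeclHandler = reject
    p.ExternalEntityRefHandler = lambda *_: 0  # never fetch external entities
    p.StartElementHandler = lambda name, attrs: stack.append(name)
    p.EndElementHandler = lambda name: stack.pop()
    p.CharacterDataHandler = chars
    try:
        p.Parse(xml_bytes, True)
    except xml.parsers.expat.ExpatError as e:
        raise RejectedMessage(f"malformed XML: {e}") from e
    return fields

def resolve_upload_path(spool_dir: str, requested: str) -> Path:
    """Place a client-named file under spool_dir; refuse if the resolved path
    (after '..' and absolute-path handling) does not stay inside it."""
    base = Path(spool_dir).resolve()
    target = (base / requested).resolve()
    if base not in target.parents:  # must be strictly below the spool dir
        raise RejectedMessage(f"upload path escapes spool directory: {requested}")
    return target

def handle_job_message(xml_bytes: bytes, spool_dir: str) -> tuple:
    """Run both checks; return (accepted, detail) rather than raising."""
    try:
        fields = parse_jmf(xml_bytes)
        dest = resolve_upload_path(spool_dir, fields.get("FileName", ""))
    except RejectedMessage as e:
        return False, str(e)
    return True, str(dest)
```

A rejected message is a useful detection signal in its own right: logging the reason string alongside the source address gives operators a simple way to spot probing of the JMF endpoint.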