What vulnerabilities were discovered in Xerox FreeFlow Core?

Two vulnerabilities were discovered in Xerox FreeFlow Core: CVE-2025-8356, a Path Traversal vulnerability leading to Remote Code Execution with a CVSS score of 9.8, and CVE-2025-8355, an XML External Entity (XXE) processing flaw leading to Server-Side Request Forgery with a CVSS score of 7.5.

What is CVE-2025-8356 and how does it work?

CVE-2025-8356 is a Path Traversal vulnerability with a CVSS score of 9.8 that leads to Remote Code Execution. It enables attackers to access files and directories outside the intended application scope by manipulating file paths using special character sequences like '../'. This allows attackers to traverse the filesystem, access sensitive system files and configuration data, and potentially upload malicious files to arbitrary locations on the server.

What is CVE-2025-8355 and what can attackers do with it?

CVE-2025-8355 is an XML External Entity (XXE) processing flaw with a CVSS score of 7.5 that leads to Server-Side Request Forgery (SSRF). The vulnerability occurs when the application processes XML input containing references to external entities without proper validation. Attackers can exploit this by crafting malicious XML documents that force the server to make unintended requests to internal or external resources, which can be used for reconnaissance and initial access.

Which version of FreeFlow Core is affected by these vulnerabilities?

FreeFlow Core version 8.0.4 is affected by both CVE-2025-8356 and CVE-2025-8355 vulnerabilities.

How can organizations fix these Xerox FreeFlow Core vulnerabilities?

Organizations should upgrade to FreeFlow Core version 8.0.5, which Xerox has released to patch both vulnerabilities. This is the primary recommended solution to address CVE-2025-8356 and CVE-2025-8355.

What are the CVSS severity scores for these FreeFlow Core vulnerabilities?

CVE-2025-8356 (Path Traversal leading to RCE) has a CVSS score of 9.8, indicating critical severity. CVE-2025-8355 (XXE leading to SSRF) has a CVSS score of 7.5, indicating high severity.

Advisory

Security Vulnerabilities in Xerox FreeFlow Core enable Server-Side Request Forgery and remote code execution

Q: What should organizations do if they cannot immediately update FreeFlow Core?

Organizations unable to update should implement two key mitigation strategies: restrict network access to FreeFlow Core instances to authorized users only, and filter out dangerous requests using web application firewall systems.

Q: What type of attacks can be performed using these vulnerabilities together?

The XXE vulnerability (CVE-2025-8355) can be used for reconnaissance and initial access, while the path traversal flaw (CVE-2025-8356) provides the ability for code execution and system compromise. Together, they enable attackers to perform server-side request forgery attacks and execute remote code on affected systems.

published: Aug. 11, 2025

Take action: If you're running Xerox FreeFlow Core version 8.0.4, make sure it's isolated and accessible only from trusted network. Then plan an update to version 8.0.5, or filter all requests using web application firewall.

Learn More

Xerox Corporation has released a security update to patch two vulnerabilities in its FreeFlow Core document processing software that could enable attackers to perform server-side request forgery attacks and execute remote code on affected systems.

Xerox FreeFlow Core is an enterprise document processing and workflow management software that automates print production, document routing, and digital publishing tasks in corporate environments.

Vulnerabilities summary

CVE-2025-8356 (CVSS score 9.8): Path Traversal vulnerability leading to Remote Code Execution (RCE) The vulnerability enables attackers to access files and directories outside the intended application scope by manipulating file paths using special character sequences like "../". It vulnerability allows attackers to traverse the filesystem and access sensitive system files, configuration data, and potentially upload malicious files to arbitrary locations on the server.
CVE-2025-8355 (CVSS score 7.5): XML External Entity (XXE) processing flaw leading to Server-Side Request Forgery (SSRF). The vulnerability occurs when the application processes XML input containing references to external entities without proper validation or sanitization controls. Attackers can exploit this weakness by crafting malicious XML documents that manipulate entity declarations, forcing the server to make unintended requests to internal or external resources on behalf of the attacker.

The flaw affects FreeFlow Core version 8.0.4. The XXE vulnerability can be used for reconnaissance and initial access, while the path traversal flaw provides the ability for code execution and system compromise.

Xerox has released FreeFlow Core version 8.0.5 to patch both vulnerabilities. Organizations are advised to upgrade their FreeFlow Core.

Organizations unable to update should restrict network access to FreeFlow Core instances to authorized users only and filter out dangerous requests using web application firewall systems.

Security Vulnerabilities in Xerox FreeFlow Core enable Server-Side Request Forgery and remote code execution

Read More
Privilege escalation flaw reported in JumpCloud Remote Assist …
Apache Struts 2 fixes critical vulnerablity, upgrade ASAP
Hackers are exploiting the public PoC to hack …
Multiple security flaws reported in Versa Concerto platform, …
Openfire servers still vulnerable to system takover attacks