Xerox Corporation has issued urgent security updates addressing two high-impact vulnerabilities in its FreeFlow Core software. The flaws, now tracked as CVE-2025-8355 and CVE-2025-8356, have the potential to expose enterprise environments to server-side request forgery (SSRF) and remote code execution (RCE) attacks if left unpatched.
Disclosed in Security Bulletin XRX25-013, published on August 8, 2025, the vulnerabilities specifically impact FreeFlow Core version 8.0.4. Xerox has categorized both vulnerabilities as “IMPORTANT” in severity and urges users to upgrade to version 8.0.5, which contains the necessary security fixes.
Details of the Xerox Vulnerabilities: CVE-2025-8355 and CVE-2025-8356
The first issue, CVE-2025-8355, arises from an XML External Entity (XXE) processing flaw. In affected systems, improperly sanitized XML input can allow attackers to manipulate entity declarations, enabling SSRF attacks. This allows an adversary to craft XML payloads that force the server to initiate unintended requests to internal services or external targets. Such requests can be used to probe internal infrastructure, exfiltrate data, or bypass access controls.
The second vulnerability, CVE-2025-8356, is a path traversal flaw that may lead to remote code execution. By exploiting poorly validated file path inputs, an attacker could access directories outside the intended scope of the application. If leveraged correctly, this vulnerability could allow malicious actors to execute arbitrary code on the host system, resulting in a complete system compromise.
Both flaws are rated under the Common Vulnerability Scoring System (CVSS) 3.1 with a base score of 7.5, classified as “HIGH” by Xerox. The associated vector string is:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N.
However, it’s worth noting that the National Vulnerability Database (NVD) has not yet published its own CVSS assessment at the time of the bulletin’s release.
Discovery and Responsible Disclosure
These vulnerabilities in Xerox systems were discovered by Jimi Sebree, a security researcher with Horizon3.ai. Sebree collaborated directly with Xerox’s internal security team to ensure a coordinated disclosure and timely patch release.
Xerox acknowledged the researcher’s role in the bulletin, stating:
“Thank you to Jimi Sebree with Horizon3.ai for working with the Xerox Team to identify and mitigate these vulnerabilities.”
This responsible disclosure process enabled Xerox to develop and test patches before the flaws became widely known, reducing the potential for exploitation in the wild.
Risks to Organizations
The presence of both CVE-2025-8355 and CVE-2025-8356 in FreeFlow Core 8.0.4 elevates the cyber threats for organizations relying on the platform for document workflow automation. Exploiting these vulnerabilities could lead to:
- Unauthorized access to internal services via SSRF
- Exposure or theft of sensitive information
- Execution of malicious code on Xerox servers
- Full system compromise
- Broader network reconnaissance and lateral movement
Given the critical role that FreeFlow Core plays in document processing infrastructures, these issues could severely disrupt business operations and compromise sensitive data if not addressed.
Conclusion
To address the critical Xerox vulnerabilities identified as CVE-2025-8355 and CVE-2025-8356, organizations are strongly advised to upgrade to FreeFlow Core version 8.0.5 immediately, as it contains essential patches to prevent SSRF and remote code execution attacks.
The update is available through Xerox’s official support channels. In addition to applying the patch, system administrators should audit current deployments, enforce proper network segmentation, implement strict input validation for XML processing, and monitor logs for unusual activity.
