Critical vulnerabilities in Xerox FreeFlow Core enable unauthenticated remote attackers to achieve remote code execution on vulnerable systems.
The vulnerabilities, discovered during investigation of an apparent false positive detection, affect the widely deployed print orchestration platform used by commercial print shops, universities, and government agencies worldwide.
The investigation uncovered two significant security vulnerabilities in Xerox FreeFlow Core: an XML External Entity (XXE) injection vulnerability tracked as CVE-2025-8355 and a path traversal vulnerability designated CVE-2025-8356.
Both vulnerabilities are easily exploitable and pose severe risks to organizations running vulnerable instances of the print workflow management system.
FreeFlow Core serves as a comprehensive print orchestration platform designed for prepress automation workflows in large-scale printing operations.
The system’s architecture includes multiple interconnected services that require relatively open access and availability, making it an attractive target for attackers seeking to compromise environments containing sensitive pre-publication marketing materials and confidential documents.
The discovery originated from what appeared to be a false positive detection by NodeZero, Horizon3.ai’s autonomous penetration testing platform.
Despite the target product not being installed on the affected host, the system continued receiving callbacks indicating successful XXE exploitation, prompting deeper investigation that ultimately revealed the underlying vulnerabilities.
CVE-2025-8355 affects the JMF Client service listening on port 4004, which handles Job Message Format messages for managing print jobs and status reporting.
The vulnerability stems from improper sanitization in XML parsing utilities within the jmfclient.jar binary, allowing attackers to perform server-side request forgery (SSRF) attacks through malicious XML external entity references.
The more severe CVE-2025-8356 represents a path traversal vulnerability in the file processing mechanism of JMF commands.
Security researchers discovered that the processIncomingRQEMessage() function fails to properly validate file paths during upload operations, enabling attackers to traverse directory structures and place malicious files in publicly accessible locations.
Exploitation of CVE-2025-8356 allows attackers to upload webshells and achieve remote code execution through the primary web portals that provide file serving functionality.
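The two bug classes described above (an XML parser that resolves external entities, and an upload routine that trusts the file name in a JMF command) are both closed by well-known hardening. The following is an added illustration, not code from Xerox or from the Horizon3.ai write-up: it configures Java's standard JAXP `DocumentBuilderFactory` to reject DOCTYPE declarations and external entities entirely, and confines a client-supplied file name to an upload directory by normalising the path before checking its prefix. The `JMF` message shape, the `uploads` directory, and the `example.invalid` hostname are constructed sample values; the class and method names are the example's own.

```java
// Added example (not Xerox's code): a hardened XML parser and an upload-path
// check of the kind that closes the XXE and path traversal bug classes above.
import java.io.IOException;
import java.io.StringReader;
import java.nio.file.Path;
import java.nio.file.Paths;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public final class JmfHardeningExample {

    // Builds a DocumentBuilder that refuses DOCTYPE declarations and never
    // resolves external entities or DTDs. Rejecting the DOCTYPE outright means
    // an <!ENTITY ... SYSTEM "..."> declaration can never reach the entity
    // resolver, which is the SSRF primitive behind an XXE bug.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        // JAXP 1.5 properties (JDK built-in parser): no external DTD/schema access.
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return f.newDocumentBuilder();
    }

    // Parses an incoming message; returns null (after logging) when the parser
    // rejects it, so a hostile DOCTYPE becomes a logged event, not a request.
    static Document parseJmf(String xml) throws ParserConfigurationException, IOException {
        try {
            return hardenedBuilder().parse(new InputSource(new StringReader(xml)));
        } catch (SAXException e) {
            System.err.println("rejected XML: " + e.getMessage());
            return null;
        }
    }

    // Resolves a client-supplied file name strictly inside uploadRoot.
    // normalize() collapses ".." segments first; the startsWith check then
    // rejects anything that escaped the root, including an absolute path
    // that replaced it entirely. The root itself is also rejected.
    static Path resolveUploadPath(Path uploadRoot, String requestedName) {
        Path root = uploadRoot.toAbsolutePath().normalize();
        Path candidate = root.resolve(requestedName).normalize();
        if (candidate.equals(root) || !candidate.startsWith(root)) {
            throw new IllegalArgumentException("path escapes upload directory: " + requestedName);
        }
        return candidate;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a JMF-shaped message carrying an external entity
        // declaration. The hostname is a placeholder, not a real system.
        String hostile = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE JMF [<!ENTITY ext SYSTEM \"http://example.invalid/\">]>\n"
            + "<JMF SenderID=\"&ext;\"/>";
        // Constructed benign message with no DOCTYPE at all.
        String benign = "<?xml version=\"1.0\"?>"
            + "<JMF SenderID=\"press-1\"><Query Type=\"Status\"/></JMF>";

        System.out.println("hostile accepted: " + (parseJmf(hostile) != null));
        System.out.println("benign accepted:  " + (parseJmf(benign) != null));

        Path root = Paths.get("uploads");
        System.out.println("stored at: " + resolveUploadPath(root, "job123/cover.pdf"));
        for (String bad : new String[] {"../webroot/page.jsp", "../../etc/passwd", ""}) {
            try {
                resolveUploadPath(root, bad);
                System.out.println("unexpectedly accepted: " + bad);
            } catch (IllegalArgumentException e) {
                System.out.println("blocked: " + e.getMessage());
            }
        }
    }
}
```

Running the class shows the DOCTYPE-bearing message being rejected while the plain status query parses, and the three traversal-style names being refused while the name under `job123/` resolves beneath the upload root. On a Windows host, where FreeFlow Core runs, `java.nio.file.Path` applies the same normalisation to backslash-separated names, so the check does not depend on the separator the client chose.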
The company delivered preview patches by July 30, 2025, which researchers confirmed successfully addressed the original proof-of-concept exploits. Official patches and security advisories were released on August 8, 2025.
The combination of both vulnerabilities creates a potent attack vector for compromising FreeFlow Core installations without requiring authentication.
Horizon3.ai disclosed both vulnerabilities to Xerox through responsible disclosure procedures beginning in June 2025.
The disclosure timeline shows collaborative efforts between the security researchers and Xerox, with initial contact established on June 12, 2025, and vulnerability details provided by June 24, 2025.
Xerox responded promptly to the disclosures, providing regular status updates throughout the remediation process.
The vulnerabilities have been resolved in Xerox FreeFlow Core version 8.0.5, and the company strongly encourages all users to upgrade immediately.
Coverage for detecting these vulnerabilities is already available in NodeZero’s autonomous penetration testing platform, providing organizations with tools to identify and remediate similar critical security vulnerabilities in their environments.