Xerox Releases Critical Security Update


Xerox Corporation Issues Critical Security Update for FreeFlow Core Software

Xerox Corporation has released security updates for its FreeFlow Core software. Tracked as CVE-2025-8355 and CVE-2025-8356, the two flaws expose the server, and through it the enterprise network, to server-side request forgery (SSRF) and remote code execution (RCE) if left unpatched.

Overview of the Vulnerabilities

In Security Bulletin XRX25-013, published on August 8, 2025, Xerox states that the vulnerabilities affect FreeFlow Core version 8.0.4. The company classifies both as "IMPORTANT" and directs users to upgrade to version 8.0.5, which contains the fixes.

Detailed Breakdown of CVE-2025-8355 and CVE-2025-8356

The first vulnerability, CVE-2025-8355, is an XML External Entity (XXE) processing flaw. When the XML parser is allowed to process attacker-supplied entity declarations, the attacker can declare an external entity whose SYSTEM identifier is a URL or file path of their choosing; when the parser resolves that entity, the server itself issues the request. That turns the server into an SSRF proxy: the attacker can probe internal hosts and ports that are not reachable from outside, pull data back out, and bypass access controls that trust the server's network position.
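The standard fix for this class of bug is to refuse DTD processing entirely before untrusted XML reaches the application's parser. The following is an added example, not code from Xerox or from the bulletin; it uses Python's stdlib expat bindings, and the payload and the `<Job>` document are constructed for illustration (FreeFlow Core's real XML schema is not described on this page).

```python
import xml.parsers.expat as expat
from xml.etree import ElementTree as ET

# Constructed payload of the kind described above: an external entity whose
# SYSTEM identifier points at an internal service. Not taken from the bulletin.
XXE_PAYLOAD = b"""<?xml version="1.0"?>
<!DOCTYPE Job [
  <!ENTITY probe SYSTEM "http://127.0.0.1:8080/internal/status">
]>
<Job><Name>&probe;</Name></Job>"""

# Constructed benign document that a workflow endpoint might legitimately accept.
BENIGN_DOC = b"""<?xml version="1.0"?><Job><Name>print-run-42</Name></Job>"""


class UnsafeXML(ValueError):
    """Raised when untrusted XML tries to use DTD features (DOCTYPE, entities)."""


def check_no_dtd(data: bytes) -> None:
    """Run a throwaway expat pass whose handlers abort on any DTD construct.

    Expat does not fetch external entities unless asked, but rejecting the
    DOCTYPE outright also stops internal-entity expansion tricks and makes the
    policy independent of whichever parser consumes the document afterwards.
    """
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML(f"DOCTYPE not allowed (root={name!r}, system id={sysid!r})")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeXML(f"entity declaration not allowed: {name!r} SYSTEM {sysid!r}")

    def on_external_ref(context, base, sysid, pubid):
        raise UnsafeXML(f"external entity reference not allowed: {sysid!r}")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    # Never load parameter entities; that is how a remote DTD would be pulled in.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.Parse(data, True)


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Parse client-supplied XML only after the DTD check has passed."""
    check_no_dtd(data)
    return ET.fromstring(data)


def is_rejected(data: bytes) -> bool:
    """True if the hardened parser refuses the document."""
    try:
        parse_untrusted_xml(data)
    except UnsafeXML:
        return True
    return False


if __name__ == "__main__":
    print("XXE payload rejected:", is_rejected(XXE_PAYLOAD))
    print("benign root element:", parse_untrusted_xml(BENIGN_DOC).tag)
```

The pre-check raises on the DOCTYPE before any entity is ever declared, so the `SYSTEM` URL is never resolved and no outbound request leaves the host. The same policy applies to any parser: in Java set the `disallow-doctype-decl` feature, in .NET set `XmlResolver` to null and `DtdProcessing` to `Prohibit`.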

The second vulnerability, CVE-2025-8356, is a path traversal flaw that can lead to remote code execution. Because file path input is not adequately validated, an attacker can supply names containing `../` sequences (or an absolute path) and reach directories outside the one the application intends to use. If that traversal lets the attacker write a file into a location the server later executes or loads, the result is arbitrary code execution on the host and potentially complete system compromise.
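To make the traversal concrete, here is the vulnerable join pattern next to a contained version. This is an added example, not Xerox's code; the base directory is a temporary folder standing in for an application upload directory (an assumption, not a FreeFlow Core path).

```python
import os
import tempfile
from pathlib import Path

# Constructed base directory standing in for the application's upload/working
# folder (assumption; not a FreeFlow Core path).
BASE_DIR = tempfile.mkdtemp(prefix="uploads-")


def unsafe_target(base_dir: str, user_name: str) -> str:
    """The vulnerable pattern: join a client-supplied name onto the base directory.

    os.path.join does not contain the result: "../" segments walk out of
    base_dir, and an absolute user_name discards base_dir entirely.
    """
    return os.path.join(base_dir, user_name)


def escapes_base(base_dir: str, user_name: str) -> bool:
    """True if the vulnerable join lands outside base_dir (the attacker's view)."""
    base = os.path.normpath(base_dir)
    target = os.path.normpath(unsafe_target(base_dir, user_name))
    return os.path.commonpath([base, target]) != base


def safe_target(base_dir: str, user_name: str) -> Path:
    """Resolve user_name under base_dir and refuse anything that escapes it."""
    base = Path(base_dir).resolve()
    if os.path.isabs(user_name):
        raise ValueError(f"absolute path rejected: {user_name!r}")
    if "\x00" in user_name:
        raise ValueError("NUL byte in file name")
    # resolve() normalises "..", "." and symlinks, so the containment check
    # runs on the real filesystem location, not on the string the client sent.
    candidate = (base / user_name).resolve()
    if candidate != base and base not in candidate.parents:
        raise ValueError(f"path escapes base directory: {user_name!r}")
    return candidate


def is_rejected_path(base_dir: str, user_name: str) -> bool:
    """True if the hardened resolver refuses the name."""
    try:
        safe_target(base_dir, user_name)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for name in ("jobs/out.pdf", "../../etc/passwd", "/etc/passwd"):
        print(f"{name!r:22} unsafe join escapes: {escapes_base(BASE_DIR, name)!s:5} "
              f"hardened rejects: {is_rejected_path(BASE_DIR, name)}")
```

Note that the check runs on the decoded, resolved path. If a framework hands the application a still-URL-encoded name, decode it first; otherwise `%2e%2e%2f` passes a string check and escapes once the filesystem layer interprets it.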

Xerox scores both vulnerabilities at 7.5 (High) under the Common Vulnerability Scoring System (CVSS) 3.1, with the vector string:

  • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

This vector describes a network-reachable, unauthenticated flaw whose impact is limited to confidentiality (I:N/A:N). That fits an SSRF or file-read outcome; it does not capture the code-execution outcome described above for CVE-2025-8356, so treat the path traversal as more severe than the number alone suggests and consult the bulletin for the per-CVE scoring.

As of the bulletin’s release, the National Vulnerability Database (NVD) has yet to provide its own assessment of these vulnerabilities under the CVSS framework.

Responsible Disclosure and Discovery

These vulnerabilities were discovered by Jimi Sebree, a security researcher at Horizon3.ai, who collaborated closely with Xerox’s internal security team. Their joint efforts enabled a coordinated response, ensuring timely patch development and release. Xerox expressed gratitude for Sebree’s contribution, acknowledging the importance of responsible disclosure in mitigating potential risks.

Implications for Organizations

The presence of CVE-2025-8355 and CVE-2025-8356 in FreeFlow Core 8.0.4 poses significant risk to organizations that rely on the platform for document workflow automation. Successful exploitation can lead to:

  • Unauthorized access to internal services via SSRF.
  • Exposure or theft of sensitive data.
  • Execution of attacker-controlled code on the server hosting FreeFlow Core.
  • Full system compromise.
  • Further network reconnaissance and lateral movement from the compromised host.

Given FreeFlow Core’s integral role in document processing infrastructures, unaddressed vulnerabilities may disrupt business operations and lead to compromised sensitive data.

Urgent Need for Action

To remediate CVE-2025-8355 and CVE-2025-8356, organizations should update to FreeFlow Core version 8.0.5 without delay; the release contains the fixes for both the SSRF and the path traversal/RCE issue and is available through Xerox's official support channels.

Beyond applying the patch, administrators should inventory existing installations to confirm no 8.0.4 instances remain, limit what the FreeFlow Core host can reach through network segmentation (the SSRF gives an attacker that host's network vantage point), disable DTD and external-entity resolution in any XML parser that accepts untrusted input, and review server and web logs for path traversal patterns and unexpected outbound connections.
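For the log review, the useful signal for the path traversal is a request path that still contains `..` after percent-decoding, including double-encoded and backslash variants. The following is an added detection example, not anything from Xerox; the log lines are constructed in the common combined access-log format, since the bulletin does not describe FreeFlow Core's own log layout.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines (combined log format) for illustration; these are
# not FreeFlow Core's own logs. Lines 2, 3 and 5 carry traversal attempts.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Aug/2025:10:01:02 +0000] "POST /api/jobs HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Aug/2025:10:01:07 +0000] "GET /files/..%2f..%2f..%2fwindows%2fwin.ini HTTP/1.1" 200 0 "-" "curl/8.0"
10.0.0.9 - - [12/Aug/2025:10:01:09 +0000] "PUT /upload/%252e%252e/%252e%252e/webroot/payload.bin HTTP/1.1" 201 0 "-" "curl/8.0"
10.0.0.5 - - [12/Aug/2025:10:02:00 +0000] "GET /jobs/1234/status HTTP/1.1" 200 90 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Aug/2025:10:02:11 +0000] "GET /files/reports/..\\..\\config.xml HTTP/1.1" 404 0 "-" "curl/8.0"
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# A ".." segment delimited by slashes (or at either end of the path).
TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|$)")


def fully_decode(s: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded %252e%252e is seen as '..'."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def has_traversal(path: str) -> bool:
    """True if the decoded path contains a parent-directory segment."""
    normalised = fully_decode(path).replace("\\", "/")
    return bool(TRAVERSAL_RE.search(normalised))


def flag_traversal(log_text: str) -> list:
    """Return one record per request whose path looks like a traversal attempt.

    A 2xx status on a flagged line is the one to escalate: it means the server
    served or accepted the request rather than rejecting it.
    """
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m or not has_traversal(m["path"]):
            continue
        hits.append({
            "ip": m["ip"],
            "ts": m["ts"],
            "method": m["method"],
            "path": m["path"],
            "decoded": fully_decode(m["path"]),
            "status": m["status"],
        })
    return hits


if __name__ == "__main__":
    for hit in flag_traversal(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['method']} {hit['decoded']} -> {hit['status']}")
```

Run this over the web server's access log; a PUT or POST with a flagged path that returned 2xx, followed by an unexpected outbound connection from the host, is the sequence that matches the RCE outcome described above.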
