September 17, 2025
Revised on April 8, 2026
Dear customers,
We would like to thank you for your continued support towards FUJIFILM Business Innovation products.
Vulnerabilities (CVE-2025-8355~8356)*1 have been found in Xerox FreeFlow Core, which is included in the Xerox FreeFlow Digital Workflow Collection.
- *1 Vulnerability information published by the National Institute of Standards and Technology (NIST)
We apologize for any inconvenience this may cause, but please check whether your Xerox FreeFlow Core is one of the affected versions and, if so, take the following actions.
At the time of posting this notice, we have not confirmed any attacks that exploit this vulnerability.
The following vulnerabilities, which lead to remote code execution, have been found in our product Xerox FreeFlow Core.
- CVE-2025-8355 (High): XXE leading to SSRF (CWE-611)
- CVE-2025-8356 (Critical): Path Traversal leading to RCE (CWE-22, CWE-94)
Xerox FreeFlow Core 7.0.0~7.0.11
- How to check the version
  - After logging in, click the “?” mark in the upper right corner of the screen and select the “FreeFlow Core Information” menu.
  - Check the version on the screen that appears.
The vulnerabilities disclosed this time are potentially present in Xerox FreeFlow Core, which we provide and support as a product. However, the affected functionality is not offered as a product feature, and we do not disclose information about it.
Therefore, the vulnerabilities can be avoided as long as you operate the product within the scope of the functions we provide, in an environment protected by a properly configured firewall, and follow the "workarounds" below.
As a permanent measure, we have prepared a patch module that addresses this vulnerability.
Supported Product: Xerox FreeFlow Core 8.1.0
The patch module can be downloaded from the URL below.
Installation Requirements: A valid license for Xerox FreeFlow Core 8.1.0 is required for installation. Please contact our sales representative for license inquiries.
Important Notice: If you install the patch without obtaining the necessary license, Xerox FreeFlow Core 8.1.0 will not function properly.
Even if you do not install Xerox FreeFlow Core 8.1.0, the patched version described above, there is no risk of this vulnerability if your environment has a properly configured firewall protecting the relevant port from unauthorized external access. Furthermore, by implementing the measures below, the risk of the vulnerability can be reduced regardless of the network environment in which Xerox FreeFlow Core is used.
- Do not allow connections to a specific port (4004)*2.
- *2 The following describes how to check the status of the specific port (4004) and how to stop connections if they are allowed.
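An added example, not FUJIFILM Business Innovation's or Xerox's own procedure: a Python check that flags hosts whose version falls in the 7.0.0~7.0.11 range stated above and tests, from the machine it runs on, whether port 4004 accepts connections. TCP is an assumption (the notice does not name the protocol), and the inventory addresses are constructed placeholders.

```python
import socket

AFFECTED_MIN, AFFECTED_MAX = (7, 0, 0), (7, 0, 11)  # range stated in this notice
RISK_PORT = 4004  # port named in the workaround; TCP is an assumption


def parse_version(text):
    """'7.0.11' -> (7, 0, 11); short versions are zero-padded."""
    parts = [int(p) for p in text.strip().split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def is_affected(version):
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def port_reachable(host, port=RISK_PORT, timeout=3.0):
    """True when a TCP connect to host:port succeeds from this machine."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit(inventory, probe=port_reachable):
    """inventory: iterable of (host, version) pairs you administer."""
    findings = []
    for host, version in inventory:
        affected, exposed = is_affected(version), probe(host)
        if affected and exposed:
            action = "affected and reachable: block port 4004, plan the patched version"
        elif affected:
            action = "affected, port not reachable from here: plan the patched version"
        else:
            action = "outside the affected range listed in the notice"
        findings.append({"host": host, "version": version, "affected": affected,
                         "port_4004_reachable": exposed, "action": action})
    return findings


if __name__ == "__main__":
    # Constructed inventory using documentation addresses (RFC 5737).
    for row in audit([("192.0.2.10", "7.0.4"), ("192.0.2.11", "8.1.0")]):
        print(row)
```

Run it from each network segment that should not be able to reach the server; a port that is filtered from one vantage point can still be open from another.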
- Customers who have a software support contract
  Please contact the Fujifilm Business Innovation subsidiary/distributor where you purchased your software.
- Customers who do not have a software support contract
  Please contact the distributor where you purchased your software.


