CVE-2025-1833
Published: 02 March 2025
Summary
CVE-2025-1833 is a medium-severity SSRF (CWE-918) vulnerability in Zframeworks Zz. Its CVSS base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Remote System Discovery (T1018); ranked at the 22.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates SSRF by validating the manipulated 'url' argument in the sendNotice function to ensure only safe inputs are accepted.
Restricts the 'url' parameter to authorized formats, domains, or schemes, preventing forgery to unintended destinations.
Enforces approved information flows from the HTTP Request Handler, blocking unauthorized server-side requests triggered by the vulnerable function.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SSRF in public-facing HTTP endpoint (T1190) enables attackers to forge requests for internal remote system discovery (T1018) and network service discovery (T1046).
NVD Description
A vulnerability, which was classified as critical, has been found in zj1983 zz up to 2024-8. Affected by this issue is the function sendNotice of the file src/main/java/com/futvan/z/erp/customer_notice/Customer_noticeAction.java of the component HTTP Request Handler. The manipulation of the argument url…
more
leads to server-side request forgery. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Deeper analysisAI
CVE-2025-1833 is a server-side request forgery (SSRF) vulnerability classified as critical in the zj1983 zz software up to version 2024-8. It affects the sendNotice function within the file src/main/java/com/futvan/z/erp/customer_notice/Customer_noticeAction.java, part of the HTTP Request Handler component. The issue, tied to CWE-918, arises from manipulation of the url argument and carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L). The vulnerability was published on 2025-03-02.
Attackers with low privileges (PR:L) can exploit this remotely over the network with low complexity and no user interaction required. By supplying a malicious url argument to the sendNotice function, they can force the server to make unintended requests, potentially leading to limited impacts on confidentiality, integrity, and availability as per the CVSS vector.
Advisories from VulDB and GitHub repositories detail the issue, including a public proof-of-concept exploit. The vendor was contacted early but provided no response, and no patches or official mitigations are mentioned in the available references.
The exploit has been publicly disclosed and may be actively used, increasing the risk for exposed instances of affected zj1983 zz deployments.
Details
- CWE(s)