CVE-2025-36845
Published: 21 July 2025
Summary
CVE-2025-36845 is a high-severity SSRF (CWE-918) vulnerability in Eveo Urve Web Manager. Its CVSS base score is 8.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 10.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-4 (Information Flow Enforcement).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly validates the user-supplied URL input to the /_internal/redirect.php endpoint, preventing SSRF by rejecting unauthorized or malformed URLs.
Enforces information flow control policies to restrict the web application server from making requests to internal-only resources coerced by SSRF.
Implements boundary protection at internal interfaces to block or monitor unauthorized server-initiated requests to sensitive internal endpoints via SSRF.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SSRF in public-facing web app directly enables T1190 exploitation; description explicitly calls out access to metadata services/private APIs, mapping to T1522 and credential access via T1552.005.
NVD Description
An issue was discovered in Eveo URVE Web Manager 27.02.2025. The endpoint /_internal/redirect.php allows for Server-Side Request Forgery (SSRF). The endpoint takes a URL as input, sends a request to this address, and reflects the content in the response. This…
more
can be used to request endpoints only reachable by the application server.
Deeper analysisAI
CVE-2025-36845 is a Server-Side Request Forgery (SSRF) vulnerability, classified under CWE-918, discovered in Eveo URVE Web Manager version 27.02.2025. The issue affects the endpoint /_internal/redirect.php, which accepts a URL as input, initiates a request to that address from the server, and reflects the response content back to the user. This flaw enables attackers to coerce the server into accessing resources that are only reachable from the application's internal network.
The vulnerability carries a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N), indicating it is exploitable over the network with low complexity, no authentication or user interaction required, and a changed scope leading to high confidentiality impact. Remote unauthenticated attackers can submit a crafted URL to the endpoint, tricking the server into fetching and disclosing sensitive internal endpoints or services inaccessible from the public internet, such as metadata services or private APIs.
Mitigation details are available in advisories published by SYSS (SYSS-2025-035 at https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2025-035.txt) and at https://smartoffice.expert/en. Security practitioners should consult these sources for patching instructions or workarounds specific to Eveo URVE Web Manager.
Details
- CWE(s)