
CVE-2025-36845

Severity: High · Public PoC referenced · Updated

Published: 21 July 2025
Modified: 17 June 2026
CVSS Score v3.1: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)
EPSS Score: 0.0158 (72.4th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2025-36845 is a high-severity SSRF (CWE-918) vulnerability in Eveo Urve Web Manager. Its CVSS base score is 8.6 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 27.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-4 (Information Flow Enforcement).

Deeper analysis

CVE-2025-36845 is a server-side request forgery vulnerability in Eveo URVE Web Manager version 27.02.2025. The affected component is the /_internal/redirect.php endpoint, which accepts an arbitrary URL parameter, issues an outbound request to that address, and returns the fetched content in its response. This permits an attacker to reach network locations accessible only to the application server itself. The issue carries a CVSS 3.1 score of 8.6 and is classified under CWE-918.

Unauthenticated remote attackers can exploit the flaw over the network to force the server to retrieve internal resources, potentially disclosing sensitive data or interacting with otherwise unreachable services. No user interaction or credentials are required, and the attack can cross trust boundaries because the server acts as the requesting client.

Public advisories referencing the issue are available at https://smartoffice.expert/en and https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2025-035.txt.

The EPSS score for this CVE rose from a low baseline to a recorded peak of 0.0813 before settling at the current value of 0.0580, indicating emerging exploitation interest after disclosure.


Vulnerability details

An issue was discovered in Eveo URVE Web Manager 27.02.2025. The endpoint /_internal/redirect.php allows for Server-Side Request Forgery (SSRF). The endpoint takes a URL as input, sends a request to this address, and reflects the content in the response. This can be used to request endpoints only reachable by the application server.


MITRE ATT&CK Enterprise Techniques (AI-assigned)

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1552.005 Cloud Instance Metadata API (Credential Access): Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.
Why these techniques?

An SSRF in a public-facing web application directly enables exploitation under T1190; the description explicitly calls out access to metadata services and private APIs, which maps to T1522 and to credential access via T1552.005.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

- CVE-2025-36846 (same product: Eveo Urve Web Manager)
- CVE-2026-27732 (shared CWE-918)
- CVE-2026-27706 (shared CWE-918)
- CVE-2026-33351 (shared CWE-918)
- CVE-2026-30844 (shared CWE-918)
- CVE-2026-31017 (shared CWE-918)
- CVE-2026-28423 (shared CWE-918)
- CVE-2026-32255 (shared CWE-918)
- CVE-2026-33039 (shared CWE-918)
- CVE-2026-28680 (shared CWE-918)

Affected Assets

Vendor: eveo · Product: urve web manager · Version: 27.02.2025

Mitigating Controls (NIST 800-53 r5, AI-assigned)

- SI-10 Information Input Validation (prevent): Directly validates the user-supplied URL input to the /_internal/redirect.php endpoint, preventing SSRF by rejecting unauthorized or malformed URLs.
- AC-4 Information Flow Enforcement (prevent): Enforces information flow control policies that restrict the web application server from making requests to internal-only resources coerced via SSRF.
- Boundary protection (prevent): Implements boundary protection at internal interfaces to block or monitor unauthorized server-initiated requests to sensitive internal endpoints reached via SSRF.
