CVE-2025-36845
Published: 21 July 2025
Summary
CVE-2025-36845 is a high-severity SSRF (CWE-918) vulnerability in Eveo Urve Web Manager. Its CVSS base score is 8.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 27.6% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-4 (Information Flow Enforcement).
Deeper analysis
CVE-2025-36845 is a server-side request forgery vulnerability in Eveo URVE Web Manager version 27.02.2025. The affected component is the /_internal/redirect.php endpoint, which accepts an arbitrary URL parameter, issues an outbound request to that address, and returns the fetched content in its response. This permits an attacker to reach network locations accessible only to the application server itself. The issue carries a CVSS 3.1 score of 8.6 and is classified under CWE-918.
Unauthenticated remote attackers can exploit the flaw over the network to force the server to retrieve internal resources, potentially disclosing sensitive data or interacting with otherwise unreachable services. No user interaction or credentials are required, and the attack can cross trust boundaries because the server acts as the requesting client.
Public advisories referencing the issue are available at https://smartoffice.expert/en and https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2025-035.txt.
The EPSS score for this CVE rose from a low baseline to a recorded peak of 0.0813 before settling at the current value of 0.0580, indicating emerging exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-22139
Vulnerability details
An issue was discovered in Eveo URVE Web Manager 27.02.2025. The endpoint /_internal/redirect.php allows for Server-Side Request Forgery (SSRF). The endpoint takes a URL as input, sends a request to this address, and reflects the content in the response. This can be used to request endpoints only reachable by the application server.
- CWE(s): CWE-918 (Server-Side Request Forgery (SSRF))
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SSRF in a public-facing web app directly enables T1190 exploitation; the description explicitly calls out access to metadata services/private APIs, mapping to T1522 and credential access via T1552.005.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
SI-10 (Information Input Validation): directly validates the user-supplied URL passed to the /_internal/redirect.php endpoint, preventing SSRF by rejecting unauthorized or malformed URLs.
AC-4 (Information Flow Enforcement): enforces information flow control policies that stop the web application server from making requests to internal-only resources when coerced via SSRF.
SC-7 (Boundary Protection): implements boundary protection at internal interfaces to block or monitor unauthorized server-initiated requests to sensitive internal endpoints.
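As an added illustration of the SI-10 control above (example code written for this page, not the vendor's or the advisory's), the following validator shows what input validation for a fetch-and-reflect endpoint such as /_internal/redirect.php has to check: scheme, embedded credentials, a host allowlist, and the addresses the host actually resolves to. The allowlisted host name and the resolver hook are assumptions for the example.

```python
"""Added example (not the vendor's code): URL validation for a server-side
fetch endpoint like /_internal/redirect.php, implementing the SI-10 control.
The allowlist entry and the injectable resolver are assumptions."""
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumption: the only upstream the endpoint legitimately fetches content from.
ALLOWED_HOSTS = {"content.example.com"}


def _resolve(host):
    """Default resolver; swapped for a stub in tests so the check runs offline."""
    return [ai[4][0] for ai in socket.getaddrinfo(host, None)]


def validate_fetch_target(url, allowed_hosts=ALLOWED_HOSTS, resolve=_resolve):
    """Return (ok, reason) for a URL the server is asked to fetch.

    Rejects anything that would let a caller steer the server at itself or
    its own network: non-HTTP schemes, credentials in the URL, hosts outside
    the allowlist, and names that resolve to non-public addresses (loopback,
    RFC 1918, link-local, reserved). The caller must still fetch with HTTP
    redirects disabled, or re-run this check on every redirect hop, since an
    allowlisted host could otherwise redirect into the internal network.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not http(s)"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL"
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return False, "no host"
    if host not in allowed_hosts:
        return False, "host not allowlisted"
    try:
        addrs = resolve(host)
    except OSError:
        return False, "resolution failed"
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        if not ip.is_global:  # covers loopback, private, link-local, reserved
            return False, f"{host} resolves to non-public {ip}"
    return True, "ok"
```

Resolving and checking every returned address, rather than only the textual host, is what catches an allowlisted name that has been pointed at an internal address.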