Cyber Resilience

CVE-2025-36846

Critical · Public PoC · RCE

Published: 21 July 2025
Modified: 12 September 2025
KEV Added: none (not listed in CISA KEV)
Patch: none recorded
CVSS v3.1 score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.5843 (98.2nd percentile)
Risk priority: 55 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-36846 is a critical-severity OS Command Injection (CWE-78) vulnerability in Eveo Urve Web Manager. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 1.8% of CVEs by exploit likelihood (EPSS), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

Eveo URVE Web Manager version 27.02.2025 contains an OS command injection vulnerability in the /_internal/pc/vpro.php endpoint. The endpoint is reachable by unauthenticated users and passes an input parameter directly to PHP's shell_exec function, enabling arbitrary command execution on the underlying system. The flaw is tracked as CWE-78 and carries a CVSS 3.1 score of 9.8.

An attacker with network access can supply crafted input to the endpoint and execute operating-system commands without authentication. The issue can be chained with CVE-2025-36845 to expand the attack surface, potentially resulting in full compromise of confidentiality, integrity, and availability on the affected host.

Public advisories from SySS and the vendor note the exposure of the internal endpoint and recommend applying available updates or restricting access to the affected PHP script. The current EPSS score of 0.5843, with a recorded peak of 0.6011, indicates sustained exploitation interest following disclosure.

EU & UK References

Vulnerability details

An issue was discovered in Eveo URVE Web Manager 27.02.2025. The application exposes a /_internal/pc/vpro.php localhost endpoint to unauthenticated users that is vulnerable to OS Command Injection. The endpoint takes an input parameter that is passed directly into the shell_exec() function of PHP. NOTE: this can be chained with CVE-2025-36845.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Direct, unauthenticated OS command injection in a web endpoint enables remote exploitation of a public-facing application (T1190) and arbitrary Unix shell command execution on the host (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

- CVE-2025-36845: same product (Eveo URVE Web Manager)
- CVE-2026-42454: shared CWE-78
- CVE-2026-34796: shared CWE-78
- CVE-2024-57016: shared CWE-78
- CVE-2025-50475: shared CWE-78
- CVE-2024-57015: shared CWE-78
- CVE-2026-36828: shared CWE-78
- CVE-2024-57595: shared CWE-78
- CVE-2026-25196: shared CWE-78
- CVE-2024-50566: shared CWE-78

Affected Assets

Vendor: Eveo
Product: URVE Web Manager
Version: 27.02.2025

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

- Prevent, SI-10 (Information Input Validation): directly mitigates the OS command injection by requiring validation and sanitization of the input parameter before it reaches PHP's shell_exec() function.
- Prevent, SI-2 (Flaw Remediation): requires identification, reporting, and correction of the specific command injection flaw in the /_internal/pc/vpro.php endpoint, for example through vendor patches.
- Prevent, AC-3 (Access Enforcement): enforces logical access controls so that the exposed internal endpoint cannot be reached by unauthenticated remote clients.
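As an added illustration of the flaw described in the analysis above and of the two controls the summary singles out, the following is the pattern the advisory describes (request input concatenated straight into shell_exec()) beside a handler that enforces loopback-only access (AC-3) and an allowlist on the parameter (SI-10). This is not Eveo's code and not taken from the advisory; the parameter name `action`, the helper path `/usr/local/bin/vpro-tool` and the allowlist values are assumptions.

```php
<?php
declare(strict_types=1);

// Added illustration for CVE-2025-36846 (CWE-78). Not Eveo's code: the request
// parameter name "action", the helper binary "/usr/local/bin/vpro-tool" and the
// allowlist values are hypothetical.

// ---- The pattern the advisory describes: request input concatenated straight
// into shell_exec(), with no authentication and no validation. ----
function vulnerable_handler(array $query): ?string
{
    $arg = (string) ($query['action'] ?? '');
    // CWE-78: $arg is interpreted by /bin/sh, so shell metacharacters in it
    // change which commands actually run.
    return shell_exec('/usr/local/bin/vpro-tool ' . $arg);
}

// ---- Hardened handler ----

// AC-3 (Access Enforcement): the advisory calls this a "localhost endpoint", so
// enforce that in the script itself instead of trusting web-server or proxy
// configuration alone.
function is_loopback_client(string $remoteAddr): bool
{
    return in_array($remoteAddr, ['127.0.0.1', '::1'], true);
}

// SI-10 (Information Input Validation): accept only a fixed set of values. A
// denylist of shell metacharacters is not a substitute for an allowlist.
const ALLOWED_ACTIONS = ['status', 'version', 'restart'];

function validate_action(string $raw): ?string
{
    return in_array($raw, ALLOWED_ACTIONS, true) ? $raw : null;
}

// Run the helper without a shell: on PHP >= 7.4 proc_open() accepts an argv
// array, so there is no command string for metacharacters to act on.
function run_tool(string $action): string
{
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open(['/usr/local/bin/vpro-tool', $action], $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('failed to start helper');
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    return $out === false ? '' : $out;
}

// Returns an HTTP-style [status, body] pair so each check is easy to exercise.
function hardened_handler(array $query, string $remoteAddr): array
{
    if (!is_loopback_client($remoteAddr)) {
        return [403, 'forbidden'];
    }
    $action = validate_action((string) ($query['action'] ?? ''));
    if ($action === null) {
        return [400, 'invalid action'];
    }
    return [200, run_tool($action)];
}

// Usage with constructed inputs; neither call reaches the helper binary.
var_dump(hardened_handler(['action' => 'status'], '203.0.113.7'));  // [403, 'forbidden']
var_dump(hardened_handler(['action' => 'reboot'], '127.0.0.1'));    // [400, 'invalid action']
```

The order of the checks matters: the access-control check runs first so that unauthenticated remote clients never reach the input handling at all, and the allowlist rejects plausible-looking but unapproved values rather than trying to strip dangerous characters. Where shell_exec() must be kept for compatibility, the validated value should additionally be wrapped in escapeshellarg() so it is passed to the shell as a single quoted token.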

References