CVE-2025-36846
Published: 21 July 2025
Summary
CVE-2025-36846 is an OS Command Injection (CWE-78) vulnerability in Eveo URVE Web Manager, rated Critical with a CVSS 3.1 base score of 9.8.
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 1.8% of all CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
Eveo URVE Web Manager version 27.02.2025 contains an OS command injection vulnerability in the /_internal/pc/vpro.php endpoint. The script is intended as a localhost endpoint but is reachable by unauthenticated users, and it passes a request parameter directly into PHP's shell_exec() function, so whatever the caller supplies is interpreted by the system shell. The flaw is tracked as CWE-78 and carries a CVSS 3.1 base score of 9.8.
An attacker who can reach the endpoint over the network can place shell metacharacters in that parameter and execute operating-system commands without authentication, with the privileges of the web server's PHP process. The CVE description notes that the issue can be chained with CVE-2025-36845; the outcome is potentially full compromise of confidentiality, integrity, and availability on the affected host.
Public advisories from SySS and the vendor note the exposure of the internal endpoint and recommend applying available updates or restricting access to the affected PHP script. Until a fix is in place, confirm at the web-server layer whether /_internal/pc/vpro.php answers requests from non-loopback addresses, and deny it there if it does. The current EPSS score of 0.5843 (recorded peak 0.6011) estimates roughly a 58% probability of exploitation activity within the next 30 days, indicating sustained attacker interest since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-22140
Vulnerability details
An issue was discovered in Eveo URVE Web Manager 27.02.2025. The application exposes a /_internal/pc/vpro.php localhost endpoint to unauthenticated users that is vulnerable to OS Command Injection. The endpoint takes an input parameter that is passed directly into the shell_exec() function of PHP. NOTE: this can be chained with CVE-2025-36845.
- CWE: CWE-78 (OS Command Injection)
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
- T1059.004 Command and Scripting Interpreter: Unix Shell
Why these techniques?
Direct, unauthenticated OS command injection in a web endpoint lets a remote attacker exploit a public-facing application (T1190) and, through shell_exec(), execute arbitrary Unix shell commands on the host (T1059.004).
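As an added example (not from the advisory, the vendor, or the CVE record), the following Python triage script turns the two facts above into a check over a web-server access log: the endpoint is meant for localhost, so any non-loopback caller is worth a look, and a T1059.004 chain through shell_exec() needs shell metacharacters in the injected value. The log lines are constructed for this example, the parameter name param is an assumption (the advisory does not name the vulnerable parameter), and the client addresses are RFC 5737 documentation addresses.

```python
import re
from typing import Dict, List
from urllib.parse import parse_qsl, unquote, urlsplit

# Endpoint named in the advisory. The page describes it as a localhost endpoint
# that is nonetheless reachable by unauthenticated users, so a non-loopback
# caller is itself a signal.
TARGET_PATH = "/_internal/pc/vpro.php"
LOOPBACK = {"127.0.0.1", "::1"}

# Common/combined access-log format: client IP, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Shell metacharacters that turn one shell_exec() argument into extra commands.
# Checked per decoded query value rather than on the raw query string, because
# '&' is the legitimate parameter separator there and would false-positive.
SHELL_META = re.compile(r"[;|&`\n]|\$\(")

# Constructed sample traffic (not real logs). "param" is an assumed parameter
# name; the advisory does not name the vulnerable one.
SAMPLE_LOG = """\
127.0.0.1 - - [21/Jul/2025:10:00:01 +0000] "GET /_internal/pc/vpro.php?param=abc HTTP/1.1" 200 512
203.0.113.5 - - [21/Jul/2025:10:00:02 +0000] "GET /_internal/pc/vpro.php?param=abc HTTP/1.1" 200 512
198.51.100.7 - - [21/Jul/2025:10:00:03 +0000] "GET /_internal/pc/vpro.php?param=abc%3Bid HTTP/1.1" 200 77
198.51.100.7 - - [21/Jul/2025:10:00:04 +0000] "GET /index.php HTTP/1.1" 200 1024
203.0.113.9 - - [21/Jul/2025:10:00:05 +0000] "POST /_internal/pc/vpro.php HTTP/1.1" 200 10
"""


def parse_line(line: str) -> Dict[str, str]:
    """Return the named fields of one access-log line, or {} if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else {}


def reasons_for(entry: Dict[str, str]) -> List[str]:
    """Why a request to the vulnerable endpoint deserves a look (empty list = nothing to flag)."""
    parts = urlsplit(entry["target"])
    # Decode the path so percent-encoded spellings of the endpoint still match.
    if unquote(parts.path) != TARGET_PATH:
        return []
    reasons: List[str] = []
    if entry["ip"] not in LOOPBACK:
        reasons.append("non-loopback source")
    for _name, value in parse_qsl(parts.query, keep_blank_values=True):
        if SHELL_META.search(value):
            reasons.append("shell metacharacter in query value")
            break
    if entry["method"] == "POST" and not parts.query:
        # Request bodies are not in an access log, so the path is the only signal here.
        reasons.append("POST body not visible, inspect full request")
    return reasons


def triage(log_text: str) -> List[Dict[str, object]]:
    """Run the checks over every line and collect findings in log order."""
    findings: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if not entry:
            continue
        reasons = reasons_for(entry)
        if reasons:
            findings.append({"ip": entry["ip"], "target": entry["target"],
                             "status": entry["status"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["ip"], f["target"], f["status"], "; ".join(f["reasons"]))
```

Only the first loopback request passes clean; the three external requests are flagged, the encoded `%3Bid` value is caught after decoding, and the POST is flagged on path alone because its body never reaches the access log. A 200 status on a flagged line is a reason to pull the host's process and shell history next, since shell_exec() gives no other server-side trace by default.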
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly mitigates the OS command injection by requiring validation and sanitization of the input parameter before it reaches PHP's shell_exec() function.
- SI-2 (Flaw Remediation): requires identification, reporting, and correction of the command injection flaw in the /_internal/pc/vpro.php endpoint, such as through vendor patches.
- AC-3 (Access Enforcement): enforces logical access controls so that the exposed internal endpoint cannot be reached by unauthenticated remote callers.
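As an added example (not the vendor's code and not taken from the advisory), the following Python models the shell_exec() pattern described under Deeper analysis and the two controls the page names, SI-10 and AC-3. subprocess with shell=True behaves like PHP's shell_exec(), handing the string to /bin/sh; shlex.quote stands in for PHP's escapeshellarg(). The parameter name cmd_arg and the wrapped command echo are assumptions chosen only so the pattern is visible and safe to run; the real script's parameter and command are not public on this page.

```python
import re
import shlex
import subprocess

# Stand-in for the vpro.php handler. "cmd_arg" and "echo" are assumed names;
# the advisory does not say which parameter or which command the script wraps.


def vulnerable_handler(cmd_arg: str) -> str:
    """The flaw: untrusted input is concatenated into a shell command string.
    shell=True, like PHP's shell_exec(), lets ';' start a second command."""
    return subprocess.run("echo " + cmd_arg, shell=True,
                          capture_output=True, text=True).stdout


def quoted_shell_handler(cmd_arg: str) -> str:
    """If a shell is unavoidable, quote the value (shlex.quote is the counterpart
    of PHP's escapeshellarg()); the whole value becomes one literal argument."""
    return subprocess.run("echo " + shlex.quote(cmd_arg), shell=True,
                          capture_output=True, text=True).stdout


_ALLOWED = re.compile(r"[A-Za-z0-9._-]{1,64}")   # SI-10: strict allowlist, not a denylist
_LOOPBACK = {"127.0.0.1", "::1"}                 # AC-3: the endpoint is local-only


def hardened_handler(cmd_arg: str, remote_addr: str) -> str:
    """Both controls the page names: refuse non-local callers (AC-3), allowlist
    the parameter (SI-10), and then run the command with no shell at all."""
    if remote_addr not in _LOOPBACK:
        raise PermissionError(f"endpoint is local-only, refused {remote_addr}")
    if not _ALLOWED.fullmatch(cmd_arg):
        raise ValueError("parameter fails allowlist")
    # argv list: the value is one argument, never parsed by a shell
    return subprocess.run(["echo", cmd_arg], capture_output=True, text=True).stdout


if __name__ == "__main__":
    payload = "x; echo INJECTED"
    print("vulnerable :", repr(vulnerable_handler(payload)))
    print("quoted     :", repr(quoted_shell_handler(payload)))
    print("hardened   :", repr(hardened_handler("x", "127.0.0.1")))
    for args in ((payload, "127.0.0.1"), ("x", "203.0.113.5")):
        try:
            hardened_handler(*args)
        except (ValueError, PermissionError) as exc:
            print("rejected   :", exc)
```

The quoting step alone stops this payload but still depends on every call site remembering to quote; the allowlist plus argv form removes the shell from the path entirely, which is the shape the vendor fix should take. The loopback check belongs at the web-server layer as well, so the script is not reachable even if a future PHP change forgets it.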