
CVE-2025-10764: Server-Side Request Forgery in SeriaWei ZKEACMS

Severity: Medium
Tags: Vulnerability, CVE-2025-10764
Published: Sun Sep 21 2025 (09/21/2025, 05:32:05 UTC)
Source: CVE Database V5
Vendor/Project: SeriaWei
Product: ZKEACMS

Description

A vulnerability was identified in SeriaWei ZKEACMS up to and including version 4.3. It affects the Edit function in the file src/ZKEACMS.EventAction/Controllers/PendingTaskController.cs, part of the Event Action System component. Manipulation of the argument Data leads to server-side request forgery. The attack can be performed remotely. A public exploit is available and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AI-Powered Analysis

Last updated: 09/22/2025, 00:08:46 UTC

Technical Analysis

CVE-2025-10764 is a server-side request forgery (SSRF) vulnerability in SeriaWei's ZKEACMS content management system, affecting releases up to and including 4.3. The flaw is in the Edit action of PendingTaskController.cs in the Event Action System component: the Data argument passed to that action ends up controlling an outbound request made by the server, so an attacker who controls it can make the CMS issue HTTP requests to destinations of the attacker's choosing, including hosts that are reachable only from the server's own network.

That is the general SSRF pattern: the server becomes a request proxy sitting inside the perimeter. Requests can reach internal services that are not exposed externally (management interfaces, internal APIs, cloud instance-metadata endpoints such as 169.254.169.254), which yields information disclosure, internal network reconnaissance, or a foothold for further exploitation.

The attack is network-reachable and needs no user interaction. Whether it also needs a CMS account is not stated on this page. PendingTaskController belongs to the administrative side of the CMS (pending event-action tasks are managed by site administrators), so exploitation most likely requires an authenticated account that can edit those tasks; a CVSS 4.0 base score of 5.3 for a network-reachable, low-complexity issue with low impact on confidentiality, integrity and availability corresponds to the privileges-required-low case, and the same impacts with no privileges required would score higher. Check the published CVSS vector before assuming unauthenticated exposure. The scope of the issue is limited to ZKEACMS and this component.

The vendor was notified early but has not responded, and no patch has been published, while a public exploit is available. No exploitation in the wild has been reported, but the combination of a public exploit and a missing patch raises the urgency of mitigation.

Potential Impact

For European organizations running ZKEACMS up to version 4.3, this SSRF issue is a meaningful risk. An attacker can use the CMS server as a pivot to reach internal resources behind the perimeter: databases, internal APIs, and cloud instance-metadata services, any of which can leak data or credentials that enable further compromise. Exploitation is a single crafted request to the Edit action, so it is easily scripted; if the action turns out to be reachable without a CMS account, it can be run at scale against exposed installations. Organizations that use ZKEACMS to host sensitive or regulated content face confidentiality breaches and possible service disruption. Because the vendor has not responded and no patch exists, exposure may be prolonged. SSRF is also a common stepping stone for lateral movement. The medium base score rates the flaw in isolation; the practical risk is higher wherever the CMS server has broad network access to critical internal systems.

Mitigation Recommendations

1. Immediate mitigation: restrict network egress from the ZKEACMS server to the destinations it actually needs, using firewall rules or network segmentation, so that a forged request cannot reach internal services or cloud metadata endpoints even while the application-level fix is missing.
2. If you maintain the code, fix the Edit action of PendingTaskController so that the destination taken from the Data parameter is checked against an allowlist of schemes and hosts rather than a blocklist of "localhost" and private ranges. A blocklist is bypassed by alternate IP spellings, IPv6-mapped addresses, DNS names that resolve to internal addresses, and redirects; resolve the host, reject the request if any answer is a loopback, private, link-local or otherwise non-global address, and do not follow redirects without re-checking.
3. Deploy a web application firewall with rules for SSRF patterns against the ZKEACMS endpoints, as a stop-gap rather than a fix.
4. Monitor outbound HTTP requests from the CMS server (egress proxy or firewall logs) for destinations on internal ranges or the instance-metadata address; these indicate exploitation attempts.
5. Where feasible, isolate the CMS server in a dedicated network segment with minimal access to internal resources.
6. Track SeriaWei's repository and community channels for a patch or unofficial fix and apply it promptly once available.
7. If the Event Action System component is not needed, disable or remove it until a fix exists.
8. Include SSRF vectors in internal penetration testing to find and remediate similar weaknesses elsewhere in the environment.
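The checks behind mitigation items 2 and 4, as an added example that is not part of the advisory or of ZKEACMS. It is written in Python so it runs stand-alone (the actual fix would go into the C# Edit action); it contrasts the string blocklist that "block localhost and private IPs" usually turns into with an allowlist-plus-resolve check, and then reuses the same classifier to flag internal destinations in egress-proxy log lines. The host names, DNS records and log format are constructed for the example.

```python
# Added example, not ZKEACMS or VulDB code: allowlist-plus-resolve checks for an SSRF
# sink such as the URL in the Data argument of PendingTaskController.Edit, contrasted
# with a string blocklist, and the same checks reused to flag internal destinations in
# constructed egress-proxy log lines. Host names, records and log format are hypothetical.
import ipaddress
import socket
from typing import Callable, List, Tuple
from urllib.parse import urlsplit

Resolver = Callable[[str], List[str]]
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}
ALLOWED_HOSTS = {"hooks.example.com", "api.example.com"}  # hypothetical allowlist

# What "block localhost and private ranges" usually turns into. Shown only for contrast.
WEAK_BLOCKLIST = ("localhost", "127.0.0.1", "10.", "172.16.", "192.168.", "169.254.")

def weak_blocklist_allows(url: str) -> bool:
    host = (urlsplit(url).hostname or "").lower()
    return not host.startswith(WEAK_BLOCKLIST)

def is_internal(addr: str) -> bool:
    """True for anything an SSRF must not reach: loopback, RFC 1918, CGNAT, link-local
    (including the 169.254.169.254 metadata endpoint), unspecified, documentation."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 is loopback, not a public v6 address
    return not ip.is_global

def system_resolve(host: str) -> List[str]:
    """Every A/AAAA answer, so a name with one public and one internal answer fails."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

# Constructed records so the example runs offline. "127.1" and "2130706433" emulate
# libc getaddrinfo, which accepts legacy IPv4 spellings that ipaddress rejects.
FAKE_DNS = {
    "hooks.example.com": ["93.184.216.34"],
    "api.example.com": ["93.184.216.35", "10.0.0.8"],  # split or rebinding answer
    "127.1": ["127.0.0.1"],
    "2130706433": ["127.0.0.1"],
}
fake_resolve: Resolver = FAKE_DNS.__getitem__  # raises KeyError for unknown names

def resolve_host(host: str, resolve: Resolver) -> List[str]:
    """IP literal -> itself; anything else -> every answer from the resolver."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        return resolve(host)

def safe_destination(url: str, resolve: Resolver = system_resolve) -> Tuple[bool, str]:
    """Allowlist scheme, host and port, then resolve and reject if any answer is
    internal. Re-run on every redirect hop, or disable redirects in the client."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {scheme!r} not allowed"
    host = (parts.hostname or "").lower()  # hostname drops user:pass@ and IPv6 brackets
    if host not in ALLOWED_HOSTS:
        return False, f"host {host!r} not on allowlist"
    try:
        port = parts.port or (443 if scheme == "https" else 80)
    except ValueError:
        return False, "malformed port"
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"
    try:
        addrs = resolve_host(host, resolve)
    except (OSError, KeyError):
        return False, f"{host} does not resolve"
    for addr in addrs:
        if is_internal(addr):
            return False, f"{host} resolves to internal address {addr}"
    return True, "ok"

# Constructed egress-proxy log for the CMS host, in a hypothetical key=value format.
SAMPLE_EGRESS_LOG = """\
2025-09-22T00:10:01Z client=10.20.0.15 method=GET dst=https://hooks.example.com/notify status=200
2025-09-22T00:10:07Z client=10.20.0.15 method=GET dst=http://169.254.169.254/latest/meta-data/ status=200
2025-09-22T00:10:12Z client=10.20.0.15 method=GET dst=http://2130706433/admin status=403
2025-09-22T00:10:20Z client=10.20.0.15 method=POST dst=http://[::ffff:10.0.0.5]:80/ status=200
"""

def flag_internal_destinations(log: str, resolve: Resolver = system_resolve) -> List[str]:
    """Return every dst= URL whose host is, or resolves to, an internal address."""
    flagged = []
    for line in log.splitlines():
        fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
        url = fields.get("dst")
        if not url:
            continue
        try:
            addrs = resolve_host((urlsplit(url).hostname or "").lower(), resolve)
        except (OSError, KeyError):
            continue  # unclassifiable here; a stricter rule would flag these too
        if any(is_internal(a) for a in addrs):
            flagged.append(url)
    return flagged

if __name__ == "__main__":
    for u in ("http://127.1/", "http://172.20.0.1/", "http://[::ffff:127.0.0.1]/"):
        print("weak blocklist allows", u, weak_blocklist_allows(u))
    print(safe_destination("https://api.example.com/v1", fake_resolve))
    print("flagged:", flag_internal_destinations(SAMPLE_EGRESS_LOG, fake_resolve))
```

The allowlist step is what makes the check safe; the resolve step protects the allowlisted names against DNS rebinding or a split answer, which is why every address returned is inspected rather than the first. The blocklist lets "127.1", "172.20.0.1" and "[::ffff:127.0.0.1]" straight through, and a real resolver turns "127.1" or "2130706433" into 127.0.0.1 even though the ipaddress module rejects those spellings. Whatever HTTP client performs the request must either not follow redirects or re-run the check on each hop, since a redirect from an allowlisted host defeats an input-time check alone.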


Technical Details

Data Version
5.1
Assigner Short Name
VulDB
Date Reserved
2025-09-20T08:47:34.507Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 68d0935fb68a0c387d42a92b

Added to database: 9/22/2025, 12:07:59 AM

Last enriched: 9/22/2025, 12:08:46 AM

Last updated: 9/24/2025, 12:09:15 AM

