CVE-2025-11674: CWE-918 Server-Side Request Forgery (SSRF) in PiExtract SOOP-CLM
SOOP-CLM developed by PiExtract has a Server-Side Request Forgery vulnerability, allowing privileged remote attackers to read server files or probe internal network information.
AI Analysis
Technical Summary
CVE-2025-11674 is a Server-Side Request Forgery (SSRF) vulnerability classified under CWE-918, affecting PiExtract's SOOP-CLM software versions 5.2 and 5.3. SSRF vulnerabilities occur when an attacker can abuse a server's functionality to make the server send crafted requests to internal or external systems that the attacker cannot reach directly. In this case, the vulnerability allows privileged remote attackers to coerce the SOOP-CLM server into making unauthorized requests, which can lead to reading sensitive files on the server or probing internal network resources that are otherwise inaccessible from outside. The vulnerability requires the attacker to hold high privileges on the system but needs no user interaction, so exploitation is feasible once such access is obtained. The CVSS 4.0 vector indicates a network attack vector (AV:N), low attack complexity (AC:L), no attack requirements (AT:N), high privileges required (PR:H), no user interaction (UI:N), and high impact on confidentiality (VC:H) with no impact on integrity or availability. The primary risk is therefore unauthorized disclosure of sensitive information rather than disruption or modification of data. No patches or exploit code are currently publicly available, and no active exploitation has been reported. The vulnerability nonetheless poses a significant risk of internal reconnaissance and data leakage within affected environments. SOOP-CLM is a contract lifecycle management product, often used in enterprise environments, which may contain sensitive contractual and organizational data, increasing the potential impact of this vulnerability.
Potential Impact
For European organizations, the impact of CVE-2025-11674 can be substantial, especially for those relying on SOOP-CLM for managing sensitive contracts and internal workflows. Exploitation could lead to unauthorized disclosure of confidential contract details, intellectual property, or internal network architecture. This could facilitate further attacks such as lateral movement, privilege escalation, or targeted espionage. Organizations in regulated sectors such as finance, healthcare, and government may face compliance violations and reputational damage if sensitive data is exposed. Additionally, internal network probing could reveal critical infrastructure components, increasing the risk of subsequent attacks. The requirement for high privileges to exploit somewhat limits the threat to insiders or attackers who have already compromised an account with elevated rights, but this does not eliminate the risk, as privilege escalation is a common attack step. The absence of known exploits in the wild provides a window for proactive mitigation, but organizations should not delay remediation. The medium severity rating reflects the balance between the potential impact and the exploitation complexity.
Mitigation Recommendations
To mitigate CVE-2025-11674 effectively, European organizations should:
1) Apply vendor patches immediately once available; since no patch links are currently provided, maintain close contact with PiExtract for updates.
2) Restrict network access to SOOP-CLM servers, especially limiting outbound requests from these servers to only trusted destinations to reduce SSRF exploitation scope.
3) Implement strict input validation and sanitization on any user-controllable parameters that influence server-side requests to prevent malicious request injection.
4) Employ network segmentation to isolate SOOP-CLM servers from sensitive internal systems, minimizing the impact of internal network probing.
5) Monitor logs and network traffic for unusual or unexpected server requests that could indicate SSRF attempts.
6) Enforce the principle of least privilege rigorously to reduce the number of users with high privileges capable of exploiting this vulnerability.
7) Conduct regular security assessments and penetration testing focused on SSRF and related vulnerabilities in SOOP-CLM deployments.
8) Consider deploying Web Application Firewalls (WAFs) with SSRF detection capabilities to provide an additional layer of defense.
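The outbound-request controls in points 2, 3 and 5 above (destination allowlisting, validation of user-influenced request targets, and log monitoring) can be expressed in code. The following is an added example written for this advisory; it is not code from PiExtract or SOOP-CLM, and nothing on this page describes how SOOP-CLM issues its requests. The allowlisted host names, the stand-in resolver table, the IP addresses and the egress log lines are constructed placeholders, and check_outbound_url, is_internal and flag_ssrf_candidates are hypothetical names. The guard enforces an http/https scheme and a host allowlist, rejects embedded credentials and internal IP literals, and checks every resolved address (unwrapping IPv4-mapped IPv6) against globally routable space; the log scan applies the same policy to egress-proxy lines so that requests toward loopback, private or link-local destinations surface for triage.

```python
"""Outbound request guard and egress-log check for SSRF (CWE-918) mitigation.

Added example for this advisory, not code from PiExtract or SOOP-CLM. Host names,
addresses and log lines are constructed placeholders.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Hypothetical allowlist: the only hosts the application may contact server-side.
ALLOWED_HOSTS = {"api.partner.example", "docs.example"}

# Constructed stand-in for DNS so the example runs offline. A deployment would
# resolve with socket.getaddrinfo() and must check every returned address,
# because an attacker-controlled name can point at an internal address.
FAKE_DNS = {
    "api.partner.example": ["8.8.8.8"],                # placeholder public address
    "docs.example": ["1.1.1.1", "::ffff:10.0.0.5"],    # one public, one mapped-internal
    "metadata.example": ["169.254.169.254"],           # cloud metadata endpoint
}


def resolve(host):
    """Stand-in resolver returning the constructed address list for a name."""
    return FAKE_DNS.get(host, [])


def is_internal(address):
    """True for anything not globally routable: loopback, RFC 1918, link-local
    (including 169.254.169.254), CGNAT, multicast, reserved and documentation
    space. IPv4-mapped IPv6 addresses are unwrapped before the check."""
    ip = ipaddress.ip_address(address)
    mapped = getattr(ip, "ipv4_mapped", None)
    if mapped is not None:
        ip = mapped
    return not ip.is_global


def check_outbound_url(url, allowed_hosts=ALLOWED_HOSTS, resolver=resolve):
    """Return (ok, reason). Every control must pass for ok to be True."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme not allowed: {parts.scheme!r}"
    if parts.username is not None or parts.password is not None:
        return False, "credentials embedded in URL"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        if is_internal(host):                      # host is an IP literal
            return False, f"literal internal address {host}"
    except ValueError:
        pass                                       # not an IP literal; treat as a name
    if host not in allowed_hosts:                  # also stops 0x7f000001-style tricks
        return False, f"host {host} not in allowlist"
    addrs = resolver(host)
    if not addrs:
        return False, f"host {host} did not resolve"
    for addr in addrs:
        if is_internal(addr):
            return False, f"host {host} resolves to internal address {addr}"
    return True, "ok"


# Constructed egress-proxy log lines: timestamp source -> destination method url
EGRESS_LOG = """\
2025-01-01T10:00:00Z soop-clm -> 8.8.8.8 GET https://api.partner.example/v1/contracts
2025-01-01T10:00:07Z soop-clm -> 169.254.169.254 GET http://169.254.169.254/latest/meta-data/
2025-01-01T10:00:12Z soop-clm -> 10.0.0.5 GET http://docs.example/internal/
2025-01-01T10:00:20Z soop-clm -> 127.0.0.1 GET http://127.0.0.1:8080/admin
"""

LOG_RE = re.compile(r"^(\S+) (\S+) -> (\S+) (\S+) (\S+)$")


def flag_ssrf_candidates(log_text, allowed_hosts=ALLOWED_HOSTS):
    """Return log lines whose destination address is internal or whose URL fails
    the outbound policy; these are the requests an analyst should triage."""
    flagged = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue
        _ts, _src, dst_ip, _method, url = match.groups()
        if is_internal(dst_ip) or not check_outbound_url(url, allowed_hosts)[0]:
            flagged.append(line)
    return flagged


if __name__ == "__main__":
    for sample in ("https://api.partner.example/v1/contracts",
                   "http://169.254.169.254/latest/meta-data/",
                   "http://[::1]:8080/", "file:///etc/passwd",
                   "http://user:pw@api.partner.example/", "https://docs.example/x"):
        print(sample, "->", check_outbound_url(sample))
    for line in flag_ssrf_candidates(EGRESS_LOG):
        print("FLAG", line)
```

Two design points matter in practice. First, the allowlist is the primary control and the address check is the backstop: a name that is not allowlisted is rejected before resolution, so encoded or decimal IP forms never reach the resolver, while an allowlisted name that resolves to internal space is still refused. Second, the resolved-address check must be repeated wherever the HTTP client actually connects, including after each redirect, because a permitted host can redirect to an internal destination; validating only the initial URL string leaves that path open.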
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: twcert
- Date Reserved: 2025-10-13T05:59:30.569Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 68ecb62b5296f0f080308ce1
Added to database: 10/13/2025, 8:19:55 AM
Last enriched: 10/21/2025, 12:49:44 AM
Last updated: 12/5/2025, 1:49:32 AM