CVE-2025-13789 is a Server-Side Request Forgery (SSRF) vulnerability identified in the ZenTao project management software, affecting versions up to 21.7.6-8564. The flaw resides in the makeRequest function of the module/ai/model.php file, where the 'Base' argument can be manipulated by an attacker to force the server to initiate HTTP requests to arbitrary destinations. SSRF vulnerabilities allow attackers to bypass network access controls by leveraging the vulnerable server as a proxy, potentially accessing internal services, metadata endpoints, or other restricted resources not directly reachable from the attacker’s location. The vulnerability is remotely exploitable without requiring authentication or user interaction, increasing its risk profile. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:L), no user interaction (UI:N), and low impact on confidentiality, integrity, and availability (VC:L, VI:L, VA:L). Although no active exploitation in the wild has been reported, public exploit code availability raises the risk of future attacks. The recommended mitigation is to upgrade ZenTao to version 21.7.6 or later, where the vulnerability has been addressed. Organizations should also review network segmentation and restrict outbound requests from application servers to limit SSRF impact.

For European organizations, this SSRF vulnerability in ZenTao can lead to unauthorized internal network reconnaissance, potentially exposing sensitive internal services, configuration endpoints, or cloud metadata services. This can facilitate further attacks such as data exfiltration, lateral movement, or privilege escalation within the network. Since ZenTao is used for project management and software development lifecycle management, compromise could also impact project confidentiality and integrity. The medium severity rating reflects limited direct impact on system availability or data integrity but highlights the risk of indirect exploitation paths. Organizations with ZenTao deployments accessible from the internet or untrusted networks are particularly at risk. The vulnerability could be leveraged by attackers to bypass firewall rules and access internal resources, increasing the attack surface and complicating incident response efforts.

1. Upgrade ZenTao installations immediately to version 21.7.6 or later to apply the official patch addressing the SSRF vulnerability. 2. Implement strict egress filtering on servers running ZenTao to restrict outbound HTTP/HTTPS requests only to trusted destinations, minimizing SSRF exploitation scope. 3. Employ network segmentation to isolate application servers from sensitive internal services and metadata endpoints. 4. Monitor application logs and network traffic for unusual outbound requests originating from ZenTao servers, which may indicate exploitation attempts. 5. Conduct regular security assessments and penetration tests focusing on SSRF and related vulnerabilities in web applications. 6. Educate development and operations teams about SSRF risks and secure coding practices to prevent similar issues in custom integrations or plugins.