CVE-2025-13789 is a server-side request forgery vulnerability identified in the ZenTao project management software, affecting versions up to 21.7.6-8564. The vulnerability exists in the makeRequest function within the module/ai/model.php file, where the Base argument can be manipulated by an attacker. This manipulation allows an attacker to coerce the vulnerable server to send HTTP requests to arbitrary internal or external resources. SSRF vulnerabilities are particularly dangerous because they can be leveraged to access internal services that are not directly exposed to the internet, potentially leading to data exfiltration, internal network reconnaissance, or pivoting attacks. The vulnerability is remotely exploitable without requiring authentication or user interaction, increasing its risk profile. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:L), no user interaction (UI:N), and partial impacts on confidentiality, integrity, and availability (VC:L, VI:L, VA:L). Although no known exploits are currently reported in the wild, the public availability of exploit details increases the likelihood of exploitation attempts. The recommended mitigation is to upgrade ZenTao to version 21.7.6 or later, which addresses the vulnerability. Additional mitigations include network-level restrictions on outbound requests from the ZenTao server and monitoring for anomalous request patterns.

For European organizations, the SSRF vulnerability in ZenTao poses a risk of unauthorized internal network access, which could lead to exposure of sensitive internal services, data leakage, or further compromise of internal systems. Organizations using ZenTao for managing software development or project workflows may have critical business processes impacted if attackers exploit this vulnerability. The ability to send arbitrary requests from the server can facilitate lateral movement within corporate networks or cloud environments, potentially affecting confidentiality and integrity of internal data. Given the medium CVSS score, the impact is moderate but could escalate depending on the internal network architecture and the presence of sensitive services accessible from the ZenTao server. The vulnerability's remote exploitability without authentication increases the urgency for timely patching. European entities in sectors such as finance, government, and technology that rely on ZenTao are particularly at risk due to the potential for targeted attacks leveraging SSRF to access protected resources.

1. Immediately upgrade ZenTao installations to version 21.7.6 or later to apply the official patch addressing CVE-2025-13789. 2. Implement strict egress filtering on the network to restrict the ZenTao server's ability to initiate outbound HTTP requests to only trusted destinations. 3. Use web application firewalls (WAFs) to detect and block suspicious SSRF payloads targeting the makeRequest function. 4. Conduct internal network segmentation to limit the exposure of sensitive services that could be accessed via SSRF. 5. Monitor server logs and network traffic for unusual internal requests or patterns indicative of SSRF exploitation attempts. 6. Review and harden application code and configurations to validate and sanitize all user-controllable inputs, especially those used in server-side requests. 7. Educate development and security teams about SSRF risks and ensure secure coding practices are followed in future updates.