CVE-2025-13809 is a medium severity server-side request forgery vulnerability affecting orionsec's orion-ops product up to commit 5925824997a3109651bbde07460958a7be249ed1. The vulnerability exists in the SSH Connection Handler component, specifically within the MachineInfoController.java source file. The flaw is due to insufficient validation and sanitization of input parameters—host, sshPort, username, password, and authType—used to establish SSH connections. An attacker with low privileges and no user interaction can remotely exploit this vulnerability by manipulating these parameters to coerce the server into sending crafted requests to arbitrary internal or external network resources. This can lead to unauthorized internal network scanning, access to sensitive internal services, or interaction with cloud metadata endpoints, potentially exposing confidential information or enabling further attacks. The vulnerability does not require authentication but does require low privileges, which may be achievable through other means depending on deployment. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges required, no user interaction, and low impact on confidentiality, integrity, and availability. The vendor was contacted but did not respond, and no patch or mitigation guidance has been published yet. Although no known exploits are currently in the wild, public disclosure increases the risk of exploitation. Organizations using orion-ops should monitor for updates and consider network-level controls to restrict outbound requests from the affected service.

For European organizations, exploitation of this SSRF vulnerability could allow attackers to pivot from the compromised orion-ops server into internal networks, potentially accessing sensitive internal services, databases, or cloud metadata endpoints. This could lead to data leakage, unauthorized access, or further compromise of internal infrastructure. Given orion-ops is a tool related to SSH connection management, organizations relying on it for infrastructure operations may face disruption or risk exposure of critical operational data. The medium severity rating reflects moderate impact but ease of exploitation without user interaction. The lack of vendor response and patch availability increases risk exposure. Organizations in sectors with high reliance on secure infrastructure management, such as finance, energy, and government, may be particularly impacted. Additionally, the ability to perform SSRF attacks can facilitate reconnaissance and lateral movement within networks, increasing the overall attack surface and risk of more severe follow-on attacks.

1. Immediately restrict network egress from the orion-ops server to only trusted destinations, using firewall rules or network segmentation, to limit SSRF exploitation scope. 2. Monitor and log all outbound requests originating from orion-ops to detect anomalous or unauthorized connections. 3. If possible, disable or restrict the vulnerable SSH Connection Handler functionality until a patch is available. 4. Employ web application firewalls (WAFs) or reverse proxies with SSRF detection capabilities to filter malicious requests targeting the vulnerable endpoints. 5. Conduct internal audits to identify any low-privilege accounts or services that could be leveraged to exploit this vulnerability and harden their access controls. 6. Stay alert for vendor updates or community patches and apply them promptly once released. 7. Educate operational teams about the risks of SSRF and encourage reporting of suspicious network activity related to orion-ops. 8. Consider deploying network-level DNS filtering to prevent resolution of unauthorized domains that could be targeted by SSRF attacks.