CVE-2025-36845 is a Server-Side Request Forgery (SSRF) vulnerability discovered in the Eveo URVE Web Manager version 27.02.2025. The vulnerability exists in the /_internal/redirect.php endpoint, which accepts a URL as input and makes a server-side request to that URL, subsequently reflecting the content in the response. This behavior allows an attacker to coerce the application server into making HTTP requests to arbitrary internal or external resources that may not be directly accessible from the attacker’s environment. SSRF vulnerabilities can be leveraged to access sensitive internal services, bypass network access controls, and potentially escalate attacks to internal systems. Since the endpoint reflects the content retrieved from the requested URL, attackers can use this to probe internal infrastructure, gather information about internal services, or exploit other vulnerabilities in internal endpoints. The vulnerability does not require authentication or user interaction, increasing its risk profile. No CVSS score has been assigned yet, and no known exploits are reported in the wild. The affected version is specified as 27.02.2025, but no patch or mitigation details are currently available.

For European organizations using Eveo URVE Web Manager, this SSRF vulnerability poses a significant risk to internal network security and data confidentiality. Organizations often deploy such management platforms within their internal networks or DMZs, where they have access to sensitive infrastructure components such as databases, internal APIs, or cloud metadata services. Exploitation could allow attackers to pivot from the exposed web application into internal systems, potentially leading to unauthorized data access, lateral movement, or disruption of critical services. Given the reflective nature of the vulnerability, attackers could also use it to exfiltrate data or perform reconnaissance on internal network topology. The impact is heightened in sectors with stringent data protection requirements, such as finance, healthcare, and critical infrastructure, common across Europe. Additionally, the lack of authentication requirements means that attackers can exploit this vulnerability remotely without valid credentials, increasing the attack surface. The absence of a patch or mitigation guidance further elevates the risk until a fix is released and applied.

European organizations should immediately audit their deployment of Eveo URVE Web Manager to determine if they are running the affected version 27.02.2025. Until a patch is available, organizations should implement network-level controls to restrict the application server’s ability to make arbitrary outbound HTTP requests, such as firewall rules or egress filtering that limit requests to trusted destinations only. Web application firewalls (WAFs) can be configured to detect and block suspicious requests targeting the /_internal/redirect.php endpoint, especially those containing external or internal IP addresses or URLs. Application-level mitigations include disabling or restricting the functionality of the vulnerable endpoint if feasible, or implementing strict input validation and allowlisting of URLs that the redirect.php endpoint can access. Monitoring and logging of requests to this endpoint should be enhanced to detect potential exploitation attempts. Organizations should also prepare to deploy patches promptly once Eveo releases a fix. Finally, internal network segmentation and zero-trust principles should be reinforced to minimize the impact of any SSRF exploitation.