CVE-2025-36846: n/a
An issue was discovered in Eveo URVE Web Manager 27.02.2025. The application exposes a /_internal/pc/vpro.php localhost endpoint to unauthenticated users that is vulnerable to OS Command Injection. The endpoint takes an input parameter that is passed directly into the shell_exec() function of PHP. NOTE: this can be chained with CVE-2025-36845.
AI Analysis
Technical Summary
CVE-2025-36846 affects Eveo URVE Web Manager version 27.02.2025. The application ships a PHP endpoint at /_internal/pc/vpro.php that the description calls a localhost endpoint, that is, one meant for use by the host itself, yet it answers requests without any authentication. The endpoint takes an input parameter and passes it straight into PHP's shell_exec() with no validation or escaping, so shell metacharacters in that parameter (for example ; | & or $( )) let the caller append arbitrary commands to whatever command the script builds. This is OS command injection (CWE-78): the injected commands run on the server with the privileges of the web server or PHP process. Because no credentials are needed, any client that can deliver an HTTP request to the path can exploit it; whether that includes remote clients depends on whether the web server exposes the path beyond the loopback interface, which the record does not settle. The record also notes that the issue can be chained with CVE-2025-36845, but does not describe what the chain yields. No CVSS score has been assigned (the CVSS version field is null), but unauthenticated command execution is treated as high severity in practice, since it can lead to full compromise of the host, theft of the data it holds, or disruption of the service. No vendor patch or mitigation was listed at the time of publication, so affected organizations need to rely on compensating controls until one appears.
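As an added illustration (example code written for this page, not code from URVE Web Manager or Eveo), the following Python stand-in mirrors the pattern the description reports: a request parameter is interpolated into a command string that is handed to a shell, which is what shell_exec() does in PHP. The command template (echo), the parameter values and the allowlist are assumptions; the real command built by vpro.php and its parameter name are not given in the record. The two hardened variants show the usual fixes: quoting the value as a single argument (shlex.quote, the analogue of PHP's escapeshellarg()) and accepting only a fixed allowlist while invoking the program without a shell.

```python
"""Command-injection pattern and its fixes, as an added Python stand-in
for the PHP shell_exec() call described in the advisory (not URVE code).
The command template, parameter values and allowlist are assumptions."""
import shlex
import subprocess

# Assumed stand-in for whatever command vpro.php builds around its parameter.
COMMAND_TEMPLATE = "echo {}"


def _sh(cmd: str) -> str:
    """Run a command string through /bin/sh and return its stdout,
    the same contract as PHP's shell_exec()."""
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_vulnerable(param: str) -> str:
    """The reported pattern: the raw parameter is spliced into the command
    string, so ';', '|', '&', '$(...)' in it are interpreted by the shell."""
    return _sh(COMMAND_TEMPLATE.format(param))


def run_escaped(param: str) -> str:
    """Fix 1: shlex.quote() (PHP: escapeshellarg()) wraps the value so the
    shell sees exactly one literal argument, whatever characters it holds."""
    return _sh(COMMAND_TEMPLATE.format(shlex.quote(param)))


# Assumed set of operations such a management endpoint might legitimately accept.
ALLOWED_ACTIONS = {"status", "restart"}


def run_allowlisted(param: str) -> str:
    """Fix 2: reject anything outside a fixed allowlist and invoke the
    program with an argument list, so no shell is involved at all."""
    if param not in ALLOWED_ACTIONS:
        raise ValueError(f"rejected parameter: {param!r}")
    return subprocess.run(["echo", param], capture_output=True, text=True).stdout


if __name__ == "__main__":
    payload = "status; echo INJECTED"
    print("vulnerable :", repr(run_vulnerable(payload)))   # both commands ran
    print("escaped    :", repr(run_escaped(payload)))      # one literal argument
    try:
        run_allowlisted(payload)
    except ValueError as exc:
        print("allowlisted:", exc)
```

Quoting stops the metacharacters but still lets the caller choose the argument's content, so if the value lands in an option position (an argument starting with "-") or is itself the program name, quoting alone is not enough; for a fixed-purpose management endpoint the allowlist is the fix to prefer.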
Potential Impact
For European organizations running Eveo URVE Web Manager 27.02.2025, the flaw puts the confidentiality, integrity and availability of the affected host at risk: whoever can reach the endpoint can run commands with the privileges of the web server or PHP process, which allows reading the data the host holds, altering or deleting it, and disrupting the service with destructive commands. Because no credentials are required, the usual barrier of obtaining a valid account does not apply, and exploitation is straightforward once the path is reachable. The record states that the issue can be chained with CVE-2025-36845 but does not say what the combination yields, so any additional effect (for example further access from the compromised host into the surrounding network) cannot be assessed from the record alone and depends on what the host can reach. The exposure is most concerning in sectors with critical infrastructure or sensitive data, such as finance, healthcare and government agencies in Europe, where a disruption or data breach carries regulatory and reputational consequences.
Mitigation Recommendations
Until Eveo ships a fix, treat /_internal/pc/vpro.php as a path that must not be reachable from anything but the host itself: deny it in the web server configuration (an allow rule for 127.0.0.1 and ::1 only on that location) and, in front of the server, restrict the whole management interface with firewall rules or ACLs to trusted administrative addresses. Where the endpoint is not needed, remove or disable it until a vendor patch is available. A web application firewall rule that blocks requests to the path, or requests whose decoded query string contains shell metacharacters, is a useful second layer but only a second layer: WAF signatures for command injection are routinely bypassed with encoding and alternative shell syntax, so the access restriction is the control to rely on.

Review web server access logs for any request to the path from a non-loopback address, and treat such a request that received a 200 response as a potential compromise warranting host-level investigation (unexpected child processes of the PHP or web server process, new scheduled tasks, unexplained outbound connections). Because injected commands run with the web server's privileges, confirm that the server process runs as an unprivileged account. Segment the network so a compromised URVE host cannot reach sensitive systems, track Eveo's communications for a patch and deploy it promptly once released, and, where locally maintained PHP code exists around this product, make sure any value passed to shell_exec() or similar functions is checked against an allowlist or escaped with escapeshellarg(). Regular security assessments of the management interface will surface similar exposures.
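One way to implement the log-monitoring step, as an added example written for this page (not a tool from Eveo or from the advisory's source): scan access log lines in the common combined format for requests to the vulnerable path, URL-decode the query string before looking for shell metacharacters, and flag any request that arrives from a non-loopback address, since the endpoint is described as a localhost endpoint. The sample log lines are constructed for the example, and the parameter name "param" in them is an assumption; the checks do not depend on it.

```python
"""Added example: flag suspicious requests to the vpro.php endpoint in
combined-format access logs (not a tool from Eveo or the advisory).
The sample log lines are constructed; the parameter name is assumed."""
import ipaddress
import re
from urllib.parse import unquote_plus, urlsplit

VULN_PATH = "/_internal/pc/vpro.php"

# Characters that let a value break out of a /bin/sh command string.
SHELL_META = re.compile(r"[;|&`$<>\n]")

# Apache/nginx "combined" format: ip ident user [ts] "method target proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Constructed sample log; addresses are from documentation ranges.
SAMPLE_LOG = [
    '127.0.0.1 - - [21/Jul/2025:18:01:07 +0000] "GET /_internal/pc/vpro.php?param=status HTTP/1.1" 200 512',
    '203.0.113.7 - - [21/Jul/2025:18:02:11 +0000] "GET /_internal/pc/vpro.php?param=status%3Bid HTTP/1.1" 200 1024',
    '198.51.100.9 - - [21/Jul/2025:18:03:45 +0000] "GET /_internal/pc/vpro.php?param=status HTTP/1.1" 200 512',
    '203.0.113.7 - - [21/Jul/2025:18:04:02 +0000] "GET /index.php HTTP/1.1" 200 2048',
]


def analyse_line(line: str):
    """Return a record for a request to VULN_PATH, or None for other lines.
    record['findings'] lists why the request is suspicious (may be empty)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    if parts.path != VULN_PATH:
        return None

    # Decode once: %3B -> ';', %24%28 -> '$(' etc. A filter that inspects
    # the raw URL misses these.
    decoded_query = unquote_plus(parts.query)

    findings = []
    try:
        if not ipaddress.ip_address(m["ip"]).is_loopback:
            findings.append("non-loopback source")
    except ValueError:
        findings.append("unparseable source address")
    if SHELL_META.search(decoded_query):
        findings.append("shell metacharacters in query")

    return {
        "ip": m["ip"],
        "ts": m["ts"],
        "status": int(m["status"]),
        "query": decoded_query,
        "findings": findings,
    }


def scan(lines):
    """Return only the records that carry at least one finding."""
    return [r for r in map(analyse_line, lines) if r and r["findings"]]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['status']} {hit['query']!r}: {', '.join(hit['findings'])}")
```

The same two checks translate directly into a WAF or IDS rule; match on the decoded query rather than the raw URL, because encoded payloads such as %3B for ";" or %24%28 for "$(" are the first thing tried against a filter that inspects the URL as logged. Once the access restriction is in place, a 200 response to a hit from a non-loopback source means the restriction was not effective.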
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Belgium, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-04-15T00:00:00.000Z
- CVSS Version: null (no score assigned)
- State: PUBLISHED
Threat ID: 687e8063a83201eaac1235dc
Added to database: 7/21/2025, 6:01:07 PM
Last enriched: 7/21/2025, 6:16:10 PM
Last updated: 7/21/2025, 7:16:07 PM
Related Threats
- CVE-2025-7938: Authorization Bypass in jerryshensjf JPACookieShop 蛋糕商城JPA版 (Medium)
- CVE-2025-54121: CWE-770: Allocation of Resources Without Limits or Throttling in encode starlette (Medium)
- CVE-2025-54071: CWE-434: Unrestricted Upload of File with Dangerous Type in rommapp romm (Critical)
- CVE-2025-51868: n/a (Unknown)
- CVE-2025-7231: CWE-787: Out-of-bounds Write in INVT VT-Designer (High)