
CVE-2025-45475: n/a

Medium
Vulnerability: CVE-2025-45475 (tags: cve, cve-2025-45475)
Published: Tue May 27 2025 (05/27/2025, 00:00:00 UTC)
Source: CVE Database V5
Vendor/Project: n/a
Product: n/a

Description

maccms10 v2025.1000.4047 is vulnerable to Server-Side request forgery (SSRF) in Friend Link Management.

AI-Powered Analysis

AI analysis, last updated: 07/06/2025, 00:57:21 UTC

Technical Analysis

CVE-2025-45475 is a Server-Side Request Forgery (SSRF) vulnerability in the Friend Link Management functionality of maccms10 version 2025.1000.4047. An SSRF arises when an application fetches a URL that a user controls without constraining where that fetch may go, so the attacker can make the server issue requests to destinations the attacker cannot reach directly: loopback services, RFC 1918 addresses, or a cloud instance metadata endpoint. The advisory does not state which request or parameter is affected, nor which account role can reach the Friend Link Management function; the class of bug implies that the server fetches a user-supplied link URL.

The enrichment assigns the CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L, which corresponds to a base score of 5.4 (Medium). Note that the CVE record itself carries no CVSS data (the Technical Details below list the CVSS version as null), so this vector is the analyst's estimate rather than a vendor or NVD assessment. Under that vector the attack is network-based (AV:N) with low complexity (AC:L), requires a low-privileged account (PR:L) and no user interaction (UI:N). The impact is rated low on confidentiality (C:L), because the attacker can read responses from, or at least probe the existence of, internal services, and low on availability (A:L), because the server can be misused as a request generator against those services. No integrity impact is recorded (I:N), although SSRF against internal services that accept state-changing requests can have integrity consequences the vector does not capture.

The weakness is classified as CWE-918 (Server-Side Request Forgery). No public exploit is known and no patch or vendor advisory was linked at the time of enrichment. The CVE record gives no vendor or product name beyond maccms10 and the version, so affected deployments must be identified by version. maccms10 is a PHP-based open-source content management system widely used for video and media content websites, and may be deployed in a variety of organizational environments.
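The following is an added illustrative example, not maccms10's own code and not derived from the advisory. It models the generic shape of the bug class described above (a low-privileged user submits a friend-link URL that the server later fetches) and shows the validation a hardened fetcher applies before connecting: scheme restriction, rejection of userinfo, resolution of the host, rejection of any blocked address in the answer, and pinning of the resolved IP so the later connection cannot be redirected by DNS rebinding. The hostnames, DNS answers and addresses are constructed so the example runs offline.

```python
"""SSRF guard for a feature that fetches a user-supplied URL.

Added illustrative example; this is not maccms10's code. The advisory does not
name the affected request or parameter, so the feature is modelled generically:
a low-privileged user submits a friend-link URL and the server later fetches it.
"""
import ipaddress
import socket
from dataclasses import dataclass
from typing import Callable, List
from urllib.parse import urlsplit

# Destinations a server-side fetcher must never reach on a user's behalf.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16",   # link-local; cloud metadata lives at 169.254.169.254
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]


def ip_is_blocked(ip: str) -> bool:
    """True if the address is private, loopback, link-local, multicast or
    reserved. Raises ValueError for strings that are not IP addresses."""
    addr = ipaddress.ip_address(ip)
    # IPv4-mapped IPv6 (::ffff:127.0.0.1) must be judged by the embedded IPv4.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in BLOCKED_NETWORKS)


def default_resolver(hostname: str) -> List[str]:
    """System resolver. It typically normalises literal forms such as decimal
    2130706433 to 127.0.0.1, so such bypasses are caught by the address check."""
    try:
        infos = socket.getaddrinfo(hostname, None)
    except socket.gaierror as exc:
        raise ValueError(f"cannot resolve {hostname!r}: {exc}") from exc
    return sorted({info[4][0] for info in infos})


# Constructed DNS answers so the example runs offline; these are not real hosts.
SAMPLE_DNS = {
    "links.example.org": ["203.0.113.10"],
    "rebind.example": ["203.0.113.10", "10.0.0.5"],   # mixed public/private answer
    "localhost": ["127.0.0.1"],
}


def sample_resolver(hostname: str) -> List[str]:
    """Offline stand-in for default_resolver: table lookup, otherwise the name
    must be an address literal (ValueError if it is not)."""
    if hostname in SAMPLE_DNS:
        return SAMPLE_DNS[hostname]
    ipaddress.ip_address(hostname)
    return [hostname]


@dataclass(frozen=True)
class FetchTarget:
    scheme: str
    hostname: str   # for the Host header and TLS SNI
    ip: str         # connect to this, not to the hostname (no DNS-rebinding race)
    port: int
    path: str


def validate_outbound_url(url: str,
                          resolve: Callable[[str], List[str]] = default_resolver
                          ) -> FetchTarget:
    """Validate a user-supplied URL and return a pinned fetch target. Rejects
    non-HTTP(S) schemes, userinfo, unresolvable hosts and any host that
    resolves to at least one blocked address."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("URL has no host")
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo in URL is not allowed")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    addrs = resolve(parts.hostname)
    if not addrs:
        raise ValueError(f"{parts.hostname!r} did not resolve")
    for ip in addrs:
        if ip_is_blocked(ip):
            raise ValueError(f"{parts.hostname!r} resolves to blocked address {ip}")
    return FetchTarget(parts.scheme, parts.hostname, addrs[0], port, parts.path or "/")


def is_url_allowed(url: str,
                   resolve: Callable[[str], List[str]] = default_resolver) -> bool:
    """Boolean wrapper around validate_outbound_url."""
    try:
        validate_outbound_url(url, resolve)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for candidate in ("https://links.example.org/",
                      "http://169.254.169.254/latest/meta-data/",
                      "http://rebind.example/"):
        verdict = "allowed" if is_url_allowed(candidate, sample_resolver) else "rejected"
        print(f"{candidate} -> {verdict}")
```

The fetch itself is deliberately left out: the client should connect to `FetchTarget.ip` while sending `FetchTarget.hostname` as the Host header and TLS server name, must not follow redirects automatically, and must run `validate_outbound_url` again on every `Location` it is handed, because an allowlisted public host that redirects to an internal address is the most common way this kind of check is bypassed.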

Potential Impact

For European organizations running maccms10, this SSRF poses a moderate risk. Exploitation would let an attacker pivot from the web tier into internal networks and reach services that are not exposed externally, such as databases, cloud instance metadata endpoints, or internal APIs, leading to unauthorized data disclosure or service disruption. Given the medium severity the threat is not immediately critical, but SSRF is a common first step in a multi-stage attack chain, especially where internal network segmentation is weak. Organizations processing personal data under GDPR could face compliance exposure if internal data is reached. Availability impacts could also disrupt the web service itself and affect business continuity. Because low privileges are required, an attacker would first need some level of access, such as a compromised user account, which makes strong access controls and account monitoring important. No exploit is publicly known, so widespread exploitation is unlikely in the short term, but proactive mitigation is advisable.

Mitigation Recommendations

1. Validate every URL accepted by the Friend Link Management feature before the server fetches it: allow only http and https, reject userinfo and unusual host encodings, resolve the host and refuse any address in loopback, RFC 1918, link-local (including the cloud metadata address 169.254.169.254) or other reserved ranges, and re-apply the check to every redirect target rather than letting the HTTP client follow redirects on its own.
2. Where the CMS only needs to reach a small set of external services, enforce an allowlist of permitted destination hosts for outbound requests rather than relying on a denylist.
3. Apply egress filtering at the network layer so the web tier cannot open connections to internal services or the metadata endpoint; this limits the blast radius even if the application-level check is bypassed.
4. Monitor outbound request logs (forward proxy, egress firewall, or host-level flow logs) for requests from the CMS host to internal IP ranges or unexpected external domains, and alert on them.
5. Enforce least privilege: restrict access to Friend Link Management to the few accounts that need it, since the rating assumes a low-privileged account is sufficient to trigger the request.
6. Watch for a vendor fix or advisory for maccms10 2025.1000.4047 and apply it promptly; none was linked at the time of enrichment.
7. Include SSRF cases (internal targets, redirects, DNS rebinding, alternate IP encodings) in regular security assessments and penetration tests of the CMS environment.
8. A Web Application Firewall (WAF) can block requests whose URL parameter obviously names an internal target, but it sees only the inbound request and not the destination the server actually resolves, so treat it as defence in depth rather than the primary control.
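Recommendation 4 above is easy to state and rarely implemented concretely. The following is an added example, not part of the advisory or of maccms10, of the detection logic run over an egress log: it assumes outbound HTTP from the web tier passes through a forward proxy or egress firewall that writes one request per line in the key=value format constructed below, that the web-tier source address and the legitimate external destinations are known, and it flags CMS-originated requests to internal ranges as high and requests to any other external host for review. The log lines, addresses and hostnames are constructed; the parser is the part to adapt to a real proxy format.

```python
"""Egress-log detection for SSRF-style outbound requests from a CMS host.

Added example, not part of the advisory or of maccms10. It assumes outbound
HTTP from the web tier passes through a forward proxy or egress firewall that
logs one request per line in the constructed key=value format below.
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed environment facts: web-tier source addresses and the only external
# hosts the CMS legitimately needs to reach.
CMS_SOURCE_IPS = {"10.20.0.15"}
EXPECTED_DESTINATIONS = {"cdn.example.net", "update.example.net"}

INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",   # link-local covers cloud metadata
)]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dst_ip=(?P<dst_ip>\S+) "
    r"method=(?P<method>\S+) url=(?P<url>\S+) status=(?P<status>\d+)$"
)

# Constructed sample: a benign CDN fetch, a metadata-service probe, an internal
# Redis port probe, a callback to an outside host, and a non-CMS source.
SAMPLE_LOG = """\
2025-06-01T10:00:01Z src=10.20.0.15 dst=cdn.example.net dst_ip=203.0.113.20 method=GET url=http://cdn.example.net/logo.png status=200
2025-06-01T10:00:05Z src=10.20.0.15 dst=169.254.169.254 dst_ip=169.254.169.254 method=GET url=http://169.254.169.254/latest/meta-data/ status=200
2025-06-01T10:00:06Z src=10.20.0.15 dst=10.20.1.8 dst_ip=10.20.1.8 method=GET url=http://10.20.1.8:6379/ status=000
2025-06-01T10:00:07Z src=10.20.0.15 dst=callback.example dst_ip=203.0.113.99 method=GET url=http://callback.example/cb status=200
2025-06-01T10:00:09Z src=10.20.0.40 dst=update.example.net dst_ip=203.0.113.30 method=GET url=https://update.example.net/check status=200
"""


@dataclass
class Alert:
    severity: str    # "high": internal target; "review": unexpected external host
    reason: str
    evidence: str    # the URL, or the raw line when it could not be parsed


def parse_line(line: str) -> Optional[Dict[str, str]]:
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_internal(ip: str) -> bool:
    """RFC 1918, loopback and link-local; non-addresses count as not internal."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETWORKS)


def classify(entry: Dict[str, str]) -> Optional[Alert]:
    if entry["src"] not in CMS_SOURCE_IPS:
        return None    # only web-tier egress is in scope for this rule
    if is_internal(entry["dst_ip"]):
        return Alert("high", f"CMS host reached internal address {entry['dst_ip']}", entry["url"])
    if entry["dst"] not in EXPECTED_DESTINATIONS:
        return Alert("review", f"CMS host contacted unexpected destination {entry['dst']}", entry["url"])
    return None


def detect(log_text: str) -> List[Alert]:
    """Run the rule over a log excerpt. Unparseable lines are surfaced rather
    than dropped, so a log format change cannot silently blind the detection."""
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry is None:
            alerts.append(Alert("review", "unparseable egress log line", line))
            continue
        alert = classify(entry)
        if alert is not None:
            alerts.append(alert)
    return alerts


def severity_counts(alerts: List[Alert]) -> Counter:
    return Counter(alert.severity for alert in alerts)


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(f"[{alert.severity}] {alert.reason}: {alert.evidence}")
```

Keying the rule on the destination IP rather than the hostname matters: an attacker who controls a DNS name can point it at 169.254.169.254 or 10.0.0.0/8 while the logged hostname looks harmless, which is also why the proxy log needs to record the resolved address.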


Technical Details

Data Version
5.1
Assigner Short Name
mitre
Date Reserved
2025-04-22T00:00:00.000Z
Cvss Version
null
State
PUBLISHED

Threat ID: 6835fd37182aa0cae21d8df1

Added to database: 5/27/2025, 5:58:15 PM

Last enriched: 7/6/2025, 12:57:21 AM

Last updated: 8/2/2025, 6:13:46 AM
