CVE-2025-52163: n/a
A Server-Side Request Forgery (SSRF) in the component TunnelServlet of agorum Software GmbH Agorum core open v11.9.2 & v11.10.1 allows attackers to forcefully initiate connections to arbitrary internal and external resources via a crafted request. This can lead to sensitive data exposure.
AI Analysis
Technical Summary
CVE-2025-52163 is a Server-Side Request Forgery (SSRF) vulnerability identified in the TunnelServlet component of agorum Software GmbH's Agorum core open versions 11.9.2 and 11.10.1. SSRF vulnerabilities occur when an attacker can make a server-side application send requests (typically HTTP) to arbitrary internal or external resources, potentially bypassing network access controls. In this case, the vulnerability allows an unauthenticated attacker to craft malicious requests that force the vulnerable TunnelServlet to initiate connections to arbitrary targets. This can lead to sensitive data exposure, either by reaching internal services that are not normally accessible from outside the network or by interacting with external systems in a way that reveals information. The CVSS v3.1 base score is 6.5 (medium severity), reflecting that the attack vector is network-based, requires no privileges or user interaction, and impacts confidentiality and integrity but not availability. The vulnerability is categorized under CWE-918 (Server-Side Request Forgery). No known exploits are currently reported in the wild, and no patches or mitigations have been published yet. The affected versions are specifically Agorum core open v11.9.2 and v11.10.1, which are used for document management and collaboration. The absence of an authentication requirement, combined with the ability to reach internal resources, makes this vulnerability particularly concerning in environments where sensitive internal services are reachable only through the affected application.
Potential Impact
For European organizations using Agorum core open versions 11.9.2 or 11.10.1, this SSRF vulnerability poses a significant risk to internal network security and data confidentiality. Attackers could leverage this flaw to access internal-only services such as databases, internal APIs, or cloud metadata services, potentially extracting sensitive information or gaining footholds for further attacks. This is especially critical for organizations handling sensitive or regulated data, such as financial institutions, healthcare providers, and governmental agencies, which are prevalent across Europe. The exposure of internal resources could lead to data breaches, compliance violations (e.g., GDPR), and reputational damage. Since the vulnerability does not require authentication or user interaction, it can be exploited remotely and at scale, increasing the threat surface. Additionally, the ability to interact with external resources could be abused for malicious activities such as scanning or attacking third parties, implicating the victim organization in broader cyber incidents. The absence of patches means organizations must rely on compensating controls until updates are available, increasing operational risk.
Mitigation Recommendations
European organizations should immediately assess their exposure by identifying deployments of Agorum core open v11.9.2 and v11.10.1. Until official patches are released, the following specific mitigations are recommended:
1) Implement strict network segmentation and firewall rules to restrict the vulnerable server's outbound connections, limiting it to only necessary destinations and blocking access to sensitive internal services and cloud metadata endpoints.
2) Deploy Web Application Firewalls (WAFs) with custom rules to detect and block suspicious SSRF payloads targeting the TunnelServlet endpoint.
3) Monitor application logs and network traffic for unusual outbound requests originating from the Agorum server, focusing on unexpected internal IP ranges or external destinations.
4) If feasible, temporarily disable or restrict access to the TunnelServlet component or the affected versions until patches are available.
5) Engage with agorum Software GmbH for updates and apply patches promptly once released.
6) Conduct internal security awareness training so staff can recognize potential signs of exploitation, and prepare incident response plans tailored to SSRF scenarios.
These targeted measures go beyond generic advice by focusing on network-level controls and application-specific monitoring to mitigate this particular SSRF threat.
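As an added example (not part of this advisory and not agorum's code), the following Python implements the egress monitoring from recommendations 1 and 3: it reads egress-proxy or firewall log lines and flags connections from the Agorum host to loopback, private, link-local (cloud metadata) or non-allowlisted destinations. The log format, the Agorum host address and the allowlist are assumptions, and the sample log lines are constructed.

```python
# Added example (not agorum's code): flag outbound connections from the
# Agorum host that an SSRF would typically produce: loopback, RFC 1918,
# link-local (cloud metadata) or anything outside an explicit allowlist.
import ipaddress
import re

# Hypothetical egress-log format: "<ts> src=<ip> dst=<host-or-ip>:<port> <verb>"
LOG_RE = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dst>[^:\s]+):(?P<port>\d+)")
AGORUM_SERVER = "10.0.5.20"  # assumed address of the Agorum host
ALLOWED_DESTS = {"updates.example.net"}  # assumed legitimate egress targets
SENSITIVE_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "::1/128", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16",  # link-local, includes 169.254.169.254 cloud metadata
)]

def classify(dst):
    """Return 'allowed', 'internal' or 'external-unlisted' for a destination."""
    if dst in ALLOWED_DESTS:
        return "allowed"
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:
        return "external-unlisted"  # a hostname that is not on the allowlist
    if any(addr in net for net in SENSITIVE_NETS):
        return "internal"
    return "external-unlisted"

def suspicious_egress(lines):
    """Yield (dst, port, verdict) for every non-allowed connection from the Agorum host."""
    for line in lines:
        m = LOG_RE.search(line)
        if not m or m.group("src") != AGORUM_SERVER:
            continue  # malformed line or traffic from some other host
        verdict = classify(m.group("dst"))
        if verdict != "allowed":
            yield (m.group("dst"), int(m.group("port")), verdict)

# Constructed sample log lines (not real traffic)
SAMPLE_LOG = [
    "2025-07-18T18:46:11Z src=10.0.5.20 dst=updates.example.net:443 CONNECT",
    "2025-07-18T18:46:12Z src=10.0.5.20 dst=169.254.169.254:80 GET",
    "2025-07-18T18:46:13Z src=10.0.5.20 dst=10.0.9.7:5432 CONNECT",
    "2025-07-18T18:46:14Z src=10.0.7.3 dst=10.0.9.7:5432 CONNECT",
    "2025-07-18T18:46:15Z src=10.0.5.20 dst=unlisted-host.example:8080 GET",
]

if __name__ == "__main__":  # prints the flagged connections from the sample log
    for hit in suspicious_egress(SAMPLE_LOG):
        print("ALERT", hit)
```

Connections from other hosts to the same internal services are not flagged, so the allowlist and host address must be adjusted per deployment.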
Affected Countries
Germany, France, United Kingdom, Netherlands, Switzerland, Belgium, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-06-16T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 687a9673a83201eaacf58eb0
Added to database: 7/18/2025, 6:46:11 PM
Last enriched: 7/18/2025, 7:01:57 PM
Last updated: 8/3/2025, 12:37:26 AM