CVE-2025-60898: n/a
An unauthenticated server-side request forgery (SSRF) vulnerability in the Thumbnail via-uri endpoint of Halo CMS 2.21 allows a remote attacker to cause the server to issue HTTP requests to attacker-controlled URLs, including internal addresses. The endpoint performs a server-side GET to a user-supplied URI without adequate allow/blocklist validation and returns a 307 redirect that can disclose internal URLs in the Location header.
AI Analysis
Technical Summary
CVE-2025-60898 is a critical SSRF vulnerability affecting the Thumbnail via-uri endpoint in Halo CMS version 2.21. The vulnerability allows an unauthenticated remote attacker to supply arbitrary URIs to the server, which then issues HTTP GET requests to these URIs without adequate allowlist or blocklist validation. This behavior enables attackers to force the server to interact with internal or otherwise restricted network resources, potentially bypassing firewall protections. Additionally, the server responds with a 307 redirect that includes the Location header containing the requested URL, which can disclose sensitive internal network information. The lack of authentication requirements and the direct server-side request execution make this vulnerability particularly dangerous. Although no patches or exploit code are currently published, the flaw can be leveraged for internal network reconnaissance, information disclosure, and as a pivot point for further attacks within the victim's infrastructure. The vulnerability highlights insufficient input validation and improper handling of user-supplied URIs in the CMS's thumbnail generation feature.
Potential Impact
For European organizations using Halo CMS 2.21, this SSRF vulnerability can lead to significant internal network exposure. Attackers can leverage the flaw to scan and interact with internal services that are otherwise inaccessible externally, potentially discovering sensitive information such as internal IP addresses, metadata services, or administrative interfaces. This can facilitate lateral movement, privilege escalation, or data exfiltration. Confidentiality is primarily at risk due to internal URL disclosure via the 307 redirect. Integrity and availability impacts are possible if attackers use SSRF to trigger unintended actions on internal services. Given the unauthenticated nature of the exploit, any public-facing Halo CMS instance is vulnerable, increasing the attack surface. The vulnerability could be exploited as an initial foothold or reconnaissance tool in targeted attacks against European enterprises, government agencies, or critical infrastructure operators using this CMS.
Mitigation Recommendations
Immediate mitigation should include restricting or disabling the Thumbnail via-uri endpoint if possible until a patch is available. Implement strict allowlist validation on user-supplied URIs to ensure only trusted domains or IP ranges are requested. Employ network-level controls such as egress filtering and internal firewall rules to prevent the CMS server from making arbitrary outbound HTTP requests to internal or sensitive network segments. Monitor logs for unusual or unexpected requests to the vulnerable endpoint and anomalous outbound connections from the CMS server. If feasible, deploy a web application firewall (WAF) with custom rules to detect and block SSRF patterns targeting the via-uri endpoint. Coordinate with the Halo CMS vendor for official patches or updates addressing this vulnerability. Conduct internal network segmentation to limit the impact of SSRF exploitation and reduce exposure of critical services.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Belgium, Poland, Austria
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-09-26T00:00:00.000Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 69023421b9e127f7a3635983
Added to database: 10/29/2025, 3:34:57 PM
Last enriched: 10/29/2025, 3:35:32 PM
Last updated: 10/30/2025, 1:47:21 PM