CVE-2025-63551: n/a
A Server-Side Request Forgery (SSRF) vulnerability, achievable through an XML External Entity (XXE) injection, exists in MetInfo Content Management System (CMS) through 8.1. This flaw stems from a defect in the XML parsing logic, which allows an attacker to construct a malicious XML entity that forces the server to initiate an HTTP request to an arbitrary internal or external network address. Successful exploitation could lead to internal network reconnaissance, port scanning, or the retrieval of sensitive information. The vulnerability may be present in the backend API called by or associated with the path `/admin/#/webset/?head_tab_active=0`, where user-provided XML data is processed.
AI Analysis
Technical Summary
CVE-2025-63551 is a Server-Side Request Forgery (SSRF) vulnerability rooted in an XML External Entity (XXE) injection within the MetInfo Content Management System (CMS) up to version 8.1. The vulnerability arises from improper XML parsing logic that fails to securely handle user-supplied XML data. Specifically, the backend API called from the admin page /admin/#/webset/?head_tab_active=0 (the part after # is handled client-side, so the request actually reaches the API behind that page) processes XML input that can be crafted by an attacker to include malicious XML entities. These entities exploit the XML parser to force the server to initiate HTTP requests to arbitrary internal or external network addresses. This SSRF capability enables attackers to perform internal network reconnaissance, such as port scanning, or to retrieve sensitive information from internal services that are otherwise inaccessible externally. The flaw does not require any authentication or user interaction, making it remotely exploitable by unauthenticated attackers over the network. The vulnerability is categorized under CWE-611 (Improper Restriction of XML External Entity Reference) and CWE-918 (Server-Side Request Forgery). With a CVSS v3.1 base score of 7.5, the vulnerability is considered high severity due to its high confidentiality impact, low attack complexity, and no privileges or user interaction required. Although no public exploits have been reported yet, SSRF and XXE vulnerabilities have historically been attractive to attackers aiming to pivot into internal networks or exfiltrate sensitive data. The lack of available patches at the time of reporting means organizations using MetInfo CMS should implement mitigations and monitor for suspicious activity immediately.
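The parser-side fix for a CWE-611 flaw like this one is to refuse DTDs and external entities outright. Added example (Python, standard library only; not MetInfo's code): a loader for a flat settings document that rejects any DOCTYPE before an entity can be declared, exercised against a constructed external-entity probe whose target address is a placeholder.

```python
import xml.parsers.expat

class UnsafeXMLError(ValueError):
    """The document tried to use a DTD or an external entity."""

def parse_settings_xml(data: bytes) -> dict:
    """Parse a flat <settings><key>value</key>...</settings> document into a dict.

    Added example, not MetInfo code. A DOCTYPE is rejected before any entity can
    be declared, so the input can never make the parser fetch a URL or file; the
    external-entity handler returning False is defence in depth (expat aborts
    instead of resolving the reference).
    """
    result, path, buf = {}, [], []

    def start_doctype(name, system_id, public_id, has_internal_subset):
        raise UnsafeXMLError("DTD declarations are not allowed in settings XML")

    def external_entity_ref(context, base, system_id, public_id):
        return False   # a false return makes expat raise instead of fetching

    def start_element(name, attrs):
        path.append(name)
        buf.clear()

    def end_element(name):
        if len(path) == 2:   # leaf element directly under the root
            result[name] = "".join(buf).strip()
        path.pop()

    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = start_doctype
    parser.ExternalEntityRefHandler = external_entity_ref
    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.CharacterDataHandler = buf.append
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        raise UnsafeXMLError(f"malformed or unsafe XML: {exc}") from exc
    return result

# Constructed inputs (not from MetInfo): a benign settings document and a probe
# that declares an external entity pointing at a placeholder internal address.
BENIGN = b"<settings><site_name>Example</site_name><lang>en</lang></settings>"
XXE_PROBE = (b'<!DOCTYPE s [<!ENTITY x SYSTEM "http://10.0.0.5:8080/">]>'
             b"<settings><site_name>&x;</site_name></settings>")
```

The same pattern applies to any parser that exposes DOCTYPE and external-entity hooks; where a library offers a "no DTD" switch, that switch is the simpler equivalent.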
Potential Impact
For European organizations, exploitation of CVE-2025-63551 could lead to significant confidentiality breaches by allowing attackers to access internal network resources that are typically protected by firewalls or network segmentation. This could expose sensitive internal services, databases, or configuration endpoints, potentially leading to further compromise or data leakage. The ability to perform internal reconnaissance and port scanning can facilitate lateral movement within corporate networks, increasing the risk of more severe attacks such as ransomware or espionage. Public sector entities, financial institutions, and critical infrastructure operators using MetInfo CMS are particularly at risk due to the sensitive nature of their internal networks. Additionally, the vulnerability could undermine trust in web-facing services and damage organizational reputation if exploited. The absence of authentication requirements means attackers can exploit this remotely without prior access, increasing the threat surface. Given the high confidentiality impact and ease of exploitation, European organizations must treat this vulnerability as a priority to avoid potential data breaches and operational disruptions.
Mitigation Recommendations
1. Immediate mitigation should include disabling XML external entity processing in the MetInfo CMS XML parser configuration if possible, to prevent XXE attacks.
2. Implement strict input validation and sanitization on all XML inputs, especially those processed by the /admin/#/webset/?head_tab_active=0 endpoint, to reject malicious XML entities.
3. Employ network-level controls such as egress filtering and internal firewall rules to restrict the server's ability to make arbitrary outbound HTTP requests, limiting SSRF impact.
4. Monitor server logs and network traffic for unusual outbound requests originating from the CMS server, which may indicate exploitation attempts.
5. If patches become available, prioritize their timely application.
6. Conduct internal network segmentation to minimize sensitive resource exposure to compromised web servers.
7. Use Web Application Firewalls (WAFs) with rules designed to detect and block SSRF and XXE attack patterns targeting XML inputs.
8. Educate development and security teams about secure XML parsing practices and SSRF risks to prevent similar vulnerabilities in future deployments.
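Mitigation items 3 and 4 above amount to watching the CMS host's egress. Added example (not MetInfo's or the advisory's code): a small detector over constructed key=value egress-log lines that flags requests from the CMS server to private, loopback or link-local destinations and a sweep of several ports on one internal host; the CMS address, the threshold and the log format are assumptions.

```python
import ipaddress
from collections import defaultdict

# Added example, not MetInfo code. The log format below is constructed (key=value);
# real proxy or NetFlow exports need their own field mapping.
CMS_SERVERS = {"10.20.0.15"}   # assumption: address(es) of the MetInfo host
PORT_SCAN_THRESHOLD = 5        # distinct ports to one destination host

def parse_line(line: str) -> dict:
    """Parse 'ts k=v k=v ...'; the first token is the timestamp."""
    ts, *pairs = line.split()
    rec = {"ts": ts}
    for pair in pairs:
        key, _, value = pair.partition("=")
        rec[key] = value
    return rec

def is_internal(host: str) -> bool:
    """True for RFC1918, loopback and link-local (cloud metadata) addresses."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False   # hostnames are left to DNS-level egress controls
    return ip.is_private or ip.is_loopback or ip.is_link_local

def find_ssrf_indicators(lines):
    """Alert on CMS-originated egress to internal hosts and on port sweeps."""
    alerts, ports_seen = [], defaultdict(set)   # (src, dst) -> {dport}
    for rec in map(parse_line, lines):
        src, dst, dport = rec["src"], rec["dst"], rec["dport"]
        if src not in CMS_SERVERS:
            continue   # only traffic originating from the web tier is of interest
        if is_internal(dst):
            alerts.append(f"{rec['ts']} internal egress {src} -> {dst}:{dport}")
        ports_seen[(src, dst)].add(dport)
        if len(ports_seen[(src, dst)]) == PORT_SCAN_THRESHOLD:
            alerts.append(f"{rec['ts']} possible port scan {src} -> {dst}")
    return alerts

# Constructed sample lines (not real traffic): normal fetch, metadata-service probe, port sweep, non-CMS host.
SAMPLE_LOG = [
    "2025-11-06T19:48:51Z src=10.20.0.15 dst=8.8.8.8 dport=443 method=GET",
    "2025-11-06T19:49:02Z src=10.20.0.15 dst=169.254.169.254 dport=80 method=GET",
    "2025-11-06T19:49:05Z src=10.20.0.15 dst=10.20.0.40 dport=22 method=GET",
    "2025-11-06T19:49:06Z src=10.20.0.15 dst=10.20.0.40 dport=3306 method=GET",
    "2025-11-06T19:49:07Z src=10.20.0.15 dst=10.20.0.40 dport=6379 method=GET",
    "2025-11-06T19:49:08Z src=10.20.0.15 dst=10.20.0.40 dport=8080 method=GET",
    "2025-11-06T19:49:09Z src=10.20.0.15 dst=10.20.0.40 dport=9200 method=GET",
    "2025-11-06T19:49:30Z src=10.20.0.99 dst=10.20.0.40 dport=3306 method=GET",
]
```

Run `find_ssrf_indicators(SAMPLE_LOG)` to see six internal-egress alerts followed by one port-sweep alert; the last line is ignored because its source is not the CMS host.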
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-10-27T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 690cfba3e0be39967232b9e2
Added to database: 11/6/2025, 7:48:51 PM
Last enriched: 11/13/2025, 8:25:59 PM
Last updated: 11/21/2025, 6:43:13 PM