CVE-2025-67623: Server-Side Request Forgery (SSRF) in 6Storage 6Storage Rentals
Server-Side Request Forgery (SSRF) vulnerability in 6Storage 6Storage Rentals 6storage-rentals allows Server Side Request Forgery. This issue affects 6Storage Rentals: from n/a through <= 2.19.9.
AI Analysis
Technical Summary
CVE-2025-67623 is a Server-Side Request Forgery (SSRF) vulnerability in the 6Storage Rentals product, affecting all versions up to and including 2.19.9. SSRF occurs when an attacker can make a vulnerable server issue crafted HTTP requests to destinations of the attacker's choosing, often internal or otherwise protected network resources that are not reachable from outside. This vulnerability requires neither authentication nor user interaction, so it is exploitable remotely over the network. The CVSS 3.1 base score of 9.1 reflects its critical severity: network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N) and no user interaction (UI:N). Confidentiality and integrity impact are rated high, since an attacker could reach sensitive internal services, exfiltrate data, or use the server as a starting point for further attacks such as scanning internal networks or exploiting other vulnerabilities. Availability impact is rated none, so the vulnerability does not directly cause denial of service. No patches or mitigations are currently linked, and no exploits have been observed in the wild as of the publication date. Given the critical severity and the nature of SSRF, however, exploitation could lead to significant breaches if left unaddressed. The vulnerability was reserved on December 9, 2025, and published on December 24, 2025, by Patchstack. The lack of a CWE classification suggests a straightforward SSRF without additional complex conditions.
Potential Impact
For European organizations, the impact of CVE-2025-67623 can be severe, especially for those relying on 6Storage Rentals for cloud storage or rental management services. Successful exploitation could allow attackers to bypass perimeter defenses and access internal systems, potentially exposing sensitive customer data, intellectual property, or critical infrastructure information. This could lead to data breaches, regulatory non-compliance (e.g., GDPR violations), reputational damage, and financial losses. The vulnerability’s ability to compromise confidentiality and integrity without requiring authentication or user interaction increases the risk profile significantly. Organizations in sectors such as finance, healthcare, and government, which often have stringent data protection requirements, are particularly vulnerable. Additionally, the SSRF could be leveraged as a pivot point for lateral movement within networks, escalating the scope of compromise. The absence of known exploits in the wild currently provides a window for proactive defense, but the critical CVSS score indicates that attackers are likely to develop exploits rapidly.
Mitigation Recommendations
1. Immediate patching: Monitor 6Storage vendor communications closely and apply security patches as soon as they become available for versions up to 2.19.9.
2. Network segmentation: Restrict the vulnerable server's ability to make outbound HTTP requests, especially to internal IP ranges and sensitive services, using firewall rules or network ACLs.
3. Input validation and filtering: Implement strict validation on any user-supplied URLs or parameters that the application uses to make server-side requests, blocking suspicious or internal IP addresses.
4. Web application firewall (WAF): Deploy and tune WAF rules to detect and block SSRF attack patterns targeting 6Storage Rentals.
5. Monitoring and alerting: Enable logging and real-time monitoring of outbound requests from the application server to detect anomalous or unauthorized connections.
6. Incident response readiness: Prepare for potential exploitation by having incident response plans and forensic capabilities in place.
7. Vendor engagement: Engage with 6Storage support to obtain timelines for patches and any recommended temporary mitigations.
8. Restrict metadata service access: If deployed in cloud environments, ensure that the server cannot access cloud metadata services unless explicitly required and secured.
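As an added illustration of recommendations 3 and 8 (this is example code written for this page, not code from 6Storage Rentals or from Patchstack), the following Python function validates a user-supplied URL before an application is allowed to fetch it server-side. It accepts only http/https, rejects embedded credentials, resolves the hostname and refuses the request if any resolved address is loopback, private, link-local (which covers the 169.254.169.254 cloud metadata endpoint), multicast, reserved or unspecified, including addresses hidden behind IPv4-mapped IPv6 literals. The function names, the `resolver` parameter and the `SAMPLE_DNS` table are assumptions made for the example; the DNS entries are constructed so the code runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def resolve_with_dns(host):
    """Default resolver: every A/AAAA answer for host from the system resolver."""
    try:
        infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def is_disallowed_address(addr):
    """True if addr is somewhere a server-side fetch must never go: loopback,
    RFC 1918 / ULA private space, link-local (includes 169.254.169.254, the
    cloud metadata endpoint), multicast, reserved or unspecified."""
    ip = ipaddress.ip_address(addr)
    # Unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1) so the IPv4 rules still apply.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_outbound_url(url, resolver=resolve_with_dns):
    """Return (ok, reason). ok is True only when the URL uses http/https, carries
    no credentials and *every* address its host resolves to is public."""
    try:
        parts = urlsplit(url)
    except ValueError as exc:          # e.g. malformed IPv6 literal
        return False, f"unparseable URL: {exc}"
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL are not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        addrs = [str(ipaddress.ip_address(host))]   # literal IP in the URL
    except ValueError:
        addrs = resolver(host)                       # hostname (or odd forms like 0x7f000001)
    if not addrs:
        return False, f"host does not resolve: {host!r}"   # fail closed
    for addr in addrs:
        if is_disallowed_address(addr):
            return False, f"{host!r} resolves to non-public address {addr}"
    return True, "ok"


# Constructed sample DNS table for the offline demonstration (not real records).
SAMPLE_DNS = {
    "public.example": ["8.8.8.8"],                      # public: allowed
    "metadata.example": ["169.254.169.254"],            # metadata endpoint: blocked
    "rebind.example": ["8.8.8.8", "10.0.0.5"],          # one private answer: blocked
}


def sample_resolver(host):
    """Offline stand-in for resolve_with_dns, backed by SAMPLE_DNS."""
    return SAMPLE_DNS.get(host, [])


if __name__ == "__main__":
    for candidate in ("https://public.example/api",
                      "http://metadata.example/",
                      "http://[::ffff:127.0.0.1]/",
                      "http://rebind.example/",
                      "file:///etc/hosts"):
        print(candidate, "->", check_outbound_url(candidate, resolver=sample_resolver))
```

Two caveats follow from how the check works. Validation happens at resolve time, so a DNS answer that changes between the check and the connect (DNS rebinding) or an HTTP redirect to an internal host can bypass it; apply the check again to every redirect target and, where the HTTP client allows it, connect to the address that was validated rather than re-resolving. That is why recommendation 2, egress filtering at the network layer, remains the backstop rather than an alternative to input validation.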
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: Patchstack
- Date Reserved: 2025-12-09T16:46:41.863Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 694bea1c279c98bf57f751eb
Added to database: 12/24/2025, 1:26:52 PM
Last enriched: 1/21/2026, 1:08:48 AM
Last updated: 2/6/2026, 11:33:26 AM