
CVE-2025-8772: Server-Side Request Forgery in Vinades NukeViet

Medium
Published: Sat Aug 09 2025 (08/09/2025, 19:32:06 UTC)
Source: CVE Database V5
Vendor/Project: Vinades
Product: NukeViet

Description

A vulnerability, which was classified as problematic, has been found in Vinades NukeViet up to 4.5.06. This issue affects some unknown processing of the file /admin/index.php?language=en&nv=upload of the component Module Handler. The manipulation leads to server-side request forgery. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AI-Powered Analysis

AILast updated: 08/09/2025, 20:02:57 UTC

Technical Analysis

CVE-2025-8772 is a server-side request forgery (SSRF) vulnerability reported in Vinades NukeViet 4.5.06 and earlier. It is located in what VulDB labels the Module Handler component and is reached through /admin/index.php with language=en and nv=upload, that is, the back-end upload module (nv is NukeViet's module-selection parameter); the advisory does not name the parameter whose manipulation triggers the outbound request. SSRF lets an attacker make the application server issue requests to hosts of the attacker's choosing, including loopback, RFC 1918 and link-local addresses (cloud instance-metadata endpoints among them) that the attacker cannot reach directly, so it is a way to bypass perimeter firewalls and talk to services that trust traffic originating from the web server. The CVSS 4.0 base score is 5.3 (medium): network attack vector, low attack complexity, no privileges required, no user interaction, low confidentiality impact and no integrity or availability impact. Two caveats apply. First, the vector as scored treats the attack as unauthenticated, but the full vector string is not reproduced here and the endpoint sits under the /admin/ path; confirm on the actual installation whether the upload module enforces an administrator session before treating this as a pre-auth issue. Second, Vinades was contacted before disclosure and did not respond, so no patch or official mitigation was available at publication. No exploitation in the wild has been reported, but the exploit has been published, which raises the likelihood of opportunistic scanning. SSRF is typically a stepping stone rather than an end in itself: internal port and service enumeration, retrieval of metadata credentials, or requests to internal admin interfaces, any of which can lead to pivoting into more critical systems.

Potential Impact

For European organizations running Vinades NukeViet 4.5.06 or earlier, this SSRF vulnerability is a real risk to internal network security. Exploitation could let an attacker reach internal services behind the firewall, exposing sensitive data or enabling lateral movement. Organizations whose NukeViet installations handle critical or personal data could face confidentiality breaches. With no vendor response and no patch, organizations must rely on compensating controls, which raises operational risk. Public sector entities, educational institutions and SMEs using this CMS in Europe are plausible targets, especially where the installation is internet-facing and the web server is not segmented from internal networks. Although the vulnerability does not directly affect integrity or availability, an SSRF foothold can lead to privilege escalation or data compromise through the services it reaches. The medium severity rating indicates a moderate but non-negligible threat, more so if the endpoint turns out to be reachable without an administrator session.

Mitigation Recommendations

European organizations should immediately audit their NukeViet installations to identify affected versions (4.5.06 and earlier). Since no official patch is available, implement the following mitigations:
1) Restrict access to /admin/index.php with network controls, such as IP allowlisting or VPN-only access to administrative interfaces.
2) Add web application firewall (WAF) rules that inspect requests selecting the upload module (nv=upload) under /admin/ and block parameter values that carry URLs pointing at loopback, RFC 1918, link-local or cloud-metadata addresses.
3) Enforce strict outbound egress filtering on the servers hosting NukeViet: deny the web server connections to internal address ranges and to the instance-metadata address except for the specific hosts the application needs, and proxy or log any remaining outbound HTTP.
4) Monitor web server and egress logs for unusual outbound connections from the application and for requests to the vulnerable endpoint carrying URL-like parameter values.
5) If feasible, temporarily disable or restrict the back-end upload module (the component VulDB calls Module Handler) until a fix is released.
6) Follow Vinades and community channels for updates or unofficial patches.
7) Conduct internal penetration testing focused on SSRF vectors to assess actual exposure, including whether the endpoint is reachable without an administrator session.
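As an added illustration of two points above, the internal-target behaviour of SSRF described in the Technical Analysis and the WAF and log-monitoring controls in items 2 and 4, the following Python script is provided here; it is not code from the NukeViet project or from the original advisory. It classifies a URL as pointing at internal address space (handling IPv6 literals, IPv4-mapped IPv6 and the dotless-decimal form of an IPv4 address) and scans Apache/nginx combined-format access-log lines for requests to the admin upload module that carry such a URL. Assumptions: the default /admin/ path; because the advisory does not name the manipulated parameter, every query parameter is checked; the log lines are constructed, not from any real host.

```python
import ipaddress
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Address space an SSRF payload aimed at internal services will typically target:
# loopback, RFC 1918, link-local (169.254.169.254 is the cloud metadata address),
# unspecified, and their IPv6 counterparts.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "0.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10",
)]
# Names known to point at internal space without needing a DNS lookup.
BLOCKED_HOSTNAMES = {"localhost", "metadata.google.internal"}


def _host_to_address(host):
    """Parse a URL host as an IP literal, including the dotless-decimal form
    (e.g. "2130706433" for 127.0.0.1) that curl and most HTTP clients accept."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    if host.isdigit():
        try:
            return ipaddress.ip_address(int(host))
        except ValueError:
            return None
    return None


def is_internal_target(url):
    """True if the URL's host is an IP literal or well-known name inside internal space.

    Other hostnames are not resolved here, so a public name that resolves (or rebinds)
    to 10.x passes; a server-side allowlist must resolve the name and check the
    address it actually connects to."""
    try:
        host = urlsplit(url).hostname
    except ValueError:          # e.g. malformed IPv6 brackets
        return False
    if not host:
        return False
    if host.lower().rstrip(".") in BLOCKED_HOSTNAMES:
        return True
    addr = _host_to_address(host)
    if addr is None:
        return False
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped   # ::ffff:10.0.0.5 is 10.0.0.5 to the network stack
    return any(addr in net for net in BLOCKED_NETWORKS)


# Apache/nginx "combined" access-log line: client, ident, user, [time], "request", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def flag_ssrf_probe(line):
    """Return (client_ip, parameter, decoded_url) for a request to the admin upload
    module (nv=upload) carrying a URL-valued parameter aimed at internal space, else None.
    The advisory does not name the manipulated parameter (assumption), so all are checked."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = urlsplit(m.group("target"))
    if not target.path.endswith("/admin/index.php"):
        return None
    params = parse_qs(target.query, keep_blank_values=True)
    if params.get("nv") != ["upload"]:
        return None
    for name, values in params.items():
        for value in values:
            candidate = unquote(value)   # parse_qs decoded once; decode again for double-encoded payloads
            if "://" in candidate and is_internal_target(candidate):
                return (m.group("ip"), name, candidate)
    return None


def scan_log(text):
    """All flagged probes in a block of access-log text, in file order."""
    return [hit for hit in map(flag_ssrf_probe, text.splitlines()) if hit]


# Constructed sample log lines (not from any real NukeViet host).
SAMPLE_LOG = """\
203.0.113.7 - - [09/Aug/2025:19:40:01 +0000] "GET /admin/index.php?language=en&nv=upload&url=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F HTTP/1.1" 200 512 "-" "curl/8.0.1"
203.0.113.7 - - [09/Aug/2025:19:40:05 +0000] "GET /admin/index.php?language=en&nv=upload&url=http%3A%2F%2F%5B%3A%3A1%5D%3A8080%2F HTTP/1.1" 200 77 "-" "curl/8.0.1"
198.51.100.9 - - [09/Aug/2025:19:41:10 +0000] "GET /admin/index.php?language=en&nv=upload&url=https%3A%2F%2Fexample.com%2Fa.png HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.9 - - [09/Aug/2025:19:41:12 +0000] "GET /index.php?language=en&nv=news HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
203.0.113.7 - - [09/Aug/2025:19:42:00 +0000] "GET /admin/index.php?language=en&nv=upload&url=http%3A%2F%2F2130706433%2F HTTP/1.1" 200 77 "-" "curl/8.0.1"
"""

if __name__ == "__main__":
    for ip, param, url in scan_log(SAMPLE_LOG):
        print(f"{ip} probed internal target via {param}={url}")
```

Two limits worth knowing before relying on this: parameters sent in a POST body never appear in the access log, so this catches only GET-style probes, which is why egress filtering and a server-side allowlist that resolves the hostname remain the controls that do not depend on logging; and shorthand IPv4 forms such as 127.1 are not normalized here, so a WAF rule built from the same logic should canonicalize the host first.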


Technical Details

Data Version
5.1
Assigner Short Name
VulDB
Date Reserved
2025-08-08T20:13:28.806Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 6897a5e7ad5a09ad000e3e18

Added to database: 8/9/2025, 7:47:51 PM

Last enriched: 8/9/2025, 8:02:57 PM

Last updated: 8/11/2025, 12:33:50 AM

