CVE-2025-36846
BaseFortify
Publication date: 2025-07-21
Last updated on: 2025-09-12
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| eveo | urve_web_manager | 27.02.2025 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-36846 is a high-risk OS Command Injection vulnerability in the Eveo URVE Web Manager 27.02.2025. The application exposes a localhost-only endpoint /_internal/pc/vpro.php that takes input parameters directly passed to PHP's shell_exec() function without proper sanitization, allowing attackers to execute arbitrary OS commands. Although this endpoint is restricted to localhost, this restriction can be bypassed by chaining it with another unauthenticated SSRF-vulnerable endpoint /_internal/redirect.php, enabling remote attackers to execute commands without authentication. [1]
How can this vulnerability impact me? :
This vulnerability allows unauthenticated remote attackers to execute arbitrary operating system commands on the server hosting the URVE Web Manager. This can lead to full system compromise, unauthorized access to sensitive data, disruption of services, and potential use of the server as a foothold for further attacks within the network. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection can be performed by monitoring for unusual HTTP requests targeting the endpoints /_internal/pc/vpro.php and /_internal/redirect.php, especially GET requests with URL parameters that attempt to inject commands. A proof of concept involves sending a crafted GET request to /_internal/redirect.php with a URL parameter targeting vpro.php on localhost. Network administrators can use tools like curl or wget to simulate such requests and check for unexpected command execution responses. For example, a command to test might be: curl "http://<target>/_internal/redirect.php?url=http://localhost/_internal/pc/vpro.php?cmd=whoami". Additionally, monitoring logs for requests to these endpoints and any outbound HTTP requests that could exfiltrate data is recommended. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include blocking all external access to any endpoints under the /_internal/ path to prevent unauthenticated access. Additionally, updating the Eveo URVE Web Manager to the latest fixed version 27.02.2025, which patches this vulnerability, is strongly recommended. [1]