CVE-2025-10471
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-15

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was detected in ZKEACMS 4.3. Impacted is the function Proxy of the file src/ZKEACMS/Controllers/MediaController.cs. Performing manipulation of the argument url results in server-side request forgery. It is possible to initiate the attack remotely. The exploit is now public and may be used.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-15
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2025-09-15
EPSS Evaluated
2026-06-15
NVD
CVE-2025-10471
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
zkea zkeacms 4.3
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-10471 is a server-side request forgery (SSRF) vulnerability in ZKEACMS version 4.3, specifically in the Proxy function of the MediaController.cs file. It occurs because the application improperly validates the 'url' argument, allowing an attacker to manipulate this input to make the server send unauthorized requests to arbitrary destinations. This can be exploited remotely by an attacker who has the ViewMedia permission, enabling them to access or enumerate internal network resources. [1, 2]

Impact Analysis

This vulnerability can impact you by compromising the confidentiality, integrity, and availability of your system. An attacker can remotely exploit it to make unauthorized requests from your server to arbitrary or internal network resources, potentially accessing sensitive internal services or data. This can lead to further attacks within your internal network and disrupt normal operations. [1, 2]

Detection Guidance

Detection of this SSRF vulnerability involves monitoring for unusual or unauthorized requests made by the server to internal or external URLs, especially those triggered via the Proxy function in MediaController.cs. Since exploitation requires the 'ViewMedia' permission, reviewing access logs for users with this permission making unexpected URL requests can help. Specific commands are not provided in the resources, but general approaches include inspecting web server logs for requests containing the 'url' parameter in the Proxy function, and using network monitoring tools to detect outbound requests to unusual destinations initiated by the server. [1, 2]

Mitigation Strategies

Immediate mitigation steps include restricting or reviewing user permissions to ensure only trusted users have the 'ViewMedia' permission, as exploitation requires this. Since no known countermeasures or mitigations have been identified, it is suggested to replace the affected component or upgrade to a version without this vulnerability if available. Additionally, monitoring and blocking suspicious outbound requests from the server can help reduce risk until a patch or fix is applied. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-10471. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart