CVE-2025-36845

HIGH NUCLEI

Eveo URVE Web Manager - SSRF

Description

An issue was discovered in Eveo URVE Web Manager 27.02.2025. The endpoint /_internal/redirect.php allows for Server-Side Request Forgery (SSRF). The endpoint takes a URL as input, sends a request to this address, and reflects the content in the response. This can be used to request endpoints only reachable by the application server.
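
For defenders reviewing web-server access logs, the following added example (not part of the advisory or of the vendor's code) lists every URL-bearing request to /_internal/redirect.php and marks those whose target is a loopback, private or link-local address. The log lines are constructed samples, and the "url" parameter name and the common-log format are assumptions; the script inspects all query parameters, so it does not depend on that name.

```python
import ipaddress
import re
from urllib.parse import parse_qsl, urlsplit

ENDPOINT = "/_internal/redirect.php"  # path named in the advisory
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

# Constructed sample access-log lines; the "url" parameter name is an assumption.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Aug/2025:10:00:01 +0000] "GET /_internal/redirect.php?url=http%3A%2F%2F127.0.0.1%3A8080%2Fstatus HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Aug/2025:10:00:05 +0000] "GET /_internal/redirect.php?url=http://10.0.0.5/ HTTP/1.1" 200 2048',
    '198.51.100.9 - - [01/Aug/2025:10:02:11 +0000] "GET /_internal/redirect.php?url=https%3A%2F%2Fexample.org%2F HTTP/1.1" 200 1256',
    '198.51.100.9 - - [01/Aug/2025:10:03:40 +0000] "GET /index.php?next=http://localhost/ HTTP/1.1" 200 900',
]

def classify_host(host):
    """Return 'internal' for loopback/private/link-local targets, else 'external'."""
    if host == "localhost" or host.endswith(".localhost"):
        return "internal"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "external"  # a DNS name; resolving it is out of scope here
    internal = ip.is_loopback or ip.is_private or ip.is_link_local
    return "internal" if internal else "external"

def review_log(lines):
    """Return (line_no, param, host, verdict) for URL-bearing hits on ENDPOINT."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = urlsplit(match.group(1))
        if target.path != ENDPOINT:
            continue
        for param, value in parse_qsl(target.query):  # percent-decodes values
            try:
                host = urlsplit(value).hostname
            except ValueError:  # malformed bracketed IPv6 literal
                continue
            if host:
                findings.append((line_no, param, host, classify_host(host)))
    return findings

if __name__ == "__main__":
    for finding in review_log(SAMPLE_LOG):
        print(finding)
```

A hostname that resolves to an internal address is reported as "external" here, so every hit on this endpoint deserves review, not only the ones marked "internal".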

Nuclei Templates (1)

Eveo URVE Web Manager - Server-Side Request Forgery
HIGH VERIFIED by DhiyaneshDk
Shodan: html:"URVE Web Manager"

Scores

CVSS v3 8.6
EPSS 0.0445
EPSS Percentile 89.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Details

CWE
CWE-918
Status published
Products (1)
eveo/urve_web_manager 27.02.2025
Published Jul 21, 2025
Tracked Since Feb 18, 2026