CVE-2025-36845
HIGH NUCLEI
Eveo URVE Web Manager 27.02.2025 - Server-Side Request Forgery via /_internal/redirect.php
Title source: llm
Exploitation Summary
CVE-2025-36845 has a Nuclei detection template available — see the Nuclei card below for the Shodan/FOFA recon queries.
Description
An issue was discovered in Eveo URVE Web Manager 27.02.2025. The endpoint /_internal/redirect.php allows for Server-Side Request Forgery (SSRF). The endpoint takes a URL as input, sends a request to this address, and reflects the content in the response. This can be used to request endpoints only reachable by the application server.
Nuclei Templates (1)
Eveo URVE Web Manager - Server-Side Request Forgery
HIGH VERIFIED by DhiyaneshDk
Shodan: html:"URVE Web Manager"
References (2)
Core References
Product: https://smartoffice.expert/en
Exploit, Third Party Advisory: https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2025-035.txt
Scores
CVSS v3: 8.6
EPSS: 0.0580
EPSS Percentile: 90.8%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation: poc
Automatable: yes
Technical Impact: partial
Details
CWE: CWE-918
Status: published
Products (1): eveo/urve_web_manager 27.02.2025
Published: Jul 21, 2025
Tracked Since: Feb 18, 2026