A critical vulnerability has been identified in Eveo URVE Web Manager, assigned CVE-2025-36846 with a CVSS score of 9.8. This flaw allows an unauthenticated attacker to execute arbitrary commands on the underlying server, potentially leading to a complete system compromise. Successful exploitation could result in data theft, service disruption, or the deployment of ransomware, posing a severe risk to the organization.

The Eveo URVE Web Manager application exposes an internal endpoint, /_internal/pc/vpro.php, without requiring authentication. This endpoint is vulnerable to OS Command Injection, allowing an attacker to inject and execute arbitrary commands with the privileges of the web server's user account. Although the endpoint is intended for localhost access, misconfigurations or chaining this vulnerability with a Server-Side Request Forgery (SSRF) flaw could allow for remote exploitation. An attacker would craft a malicious request to this endpoint containing operating system commands, which the application would then execute on the server.

This vulnerability is rated as critical severity with a CVSS score of 9.8. A successful exploit would grant an attacker full control over the affected server, fundamentally compromising its confidentiality, integrity, and availability. Potential consequences include unauthorized access to and exfiltration of sensitive data, deployment of malware such as ransomware or crypto-miners, complete disruption of services managed by the application, and using the compromised server as a pivot point to launch further attacks against the internal network. The financial and reputational damage from such an incident could be substantial.

Immediate Action: Immediately apply the security updates provided by Eveo to patch Eveo URVE Web Manager to the latest version, as this is the primary method to resolve the vulnerability. After patching, monitor for any signs of post-exploitation activity and thoroughly review web server and application access logs for any suspicious requests targeting the /_internal/pc/vpro.php endpoint prior to the patch.

Proactive Monitoring: Implement continuous monitoring of web server logs for any access attempts to the /_internal/pc/vpro.php URI. Monitor systems for anomalous behavior, such as unexpected outbound network connections, new processes being spawned by the web server user (e.g., sh, bash, powershell), or unusual CPU and memory utilization that could indicate a successful compromise.

Compensating Controls: If immediate patching is not feasible, implement the following controls to mitigate risk:

• Use a Web Application Firewall (WAF) or reverse proxy to create a rule that explicitly denies all access to the /_internal/pc/vpro.php path.
• Strictly enforce network segmentation and firewall rules to ensure the server hosting the application cannot be reached from untrusted networks.
• Ensure no other vulnerabilities, such as SSRF, exist on the server that could be used by an attacker to make internal requests to the vulnerable localhost endpoint.

Public Exploit Available: false

Given the critical severity (CVSS 9.8) of this vulnerability, we recommend treating its remediation as the highest priority. Organizations must immediately apply the vendor-supplied patches to all affected systems. Although this CVE is not currently listed on the CISA KEV list, its critical nature warrants an emergency-level response. If patching is delayed for any reason, the compensating controls outlined above must be implemented without delay to reduce the attack surface.