CVE-2025-36846
📋 TL;DR
This vulnerability allows unauthenticated attackers to execute arbitrary operating system commands on servers running Eveo URVE Web Manager 27.02.2025. The application exposes a vulnerable endpoint that passes user input directly to PHP's shell_exec() function without proper sanitization. This affects all deployments of the vulnerable version.
💻 Affected Systems
- Eveo URVE Web Manager
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to install malware, exfiltrate sensitive data, pivot to internal networks, or deploy ransomware across the entire infrastructure.
Likely Case
Attackers gain remote code execution to steal credentials, deploy backdoors, or use the system as a foothold for lateral movement within the network.
If Mitigated
If properly segmented and monitored, impact could be limited to the specific application server with potential data loss from that system.
🎯 Exploit Status
Exploitation requires only HTTP requests to the vulnerable endpoint with command injection payloads. Public proof-of-concept available in advisory.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: https://smartoffice.expert/en/
Restart Required: No
Instructions:
1. Check the vendor website for security updates.
2. Apply any available patches.
3. Verify that the /_internal/pc/vpro.php endpoint is no longer accessible or is properly secured.
🔧 Temporary Workarounds
Block Vulnerable Endpoint
Use web server configuration to block access to the vulnerable endpoint (all platforms)
# Apache (mod_rewrite must be enabled in the server or virtual host context): RewriteEngine On
# Apache: RewriteRule ^/_internal/pc/vpro\.php$ - [F,L]
# Nginx: location ~ ^/_internal/pc/vpro\.php$ { return 403; }
Network Access Control
Restrict access to the application to trusted IP addresses only (Linux)
# iptables example (rules are evaluated in order, so the ACCEPT must precede the DROP; repeat for port 443 if HTTPS is served):
# iptables -A INPUT -p tcp --dport 80 -s 192.168.1.0/24 -j ACCEPT
# iptables -A INPUT -p tcp --dport 80 -j DROP
🧯 If You Can't Patch
- Immediately isolate affected systems from internet and critical internal networks
- Implement strict network segmentation and monitor all traffic to/from affected systems
🔍 How to Verify
Check if Vulnerable:
Send an HTTP GET request to http://target/_internal/pc/vpro.php?param=test and check for a response indicating command execution capability
Check Version:
Check the application version in the web interface or configuration files
Verify Fix Applied:
Attempt to access the vulnerable endpoint and verify that it returns 403/404 or that proper authentication is required
📡 Detection & Monitoring
Log Indicators:
- Unusual POST/GET requests to /_internal/pc/vpro.php
- Commands like whoami, id, ls, cat, wget, curl in URL parameters
- Multiple failed authentication attempts followed by successful access to internal endpoints
Network Indicators:
- HTTP requests containing shell metacharacters (;, |, &, $, `) in parameters
- Outbound connections from web server to unusual external IPs
- Traffic patterns suggesting reverse shell establishment
SIEM Query:
source="web_logs" AND (uri="/_internal/pc/vpro.php" OR (uri CONTAINS "vpro.php" AND (param CONTAINS ";" OR param CONTAINS "|" OR param CONTAINS "$" OR param CONTAINS "`")))
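The log indicators and SIEM query above can be applied directly to web server access logs. The following script is an added example for this advisory (not code from Eveo or from the advisory author): it parses Apache/Nginx "combined"-format log lines, scopes matching to the vulnerable endpoint the way the SIEM query does, and reports requests carrying shell metacharacters or the command names listed above in URL parameters. The sample log lines, IP addresses and timestamps are constructed for the example; the hypothetical `param` name is taken from the verification URL on this page.

```python
"""Flag access-log lines matching the detection indicators for CVE-2025-36846.

Added example for this advisory, not code from Eveo or the advisory author.
Assumes Apache/Nginx "combined" log format; the sample lines are constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit

VULNERABLE_PATH = "/_internal/pc/vpro.php"
SHELL_METACHARS = set(";|&$`")                          # from the Network Indicators list
COMMAND_NAMES = {"whoami", "id", "ls", "cat", "wget", "curl"}  # from the Log Indicators list

# Combined log format: ip ident user [ts] "METHOD target HTTP/x" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample traffic (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2025:10:01:22 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2025:10:01:30 +0000] "GET /_internal/pc/vpro.php?param=test HTTP/1.1" 200 87 "-" "curl/8.4.0"
198.51.100.9 - - [12/Mar/2025:10:02:01 +0000] "GET /_internal/pc/vpro.php?param=abc%3Bid HTTP/1.1" 200 120 "-" "python-requests/2.31"
198.51.100.9 - - [12/Mar/2025:10:02:05 +0000] "POST /_internal/pc/vpro.php HTTP/1.1" 200 64 "-" "python-requests/2.31"
192.0.2.44 - - [12/Mar/2025:10:03:10 +0000] "GET /search.php?q=cat+photos HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Split one combined-format line into fields, or return None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parts.query
    return rec


def analyze_request(method, path, query):
    """Return the indicator reasons a request matches (empty list means no match).

    Matching is scoped to vpro.php, like the advisory's SIEM query, so ordinary
    requests elsewhere on the site (e.g. a search for "cat photos") do not alert.
    """
    if not path.endswith("vpro.php"):
        return []
    reasons = [f"{method} request to vulnerable endpoint {path}"]
    if method == "POST" and not query:
        reasons.append("POST body is not in the access log; inspect at the proxy/WAF")
    # parse_qs percent-decodes values, so an encoded ';' (%3B) is still caught.
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            for ch in sorted(SHELL_METACHARS & set(value)):
                reasons.append(f"shell metacharacter '{ch}' in parameter '{name}'")
            for word in re.findall(r"[A-Za-z_]+", value):
                if word.lower() in COMMAND_NAMES:
                    reasons.append(f"command name '{word}' in parameter '{name}'")
    return reasons


def scan_log(text):
    """Run the indicator checks over every line of an access log; return findings."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = analyze_request(rec["method"], rec["path"], rec["query"])
        if reasons:
            findings.append({"ip": rec["ip"], "ts": rec["ts"], "method": rec["method"],
                             "path": rec["path"], "status": rec["status"],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['method']} {f['path']} -> " + "; ".join(f["reasons"]))
```

Run it against a real log with `scan_log(open(path).read())`. Every hit on the endpoint is reported, since any traffic to vpro.php is itself an indicator on this page, and the additional reasons distinguish a plain probe from a request that carries injection characters. A POST is reported with a note that the access log does not contain the body, so parameter inspection for those requests has to happen at the reverse proxy or WAF.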