OS Command Injection in Eveo URVE Web Manager
CVE-2025-36846

9.8CRITICAL

Key Information:

Vendor: Eveo
Status: URVE Web Manager
Vendor: CVE Published:; 21 July 2025

What is CVE-2025-36846?

The Eveo URVE Web Manager application features a critical vulnerability due to an exposed localhost endpoint (/internal/pc/vpro.php) that allows unauthenticated users to perform OS command injections. This vulnerability arises from the improper handling of input parameters, which are directly passed to the shell_exec() function in PHP. Attackers could exploit this weakness to execute arbitrary commands on the server, potentially leading to unauthorized access and control over the affected system. It is essential for users of URVE Web Manager to apply necessary security measures and updates to prevent exploitation of this vulnerability.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

References

https://smartoffice.expert/en/

https://www.syss.de/fileadmin/dokumente/Publikationen/Adv...

EPSS Score

60% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jul 21, 2025
Vulnerability Reserved
Apr 15, 2025

JSON

Eveo

What is CVE-2025-36846?

Human OS v1.0: Ageing Is an Unpatched Zero-Day Vulnerability.

References

EPSS Score

CVSS V3.1

Timeline

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.