Eveo URVE Web Manager
cpe:2.3:a:eveo:urve_web_manager:*:*:*:*:*:*:*
- 27.02.2025
A command injection vulnerability has been identified in Eveo URVE Web Manager version 27.02.2025. The issue arises from an endpoint exposed to unauthenticated users, which allows for operating system command injection via the shell_exec() function in PHP. This vulnerability can be exploited by sending crafted requests that include malicious commands, potentially leading to unauthorized execution of commands on the server.
Exploitation of this vulnerability allows for unauthenticated remote code execution on the server where URVE Web Manager is running.
The vulnerability can be reproduced by sending a request to the /_internal/pc/vpro.php endpoint. That endpoint itself only accepts requests from localhost, but the restriction can be bypassed through another exposed endpoint, /_internal/redirect.php, which allows server-side request forgery (SSRF) and can redirect a request to the vulnerable endpoint. Once the request is redirected, vpro.php can be reached and exploited by injecting commands through its input parameters.
Users are advised to update to the latest version of URVE Web Manager and block all endpoints under /_internal/ from external requests.
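As an added example (not part of the advisory or the vendor's code), the script below checks web-server access logs for the three conditions the advisory describes: an external client reaching any /_internal/ endpoint, redirect.php being aimed back at an internal path, and shell metacharacters in vpro.php input. It assumes combined log format; the sample log lines and the `to=` parameter name are constructed.

```python
import re
import ipaddress
from urllib.parse import urlsplit, unquote_plus

# Constructed sample lines in combined log format (assumed); the "to="
# parameter name used for redirect.php is made up for this example.
SAMPLE_LOG = """\
127.0.0.1 - - [01/Mar/2025:10:00:01 +0000] "GET /_internal/pc/vpro.php?x=1 HTTP/1.1" 200 42 "-" "curl/8.0"
203.0.113.7 - - [01/Mar/2025:10:00:05 +0000] "GET /_internal/redirect.php?to=%2F_internal%2Fpc%2Fvpro.php HTTP/1.1" 302 0 "-" "curl/8.0"
203.0.113.7 - - [01/Mar/2025:10:00:06 +0000] "GET /index.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
198.51.100.9 - - [01/Mar/2025:10:01:00 +0000] "GET /_internal/pc/vpro.php?x=1%3Becho+hi HTTP/1.1" 200 55 "-" "curl/8.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
SHELL_META = re.compile(r"[;|&`$\n]")  # characters that split or chain shell commands

def is_loopback(ip):
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False  # unparsable client field is treated as not local

def findings_for(ip, target):
    """Apply the three checks derived from the advisory to one request."""
    parts = urlsplit(target)
    path, query = parts.path, unquote_plus(parts.query)
    out = []
    # The advisory says /_internal/ should never be reachable from outside.
    if path.startswith("/_internal/") and not is_loopback(ip):
        out.append("external client reached /_internal/ endpoint")
    # redirect.php being pointed back at an internal path is the SSRF pivot.
    if path == "/_internal/redirect.php" and "/_internal/" in query:
        out.append("redirect.php aimed at an internal endpoint (SSRF pivot)")
    # Input that reaches shell_exec() in vpro.php must never carry shell syntax.
    if path == "/_internal/pc/vpro.php" and SHELL_META.search(query):
        out.append("shell metacharacters in vpro.php input")
    return out

def scan(log_text):
    """Return (client_ip, path, reason) for every suspicious line in the log."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        for reason in findings_for(m["ip"], m["target"]):
            hits.append((m["ip"], urlsplit(m["target"]).path, reason))
    return hits
```

Running `scan(SAMPLE_LOG)` flags the two external requests (the redirect pivot and the vpro.php request carrying a `;`) and leaves the genuine localhost call and the ordinary page view alone.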