Low

SSRF in Apryse WebViewer server-side iFrame rendering

IdentifiersCVE-2025-70400CWE-918

CVE-2025-70400 is described as a high-severity server-side request forgery (SSRF) vulnerability in Apryse WebViewer’s server-side iFrame rendering component. The issue allows attacker-controlled content/URLs to be fetched and rendered by the server-side rendering functionality, indicating insufficient validation of untrusted, remotely supplied rendering inputs crossing a trust boundary between the client-controlled configuration/content and the server-side renderer.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows an attacker to induce the WebViewer server-side rendering service to make outbound requests to attacker-chosen targets. This can expose internal network reachability and enable access to internal-only resources and metadata (e.g., cloud instance metadata services), potentially facilitating further compromise depending on what internal endpoints are reachable and how responses are handled/rendered.

Mitigation

If you can’t patch tonight, do this now.

Until patched, restrict the server-side rendering component’s egress (network-level allowlist) to only required destinations; block access to RFC1918/ULA ranges and cloud metadata IPs (e.g., 169.254.169.254) from the rendering service; and isolate the rendering service in a segmented network with minimal privileges to reduce SSRF blast radius.

Remediation

Patch, then assume compromise.

Apply Apryse-provided patches/updates that address CVE-2025-70400 in the server-side iFrame rendering component. Ensure the server-side renderer enforces strict allowlisting/denylisting and URL validation for any remotely supplied resources it fetches as part of rendering, per vendor guidance.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

ACTIVITY FEED

Recent activity

2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

2 SOURCESView more in app

hackreadNews

Feb 23, 2026

Multiple Zero-Day Flaws in PDF Platforms Enable XSS and One-Click Attacks

A flaw in Apryse WebViewer where remote configuration files are improperly trusted, enabling malicious code execution via a crafted link (one-click style attack).

cyber security newsNews

Feb 18, 2026

16 Zero-Day Vulnerabilities in Popular PDF Platforms Enable Code Execution and Data Exfiltration

A high-severity server-side request forgery in Apryse WebViewer’s server-side iFrame rendering component that can be abused to make the server fetch/render attacker-controlled content, potentially exposing internal network resources and metadata.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity