
CVE-2023-25995: CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in choicehomemortgage AI Mortgage Calculator

High
Vulnerability | CVE-2023-25995 | CWE-98
Published: Fri Jun 06 2025 (06/06/2025, 12:54:44 UTC)
Source: CVE Database V5
Vendor/Project: choicehomemortgage
Product: AI Mortgage Calculator

Description

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in choicehomemortgage AI Mortgage Calculator allows PHP Local File Inclusion. This issue affects AI Mortgage Calculator: from n/a through 1.0.1.

AI-Powered Analysis

Last updated: 07/07/2025, 19:57:43 UTC

Technical Analysis

CVE-2023-25995 is a high-severity vulnerability classified under CWE-98, improper control of the filename used in an include or require statement in a PHP program. It affects the AI Mortgage Calculator product developed by choicehomemortgage, up to version 1.0.1. The flaw allows PHP Local File Inclusion (LFI): an attacker can manipulate the filename parameter passed to PHP's include or require functions so that the application loads unintended files from the local server. This can lead to arbitrary code execution, disclosure of sensitive information, or complete system compromise. The root cause is that the application does not properly validate or sanitize the user-supplied input that determines which file is included. The CVSS vector indicates that exploitation requires network access (AV:N), high attack complexity (AC:H), and low privileges (PR:L) without user interaction (UI:N); successful exploitation has high impact on confidentiality, integrity, and availability (C:H/I:H/A:H). No public exploits have been reported, and no patches are currently available. The vulnerability was reserved in February 2023 and published in June 2025. Because the affected product is a web-hosted mortgage calculator tool, this vulnerability could be used to compromise the web servers hosting it, potentially exposing sensitive financial data or giving attackers a foothold from which to pivot within the victim network.

Potential Impact

For European organizations, especially financial institutions, mortgage brokers, and real estate companies using the choicehomemortgage AI Mortgage Calculator, this vulnerability poses a significant risk. Exploitation could lead to unauthorized access to sensitive customer data, including personal and financial information, which is subject to strict data protection regulations such as GDPR. A successful attack could result in data breaches, financial fraud, reputational damage, and regulatory penalties. Additionally, attackers could use the vulnerability to execute arbitrary code on affected servers, potentially disrupting services or using the compromised systems as a foothold for further attacks within the organization’s network. Given the high confidentiality, integrity, and availability impacts, organizations relying on this software must consider the risk of operational disruption and loss of customer trust.

Mitigation Recommendations

Since no official patches are currently available, European organizations should implement immediate compensating controls. These include:

1) Restricting access to the AI Mortgage Calculator application to trusted internal networks or VPNs to reduce exposure to external attackers.
2) Implementing Web Application Firewalls (WAFs) with rules designed to detect and block attempts to exploit file inclusion vulnerabilities, such as suspicious URL parameters or directory traversal patterns.
3) Conducting thorough input validation and sanitization on all user-supplied parameters, especially those used in include/require statements, to prevent malicious file path injection.
4) Monitoring application logs for unusual file access patterns or errors indicative of attempted exploitation.
5) Isolating the application in a hardened environment with minimal privileges to limit the impact of potential compromise.
6) Planning for an urgent update or patch deployment once the vendor releases a fix.
7) Educating developers and administrators about secure coding practices related to file inclusion and PHP application security.
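As an added illustration of recommendation 3 (not code from the choicehomemortgage product, whose source is not shown here), the following PHP contrasts the CWE-98 pattern with an allowlist-based replacement. The parameter name `page`, the `templates` directory and the template names are assumptions chosen for the example.

```php
<?php
// Added example, not the vendor's code. Demonstrates the CWE-98 include pattern
// and a hardened alternative. Parameter name, directory and template names are
// assumptions for illustration only.
declare(strict_types=1);

const TEMPLATE_DIR = __DIR__ . '/templates';

// Fixed map from the user-visible page name to a file the application owns.
// Request input only selects a key; it never becomes part of the path itself.
const TEMPLATES = [
    'calculator' => 'calculator.php',
    'results'    => 'results.php',
    'about'      => 'about.php',
];

// The CWE-98 shape: request data flows straight into the include path, so
// path traversal sequences select files outside TEMPLATE_DIR. Shown only
// for contrast with resolveTemplate() below.
function vulnerableInclude(string $page): void
{
    include TEMPLATE_DIR . '/' . $page;
}

// Hardened: map through the allowlist, then confirm the resolved file still
// lives under TEMPLATE_DIR. Returns the absolute path or null to refuse.
function resolveTemplate(string $page): ?string
{
    if (!array_key_exists($page, TEMPLATES)) {
        return null;                          // unknown page name
    }
    $base = realpath(TEMPLATE_DIR);
    $real = realpath(TEMPLATE_DIR . '/' . TEMPLATES[$page]);
    if ($base === false || $real === false) {
        return null;                          // directory or file missing
    }
    // Defence in depth: even an allowlisted entry must resolve inside $base.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

$page = (string)($_GET['page'] ?? 'calculator');
$path = resolveTemplate($page);
if ($path === null) {
    http_response_code(400);
    exit('Unknown page');
}
include $path;
```

Logging the rejected `$page` values at the `return null` branches also gives the log signal that recommendation 4 asks operators to monitor.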


Technical Details

Data Version: 5.1
Assigner Short Name: Patchstack
Date Reserved: 2023-02-17T13:47:16.260Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6842f14871f4d251b5c95e81

Added to database: 6/6/2025, 1:46:48 PM

Last enriched: 7/7/2025, 7:57:43 PM

Last updated: 8/18/2025, 11:29:58 PM
