
CVE-2025-0632: CWE-98 Improper Control of Filename for Include in Formulatrix Rock Maker Web

Severity: Critical
Tags: CVE-2025-0632, CWE-98, CWE-22
Published: Mon Apr 21 2025 (04/21/2025, 05:27:06 UTC)
Source: CVE
Vendor/Project: Formulatrix
Product: Rock Maker Web

Description

Local File Inclusion (LFI) vulnerability in a Render function of Formulatrix Rock Maker Web (RMW) allows a remote attacker to obtain sensitive data via arbitrary code execution. A malicious actor could execute malicious scripts to automatically download configuration files in known locations to exfiltrate data including credentials, and with no rate limiting a malicious actor could enumerate the filesystem of the host machine, potentially leading to full host compromise. This issue affects Rock Maker Web versions 3.2.1.1 and later.

AI-Powered Analysis

Last updated: 06/24/2025, 17:36:23 UTC

Technical Analysis

CVE-2025-0632 is a critical Local File Inclusion (LFI) vulnerability affecting Formulatrix Rock Maker Web (RMW) version 3.2.1.1 and later. It arises from improper control of the filename passed to the Render function and is classified under CWE-98 (Improper Control of Filename for Include) and CWE-22 (Path Traversal). A remote, unauthenticated attacker can include local files on the server and thereby execute arbitrary code, then download sensitive configuration files, including credentials, from known filesystem locations. Because the function is not rate limited, an attacker can also enumerate the entire filesystem, which can escalate to full host compromise. The CVSS 4.0 base score of 9.2 reflects a network attack vector, no required privileges or user interaction, and high impact on confidentiality, integrity, and availability. No exploits are currently reported in the wild, but the vulnerability's characteristics make it a prime target once weaponized. RMW is used primarily in laboratory automation and scientific research environments to control and monitor laboratory instruments remotely via web interfaces. The technical root cause is insufficient sanitization and validation of user-supplied input used in file inclusion operations, allowing path traversal and arbitrary file access on the host system; this can lead to remote code execution, data exfiltration, and potentially full system compromise.

Potential Impact

European organizations using Formulatrix Rock Maker Web, particularly in scientific research, pharmaceutical, and biotechnology sectors, face significant risks. The vulnerability could lead to unauthorized disclosure of sensitive research data, intellectual property, and credentials, undermining confidentiality. Integrity of laboratory automation processes could be compromised, leading to manipulated experimental results or disrupted workflows. Availability may also be affected if attackers execute malicious code that disables or degrades system functionality. Given the criticality of research data and regulatory compliance requirements in Europe (e.g., GDPR for data protection), exploitation could result in severe financial, reputational, and legal consequences. The lack of authentication and user interaction requirements lowers the barrier for attackers, increasing the likelihood of successful exploitation. Additionally, the ability to enumerate the filesystem and potentially gain full host control elevates the threat to critical infrastructure supporting scientific innovation and healthcare research. Organizations relying on RMW for automation and data acquisition are at risk of operational disruption and data breaches.

Mitigation Recommendations

1. Immediate application of vendor patches or updates once available is paramount. Since no patch links are currently provided, organizations should engage with Formulatrix support for interim fixes or workarounds.
2. Implement strict network segmentation and firewall rules to restrict access to the Rock Maker Web interface only to trusted internal networks and authorized personnel.
3. Deploy Web Application Firewalls (WAFs) with custom rules to detect and block path traversal and suspicious file inclusion attempts targeting the Render function.
4. Monitor logs for unusual file access patterns or repeated requests indicative of filesystem enumeration attempts.
5. Employ intrusion detection/prevention systems (IDS/IPS) tuned to detect LFI exploitation techniques.
6. Harden server configurations by disabling unnecessary file inclusion features or restricting file system permissions to limit accessible directories.
7. Conduct regular security assessments and penetration testing focused on web application vulnerabilities, including LFI and path traversal.
8. Educate system administrators and users about the risks and signs of exploitation to enable rapid incident response.
9. Consider deploying application-layer authentication and rate limiting as compensating controls until patches are applied to reduce attack surface.
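As an added example (not from the advisory, the CNA or the vendor), the following Python implements the log monitoring of recommendations 4 and 9: it decodes request URLs, flags path traversal sequences aimed at the Render route, and reports source IPs whose request burst suggests filesystem enumeration. The `/Render` route, the `file` parameter and the log lines are constructed assumptions, since the advisory does not name the exact endpoint.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample access log for illustration. The "/Render" route and the
# "file" parameter are assumptions; the advisory only names a "Render function".
SAMPLE_LOG = """\
203.0.113.7 - - [21/Apr/2025:10:00:01 +0000] "GET /Render?file=report.html HTTP/1.1" 200 512
203.0.113.7 - - [21/Apr/2025:10:00:02 +0000] "GET /Render?file=../../web.config HTTP/1.1" 200 1024
203.0.113.7 - - [21/Apr/2025:10:00:02 +0000] "GET /Render?file=..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 2048
203.0.113.7 - - [21/Apr/2025:10:00:02 +0000] "GET /Render?file=....//....//appsettings.json HTTP/1.1" 404 0
198.51.100.9 - - [21/Apr/2025:10:00:05 +0000] "GET /Render?file=summary.html HTTP/1.1" 200 640
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<url>\S+) [^"]*" (?P<status>\d{3})')
# ".." followed by a slash or backslash, checked after decoding so that
# %2e%2e%2f, double-encoded %252e%252e and the "....//" variant are all caught.
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')


def is_traversal(url: str) -> bool:
    """True if the request hits the Render route with a traversal sequence."""
    decoded = unquote(unquote(url))  # two rounds to defeat double-encoding
    return decoded.lower().startswith("/render") and bool(TRAVERSAL_RE.search(decoded))


def analyze(log_text: str, burst_threshold: int = 3):
    """Return (hits, enumerators): hits are (ip, decoded_url, status) for each
    traversal attempt (a 200 means the file was most likely disclosed);
    enumerators are IPs issuing >= burst_threshold Render requests within one
    second, the enumeration pattern that the missing rate limit permits."""
    hits, per_ip_second = [], defaultdict(int)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the monitor
        ip, ts, url, status = m["ip"], m["ts"], m["url"], m["status"]
        decoded = unquote(unquote(url))
        if decoded.lower().startswith("/render"):
            per_ip_second[(ip, ts)] += 1
        if is_traversal(url):
            hits.append((ip, decoded, status))
    enumerators = sorted({ip for (ip, _), n in per_ip_second.items() if n >= burst_threshold})
    return hits, enumerators
```

A 200 on a flagged request is the highest-priority alert, since it indicates the include succeeded; tune `burst_threshold` to the normal request rate of the instrument consoles on the network.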


Technical Details

Data Version: 5.1
Assigner Short Name: MON-CSIRT
Date Reserved: 2025-01-22T02:10:16.044Z
CISA Enriched: true
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 682d983ec4522896dcbefa61
Added to database: 5/21/2025, 9:09:18 AM
Last enriched: 6/24/2025, 5:36:23 PM
Last updated: 8/6/2025, 10:41:58 AM
