CVE-2025-24770: CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in BZOTheme CraftXtore
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in BZOTheme CraftXtore allows PHP Local File Inclusion. This issue affects CraftXtore: from n/a through 1.7.
AI Analysis
Technical Summary
CVE-2025-24770 is a high-severity vulnerability classified under CWE-98, improper control of the filename passed to a PHP include or require statement. It affects BZOTheme CraftXtore in all versions through 1.7. Although the CWE title names remote file inclusion, the advisory text states that the flaw allows PHP Local File Inclusion: a request parameter reaches an include/require call without being validated or restricted to a fixed set of files, so an attacker can make the server include an arbitrary file from the local filesystem. Because PHP executes whatever it includes, this both discloses the contents of non-PHP files (configuration, logs, and, via php:// stream wrappers, the source of PHP files) and turns any file the attacker can influence on disk (an uploaded file, a poisoned log, session data) into arbitrary code execution. Including a remote URL, true RFI, would additionally require allow_url_include to be enabled; that setting is off by default and deprecated since PHP 7.4, so on a default configuration the practical risk is local inclusion. The CVSS 3.1 base score of 8.1 (High) reflects high impact on confidentiality, integrity and availability, with network attack vector, no privileges required and no user interaction, tempered by high attack complexity. Exploitation can lead to full compromise of the web server, data theft, defacement, or use of the server as a pivot point for further attacks. No exploits are currently reported in the wild, but include-based flaws are routinely targeted by automated scanners once a vulnerable version is identifiable. The vulnerability was publicly disclosed on June 9, 2025; no patch links are listed, so users must apply mitigations or await a vendor fix.
Potential Impact
For European organizations running BZOTheme CraftXtore, this vulnerability poses a significant risk. Successful exploitation can disclose server-side files and, where an attacker can place content on disk, lead to unauthenticated remote code execution, resulting in data breaches, service disruption and lateral movement into the corporate network. Given the high confidentiality and integrity impact, customer data, credentials stored in configuration files, intellectual property and internal systems could be compromised. The availability impact means e-commerce or content management sites built on CraftXtore could be taken offline or manipulated, causing operational and reputational damage. GDPR imposes strict security and breach-notification obligations, so exploitation can also bring regulatory penalties and loss of customer trust. Organizations with a large online presence, such as retail, media and government services, are particularly exposed because of their reliance on web applications and their attractiveness to attackers.
Mitigation Recommendations
Immediate mitigation: identify every site running CraftXtore 1.7 or earlier (Patchstack, the assigning CNA, catalogues WordPress plugin and theme vulnerabilities, so the installed version can be read from the Version header of the theme's style.css) and, until a fixed release exists, disable or remove the functionality that selects files to include from request input, or switch to another theme. Where the code is maintained in-house, replace any include/require whose path is derived from user input with an allowlist that maps a request value to a fixed filename, and reject anything not in the list; a canonicalisation check with realpath() that confirms the resolved file lies inside the intended directory adds defence in depth. Confirm that allow_url_include is Off (the default, and deprecated since PHP 7.4) so the flaw cannot escalate to remote inclusion, and consider open_basedir to limit which paths PHP can read. Configure the WAF to block inclusion-style parameters that contain traversal sequences (../, encoded or double-encoded), NUL bytes, stream wrappers such as php://, data:// or expect://, or absolute paths to sensitive files (wp-config.php, /etc/passwd). Review web server access logs for the same patterns in query strings and POST bodies, and for unexpected 200 responses to them, to spot exploitation attempts; file-integrity monitoring on the document root helps detect a dropped web shell. Restricting outbound HTTP/HTTPS from the web server remains worthwhile as a guard against the remote-inclusion case and against second-stage payload downloads. Apply the vendor fix as soon as a version newer than 1.7 is published, and audit all PHP include/require usage in custom code for the same pattern.
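The include pattern described in the technical summary and the allowlist fix recommended here, as an added example in PHP. This is illustrative code written for this page, not CraftXtore's code: the function names, the layout parameter and the allowlist entries are hypothetical, and the sample request values are constructed. The block also carries a small heuristic of the kind a WAF rule or a log review would use to flag inclusion probes.

```php
<?php
declare(strict_types=1);

// Hypothetical CWE-98 pattern (illustration only, not code from CraftXtore):
// a request parameter decides what gets included. Traversal ("../../wp-config.php"),
// stream wrappers ("php://filter/...") and, only if allow_url_include=On, URLs
// are all honoured because nothing constrains the value. Never called below.
function render_layout_unsafe(string $layout): void
{
    include $layout;                       // $layout came straight from $_GET
}

// Fixed allowlist: the request value is a dictionary key, never a path fragment.
const LAYOUT_ALLOWLIST = [
    'grid'    => 'grid.php',
    'list'    => 'list.php',
    'masonry' => 'masonry.php',
];

// Returns the absolute path to include, or null if the request must be rejected.
function resolve_layout(string $requested, string $layoutDir): ?string
{
    // 1. Only known keys are accepted; the attacker never supplies a filename.
    if (!array_key_exists($requested, LAYOUT_ALLOWLIST)) {
        return null;
    }
    // 2. Defence in depth: canonicalise and confirm the file is inside $layoutDir.
    $base = realpath($layoutDir);
    $path = realpath($layoutDir . DIRECTORY_SEPARATOR . LAYOUT_ALLOWLIST[$requested]);
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function render_layout(string $requested, string $layoutDir): void
{
    $path = resolve_layout($requested, $layoutDir);
    if ($path === null) {
        http_response_code(400);
        echo "unknown layout\n";
        return;
    }
    include $path;
}

// Heuristic for WAF rules or access-log review: does an include-style parameter
// carry traversal, a NUL byte, a URL scheme or stream wrapper, or a sensitive file?
function looks_like_inclusion_probe(string $value): bool
{
    $decoded = rawurldecode(rawurldecode($value));   // catch double URL-encoding
    $pattern = '#(\.\./|\.\.\\\\|\x00|^[a-z][a-z0-9+.-]*://|^/etc/|wp-config\.php)#i';
    return preg_match($pattern, $decoded) === 1;
}

// --- demo on constructed inputs (not real traffic) ---------------------------
$layoutDir = sys_get_temp_dir() . '/cwe98_demo_layouts';
if (!is_dir($layoutDir)) {
    mkdir($layoutDir, 0700, true);
}
foreach (LAYOUT_ALLOWLIST as $name => $file) {
    file_put_contents("$layoutDir/$file", "<?php echo \"layout: $name\\n\";\n");
}

$samples = [
    'grid',
    'masonry',
    '../../../../wp-config.php',
    '..%252F..%252Fwp-config.php',
    'php://filter/convert.base64-encode/resource=wp-config.php',
    'http://attacker.example/shell.txt',
];
foreach ($samples as $value) {
    printf("%-60s allowlist=%-8s probe=%s\n",
        $value,
        resolve_layout($value, $layoutDir) === null ? 'rejected' : 'ok',
        looks_like_inclusion_probe($value) ? 'yes' : 'no');
}
render_layout('grid', $layoutDir);                         // prints "layout: grid"
render_layout('../../../../wp-config.php', $layoutDir);    // prints "unknown layout"
```

Run it with `php cwe98_demo.php`. The allowlist is the real control: because the request value is only ever used as a key, no attacker-supplied characters reach the include path, and the realpath() containment check only guards against a mistake in the allowlist itself. The probe heuristic is for detection, not prevention; it normalises two levels of URL encoding but will not catch every encoding trick, so treat it as a signal for log review and WAF tuning rather than as a substitute for the allowlist.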
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Belgium, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Patchstack
- Date Reserved: 2025-01-23T14:53:16.440Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68487f581b0bd07c3938a801
Added to database: 6/10/2025, 6:54:16 PM
Last enriched: 7/11/2025, 1:32:33 AM
Last updated: 1/7/2026, 8:56:06 AM
Related Threats
- CVE-2025-15158: CWE-434 Unrestricted Upload of File with Dangerous Type in eastsidecode WP Enable WebP (High)
- CVE-2025-15018: CWE-639 Authorization Bypass Through User-Controlled Key in djanym Optional Email (Critical)
- CVE-2025-15000: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in tfrommen Page Keys (Medium)
- CVE-2025-14999: CWE-352 Cross-Site Request Forgery (CSRF) in kentothemes Latest Tabs (Medium)
- CVE-2025-13531: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in hayyatapps Stylish Order Form Builder (Medium)