
CVE-2025-27010: CWE-35 Path Traversal: '.../...//' in bslthemes Tastyc

High
Tags: Vulnerability, CVE-2025-27010, CWE-35
Published: Mon May 19 2025 (05/19/2025, 18:08:53 UTC)
Source: CVE
Vendor/Project: bslthemes
Product: Tastyc

Description

Path Traversal: '.../...//' vulnerability in bslthemes Tastyc allows PHP Local File Inclusion. This issue affects Tastyc: from n/a before 2.5.2.

AI-Powered Analysis

Last updated: 07/11/2025, 16:34:14 UTC

Technical Analysis

CVE-2025-27010 is a high-severity vulnerability classified under CWE-35 (Path Traversal: '.../...//') affecting the bslthemes Tastyc theme in versions before 2.5.2. The flaw is improper validation of a file path that ends up in a PHP include. The '.../...//' sequence is a filter-bypass form of '../': a sanitizer that removes '../' in a single pass (the way a plain string replace does) turns '.../...//' into '../', so the traversal survives the filter (CWE-182, collapse of data into an unsafe value). An attacker who controls that path parameter can therefore walk out of the intended directory and include arbitrary local files in the PHP execution context (Local File Inclusion). That exposes sensitive files such as configuration and credentials and, where the attacker can first place content on the host (uploads, logs, session files), leads to code execution and potentially full system compromise.

The CVSS 3.1 base score of 8.1 corresponds to network attack vector, high attack complexity, no privileges required, no user interaction, and high impact on confidentiality, integrity and availability. The high attack complexity most likely reflects the need to bypass the sanitization with a specific encoding and to find a usable include target; that is an inference, not a statement in the advisory. No exploitation in the wild has been reported, and this record carries no patch or advisory link. Note, however, that the affected range "before 2.5.2" means 2.5.2 is the first unaffected version, so updating to 2.5.2 or later is the fix. The issue is publicly disclosed and should be treated with urgency given the potential impact.

Potential Impact

For European organizations running the bslthemes Tastyc theme, this vulnerability poses a significant risk. Remote local file inclusion gives an unauthenticated attacker read access to configuration files, credentials and other sensitive data on the web server, and can be chained into privilege escalation, webshell deployment and lateral movement. Tastyc is a theme product, most likely for WordPress given that Patchstack is the assigner, so organizations in sectors such as e-commerce, media and public services that use it for their public sites could be targeted to disrupt services or steal data. The high severity and remote exploitability without authentication make automated scanning and exploitation attempts likely. Where the update to 2.5.2 cannot be applied immediately, organizations must rely on compensating controls to protect their infrastructure. The impact on confidentiality, integrity and availability can be critical, potentially leading to data breaches, service outages and reputational damage.

Mitigation Recommendations

The affected range indicates that Tastyc 2.5.2 is the first unaffected version, so the primary action is an upgrade; the remaining items are compensating controls for the window until every instance is updated. European organizations should:

1) Audit all web properties for the Tastyc theme, record the installed version, and update every instance to 2.5.2 or later; isolate instances that cannot be updated promptly.
2) Add WAF rules that match on the decoded and normalized request (recursive percent-decoding, backslash folded to slash) for '../' rather than on the literal string '.../...//': the CWE-34 form '..../' and percent-encoded variants collapse to the same traversal and would otherwise pass.
3) Tighten PHP configuration: open_basedir limits the directories include() can reach and is the control that actually constrains local file inclusion; keep allow_url_include=Off (the default), noting that it prevents remote inclusion but does nothing against local inclusion.
4) Validate file path parameters with an allowlist of permitted template names, or canonicalize the path (realpath) and verify it stays under the intended directory. Do not rely on stripping '../' from input; that is exactly the sanitization this CWE defeats.
5) Monitor web server logs for traversal indicators in decoded request parameters, and treat 2xx responses to such requests as probable successful reads that need investigation.
6) After updating, verify that each site reports version 2.5.2 or later and that no copy of the old theme directory remains reachable on the web root.
7) Consider temporary removal or replacement of the Tastyc theme where an update is not feasible within an acceptable window.
8) Brief development and security teams on the filter-bypass mechanism so that similar stripping-based sanitizers elsewhere in the code base are reviewed.
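The following is an added example, not part of the advisory or of any vendor tooling, illustrating items 2 and 5 above: scanning web-server access logs for traversal attempts after decoding and normalizing the request target, so that '.../...//', '..../', single- and double-percent-encoded forms and backslash variants are all caught by one check. The log lines are constructed for this example and the `template` parameter name is an assumption, not a known Tastyc parameter.

```python
"""
Added example (not from the advisory, bslthemes or Patchstack): detect path
traversal attempts in access logs after decoding/normalizing the request.
Log lines and the 'template' parameter are constructed assumptions.
"""
import re
from urllib.parse import unquote

# Constructed sample lines in Apache combined-log style (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [19/May/2025:18:10:01 +0000] "GET /?template=menu.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [19/May/2025:18:10:02 +0000] "GET /?template=.../...//.../...//.../...//etc/passwd HTTP/1.1" 200 2048 "-" "curl/8.0"
203.0.113.9 - - [19/May/2025:18:10:03 +0000] "GET /?template=%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 200 3000 "-" "python-requests/2.31"
198.51.100.2 - - [19/May/2025:18:10:04 +0000] "GET /?template=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
198.51.100.7 - - [19/May/2025:18:10:05 +0000] "GET /?template=....//....//etc/passwd HTTP/1.1" 404 100 "-" "Mozilla/5.0"
198.51.100.8 - - [19/May/2025:18:10:06 +0000] "GET /about/ HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

# Source IP, request target and status code from a combined-log line.
REQUEST_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})'
)

# After normalization every traversal variant contains a literal '../',
# including the CWE-35 '.../...//' and CWE-34 '..../' bypass forms.
TRAVERSAL_RE = re.compile(r"\.\./")


def normalize(target: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing (bounded, so double
    encoding such as %252e is unwrapped), fold backslashes to slashes and
    lower-case the result."""
    s = target
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s.replace("\\", "/").lower()


def flag_traversal(log_text: str) -> list:
    """Return one dict per request whose normalized target contains '../'.
    The status code is kept so that 2xx hits can be prioritised: a 200 to a
    traversal request is a probable successful read."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        src_ip, target, status = m.groups()
        norm = normalize(target)
        if TRAVERSAL_RE.search(norm):
            hits.append({"ip": src_ip, "status": int(status),
                         "target": target, "normalized": norm})
    return hits


if __name__ == "__main__":
    for hit in flag_traversal(SAMPLE_LOG):
        print(f"{hit['ip']} {hit['status']} {hit['normalized']}")
```

Matching on the normalized form is the reason the rule stays short: the bypass sequences in CWE-34 and CWE-35 exist to defeat removal filters, but they still contain '../' as a substring once decoded, so detection does not need a list of every dotted variant.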


Technical Details

Data Version: 5.1
Assigner Short Name: Patchstack
Date Reserved: 2025-02-17T11:52:15.089Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682cd0f81484d88663aeb4aa

Added to database: 5/20/2025, 6:59:04 PM

Last enriched: 7/11/2025, 4:34:14 PM

Last updated: 7/31/2025, 6:26:44 PM
