CVE-2025-27445 is a path traversal vulnerability identified in the RSFirewall component versions 2.9.7 through 3.1.5 for the Joomla content management system. This vulnerability arises due to insufficient sanitization of user-supplied input in file path parameters, specifically allowing directory traversal sequences such as "../". Exploiting this flaw, an authenticated user can read arbitrary files outside the Joomla root directory, potentially exposing sensitive configuration files, credentials, or other critical data stored on the server. The vulnerability is classified under CWE-35 (Path Traversal), which typically involves improper validation of file paths, enabling attackers to access files and directories that should be restricted. The CVSS v3.1 base score is 5.4 (medium severity), with the vector indicating network attack vector (AV:N), low attack complexity (AC:L), requiring privileges (PR:L), no user interaction (UI:N), unchanged scope (S:U), and impacts on confidentiality and integrity (C:L/I:L) but no impact on availability (A:N). No known exploits are currently reported in the wild. The flaw affects a widely used Joomla security extension, RSFirewall, which is designed to protect Joomla sites from various attacks. Since the vulnerability requires authentication, exploitation is limited to users with some level of access, but given the popularity of Joomla and RSFirewall, this poses a significant risk if attackers can compromise or register accounts with sufficient privileges. The lack of patch links suggests that a fix may not yet be publicly available, increasing the urgency for administrators to monitor updates and apply patches when released.

For European organizations using Joomla with the RSFirewall component, this vulnerability could lead to unauthorized disclosure of sensitive files such as configuration files, database credentials, or private keys, potentially facilitating further attacks like privilege escalation or data breaches. Since Joomla is popular among small to medium enterprises, government portals, and non-profits across Europe, the exposure could affect a broad range of sectors including public administration, education, and e-commerce. The requirement for authentication limits the attack surface but does not eliminate risk, especially if user accounts are compromised through phishing or weak credentials. The ability to read arbitrary files undermines confidentiality and integrity, potentially leading to data leakage and manipulation. This could result in regulatory non-compliance under GDPR if personal data is exposed, leading to legal and financial repercussions. Additionally, attackers could leverage the information gained to conduct more sophisticated attacks, increasing the overall threat to organizational security posture.

European organizations should immediately audit their Joomla installations to identify if RSFirewall versions 2.9.7 through 3.1.5 are in use. Until an official patch is released, administrators should restrict access to authenticated users by enforcing strong authentication mechanisms such as multi-factor authentication (MFA) to reduce the risk of account compromise. Implement strict user role management to limit the number of users with privileges sufficient to exploit this vulnerability. Employ web application firewalls (WAFs) with custom rules to detect and block directory traversal patterns in HTTP requests targeting RSFirewall endpoints. Regularly monitor logs for suspicious file access attempts or unusual user behavior. Organizations should subscribe to vendor advisories and Joomla security bulletins to apply patches promptly once available. Additionally, consider isolating Joomla instances in segmented network zones to limit lateral movement if an attacker gains access. Conduct security awareness training focused on credential security to prevent account takeover. Finally, perform regular backups and ensure they are securely stored to mitigate potential data loss from exploitation.