CVE-2025-28990: CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in snstheme SNS Vicky
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in snstheme SNS Vicky allows PHP Local File Inclusion. This issue affects SNS Vicky: from n/a through 3.7.
AI Analysis
Technical Summary
CVE-2025-28990 is a high-severity vulnerability classified under CWE-98, which involves improper control of filenames used in include or require statements within PHP programs. Specifically, this vulnerability affects the SNS Vicky theme developed by snstheme, versions up to 3.7. The flaw allows an attacker to perform a PHP Local File Inclusion (LFI) attack by manipulating the filename parameter that is included or required by the PHP application. This can lead to the inclusion and execution of arbitrary files on the server, potentially exposing sensitive information, executing malicious code, or causing denial of service. The vulnerability is remotely exploitable over the network without requiring authentication or user interaction, but it has a high attack complexity, meaning some conditions must be met for successful exploitation. The CVSS v3.1 base score is 8.1, reflecting high impact on confidentiality, integrity, and availability. Although no known exploits are currently reported in the wild, the vulnerability poses a significant risk due to the nature of PHP file inclusion flaws, which are commonly leveraged for web server compromise and lateral movement within networks. The absence of available patches at the time of publication increases the urgency for mitigation.
Potential Impact
For European organizations using the SNS Vicky theme, particularly those running websites or web applications on PHP platforms, this vulnerability could lead to severe consequences. Successful exploitation could result in unauthorized disclosure of sensitive data, including configuration files, credentials, or customer information, violating GDPR and other data protection regulations. Integrity of web content and backend systems could be compromised, enabling attackers to inject malicious scripts or backdoors, facilitating persistent access or further attacks. Availability could also be impacted if attackers leverage the vulnerability to disrupt services or crash the web server. Given the high connectivity and reliance on web services in European businesses, especially in sectors like e-commerce, finance, and public administration, the threat could cause reputational damage, regulatory penalties, and financial losses. The vulnerability's remote exploitability without authentication increases the risk of automated scanning and exploitation attempts by threat actors targeting European infrastructure.
Mitigation Recommendations
Organizations should immediately audit their web applications to identify any use of the SNS Vicky theme, particularly versions up to 3.7. If detected, they should consider disabling or removing the theme until a vendor patch or update is released. In the absence of official patches, applying virtual patching via Web Application Firewalls (WAFs) to block suspicious requests attempting to manipulate include parameters is recommended. Developers should review and harden PHP code by validating and sanitizing all user inputs used in include or require statements, employing whitelisting of allowed filenames, and avoiding dynamic inclusion of files based on user input. Implementing least privilege principles on the web server file system can limit the impact by restricting accessible files. Monitoring web server logs for unusual access patterns or error messages related to file inclusion attempts can help detect exploitation attempts early. Additionally, organizations should keep abreast of vendor advisories for official patches and apply them promptly once available.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Sweden
CVE-2025-28990: CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in snstheme SNS Vicky
Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in snstheme SNS Vicky allows PHP Local File Inclusion. This issue affects SNS Vicky: from n/a through 3.7.
AI-Powered Analysis
Technical Analysis
CVE-2025-28990 is a high-severity vulnerability classified under CWE-98, which involves improper control of filenames used in include or require statements within PHP programs. Specifically, this vulnerability affects the SNS Vicky theme developed by snstheme, versions up to 3.7. The flaw allows an attacker to perform a PHP Local File Inclusion (LFI) attack by manipulating the filename parameter that is included or required by the PHP application. This can lead to the inclusion and execution of arbitrary files on the server, potentially exposing sensitive information, executing malicious code, or causing denial of service. The vulnerability is remotely exploitable over the network without requiring authentication or user interaction, but it has a high attack complexity, meaning some conditions must be met for successful exploitation. The CVSS v3.1 base score is 8.1, reflecting high impact on confidentiality, integrity, and availability. Although no known exploits are currently reported in the wild, the vulnerability poses a significant risk due to the nature of PHP file inclusion flaws, which are commonly leveraged for web server compromise and lateral movement within networks. The absence of available patches at the time of publication increases the urgency for mitigation.
Potential Impact
For European organizations using the SNS Vicky theme, particularly those running websites or web applications on PHP platforms, this vulnerability could lead to severe consequences. Successful exploitation could result in unauthorized disclosure of sensitive data, including configuration files, credentials, or customer information, violating GDPR and other data protection regulations. Integrity of web content and backend systems could be compromised, enabling attackers to inject malicious scripts or backdoors, facilitating persistent access or further attacks. Availability could also be impacted if attackers leverage the vulnerability to disrupt services or crash the web server. Given the high connectivity and reliance on web services in European businesses, especially in sectors like e-commerce, finance, and public administration, the threat could cause reputational damage, regulatory penalties, and financial losses. The vulnerability's remote exploitability without authentication increases the risk of automated scanning and exploitation attempts by threat actors targeting European infrastructure.
Mitigation Recommendations
Organizations should immediately audit their web applications to identify any use of the SNS Vicky theme, particularly versions up to 3.7. If detected, they should consider disabling or removing the theme until a vendor patch or update is released. In the absence of official patches, applying virtual patching via Web Application Firewalls (WAFs) to block suspicious requests attempting to manipulate include parameters is recommended. Developers should review and harden PHP code by validating and sanitizing all user inputs used in include or require statements, employing whitelisting of allowed filenames, and avoiding dynamic inclusion of files based on user input. Implementing least privilege principles on the web server file system can limit the impact by restricting accessible files. Monitoring web server logs for unusual access patterns or error messages related to file inclusion attempts can help detect exploitation attempts early. Additionally, organizations should keep abreast of vendor advisories for official patches and apply them promptly once available.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Patchstack
- Date Reserved
- 2025-03-11T08:10:44.966Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 685e88edca1063fb875de4a0
Added to database: 6/27/2025, 12:05:01 PM
Last enriched: 6/27/2025, 12:45:56 PM
Last updated: 8/13/2025, 7:57:14 AM
Views: 13
Related Threats
CVE-2025-3495: CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in Delta Electronics COMMGR
CriticalCVE-2025-53948: CWE-415 Double Free in Santesoft Sante PACS Server
HighCVE-2025-52584: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt
HighCVE-2025-46269: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt
HighCVE-2025-54862: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.