CVE-2025-30582 identifies a path traversal vulnerability in the aytechnet DyaPress ERP/CRM product, specifically affecting versions up to and including 18.0.2.0. The vulnerability arises from improper limitation of pathnames to restricted directories, allowing an attacker to manipulate file path inputs to include arbitrary files on the server. This leads to PHP Local File Inclusion (LFI), where malicious actors can cause the application to load and execute local files that should be inaccessible. Such exploitation can result in disclosure of sensitive configuration files, source code, or even remote code execution if combined with other vulnerabilities or crafted payloads. The flaw is rooted in insufficient input validation and directory access controls within the application’s file handling mechanisms. Although no public exploits have been reported yet, the nature of LFI vulnerabilities makes them attractive targets for attackers seeking to escalate privileges or move laterally within compromised environments. The vulnerability was reserved in March 2025 and published in April 2025, with no CVSS score assigned at the time. The affected product is an ERP/CRM system, which typically manages critical business processes and sensitive data, increasing the potential impact of exploitation.

The exploitation of this path traversal vulnerability can have severe consequences for organizations using DyaPress ERP/CRM. Attackers could gain unauthorized access to sensitive files such as configuration files containing database credentials, user data, or internal application logic. This could lead to data breaches, intellectual property theft, or disruption of business operations. In some cases, attackers might leverage the LFI to execute arbitrary code on the server, resulting in full system compromise. The impact extends to confidentiality, integrity, and availability of critical business data and services. Organizations relying on DyaPress ERP/CRM for managing customer relations, financial data, or supply chains could face operational disruptions, reputational damage, and regulatory penalties. The lack of known exploits currently provides a window for proactive mitigation, but the ease of exploitation typical for path traversal vulnerabilities means the threat is significant once exploit code becomes available.

Organizations should immediately assess their use of DyaPress ERP/CRM and identify affected versions. Since no official patches are currently linked, interim mitigations include implementing strict input validation and sanitization on all user-supplied file path parameters to prevent directory traversal sequences (e.g., ../). Employ web application firewalls (WAFs) with rules targeting path traversal patterns to block malicious requests. Restrict file system permissions so that the web server process has minimal access rights, limiting the impact of any file inclusion attempts. Monitor logs for unusual file access patterns or errors indicative of LFI attempts. Once vendor patches or updates become available, prioritize their deployment. Additionally, conduct security audits and penetration testing focused on file inclusion and path traversal vulnerabilities. Educate development teams on secure coding practices to prevent similar issues in future releases.