CVE-2025-31064 is a high-severity vulnerability classified under CWE-98, which pertains to improper control of filenames used in include or require statements within PHP applications. Specifically, this vulnerability affects the 'Vizeon - Business Consulting' product by Gavias, up to version 1.1.7. The flaw allows for PHP Local File Inclusion (LFI), which means an attacker can manipulate the filename parameter in include or require statements to load unintended files from the local filesystem. This can lead to arbitrary code execution, disclosure of sensitive information, or complete compromise of the affected web application and underlying server. The vulnerability has a CVSS v3.1 base score of 8.1, indicating high severity, with the vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. This means the attack can be performed remotely over the network without requiring privileges or user interaction, but with high attack complexity. The impact on confidentiality, integrity, and availability is high, as successful exploitation can lead to full system compromise. No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability arises from insufficient validation or sanitization of user-controlled input used in PHP include or require statements, enabling attackers to traverse directories or specify arbitrary local files to be included and executed by the PHP interpreter.

For European organizations using the Gavias Vizeon - Business Consulting product, this vulnerability poses a significant risk. Exploitation can lead to unauthorized disclosure of sensitive business data, including client information, internal documents, and credentials. Attackers could execute arbitrary PHP code, potentially gaining full control over the web server and pivoting into internal networks. This could disrupt business operations, cause data breaches subject to GDPR penalties, and damage organizational reputation. Given the high severity and remote exploitability without authentication, attackers can target vulnerable installations at scale. The lack of known public exploits currently provides a small window for mitigation before active exploitation emerges. Organizations in sectors such as consulting, finance, and professional services that rely on this product are particularly at risk. Additionally, the potential for lateral movement and persistence within networks increases the threat to overall enterprise security.

European organizations should immediately audit their use of the Gavias Vizeon - Business Consulting product to identify affected versions (up to 1.1.7). Until an official patch is released, organizations should implement the following mitigations: 1) Restrict web server permissions to limit PHP process access to only necessary directories, preventing inclusion of sensitive files. 2) Employ Web Application Firewalls (WAFs) with rules to detect and block suspicious include/require parameter manipulations, such as directory traversal patterns. 3) Disable PHP functions that facilitate file inclusion if not required, such as 'allow_url_include' and 'allow_url_fopen'. 4) Conduct code reviews and apply input validation or sanitization on parameters used in include/require statements to enforce strict whitelisting of allowed files. 5) Monitor web server logs for anomalous requests targeting include parameters or unusual file access patterns. 6) Prepare to deploy patches promptly once available from Gavias. 7) Isolate vulnerable systems from critical internal networks to limit lateral movement in case of compromise. These targeted actions go beyond generic advice and focus on immediate risk reduction and detection.