CVE-2025-32155 identifies a Local File Inclusion (LFI) vulnerability in the Beds24 Online Booking system developed by markkinchin. The root cause is improper control over the filename parameter used in PHP include or require statements, which allows an attacker to manipulate the input to include arbitrary files from the server. This vulnerability affects all versions up to and including 2.0.28. LFI vulnerabilities can be exploited to read sensitive files such as configuration files, password files, or application source code, and in some cases, combined with other vulnerabilities, can lead to remote code execution. The vulnerability arises because the application fails to properly validate or sanitize user-supplied input that determines which files are included. Although no public exploits have been reported, the flaw is critical in nature due to the potential for severe impact. The vulnerability does not have a CVSS score assigned yet. The vulnerability was published on April 4, 2025, and is tracked by Patchstack. The Beds24 Online Booking system is used primarily in the hospitality and tourism industry for managing reservations and bookings, making the confidentiality and availability of the system critical for business operations.

If exploited, this vulnerability could allow attackers to read arbitrary files on the server, potentially exposing sensitive information such as database credentials, configuration files, or user data. In some scenarios, attackers might escalate this to remote code execution by including malicious files or leveraging other vulnerabilities, leading to full system compromise. This could result in data breaches, service disruption, reputational damage, and financial losses for organizations relying on the Beds24 Online Booking system. Given the nature of the software, hospitality and travel businesses could face operational downtime, loss of customer trust, and regulatory penalties if customer data is exposed. The lack of public exploits currently reduces immediate risk, but the vulnerability remains a significant threat if weaponized. The scope includes all organizations using affected versions of Beds24 Online Booking worldwide.

1. Upgrade to the latest version of Beds24 Online Booking once a patch addressing this vulnerability is released by the vendor. 2. In the absence of an official patch, implement strict input validation and sanitization on all parameters used in include/require statements to restrict file paths to safe, predefined directories. 3. Employ web application firewalls (WAFs) with rules designed to detect and block attempts to exploit LFI vulnerabilities, such as suspicious file path traversal patterns. 4. Restrict file permissions on the server to minimize the files accessible by the web application, preventing unauthorized file reads. 5. Conduct regular code reviews and security testing focused on input handling in PHP applications. 6. Monitor logs for unusual access patterns or errors related to file inclusion. 7. Isolate the booking system in a segmented network environment to limit lateral movement in case of compromise. 8. Educate developers and administrators about secure coding practices related to file inclusion.