
CVE-2025-32294: CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in gavias Oxpitan

High
Tags: Vulnerability, CVE-2025-32294, CVE, CWE-98
Published: Fri May 23 2025 (05/23/2025, 12:43:57 UTC)
Source: CVE
Vendor/Project: gavias
Product: Oxpitan

Description

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in gavias Oxpitan allows PHP Local File Inclusion. This issue affects Oxpitan: from n/a through 1.3.1.

AI-Powered Analysis

Last updated: 07/08/2025, 23:28:14 UTC

Technical Analysis

CVE-2025-32294 is a high-severity vulnerability classified under CWE-98, which pertains to improper control of filenames used in include or require statements within PHP programs. Specifically, this vulnerability affects the gavias Oxpitan product up to version 1.3.1. The flaw allows an attacker to perform a PHP Local File Inclusion (LFI) attack by manipulating the filename parameter used in include or require statements without proper validation or sanitization. This can lead to the inclusion and execution of arbitrary local files on the server, potentially exposing sensitive information, executing malicious code, or causing denial of service. The CVSS v3.1 base score is 8.1, indicating a high impact on confidentiality, integrity, and availability. The attack vector is network-based (AV:N), requires no privileges (PR:N), and no user interaction (UI:N), but has high attack complexity (AC:H), meaning exploitation requires specific conditions or knowledge. The vulnerability scope is unchanged (S:U), but successful exploitation can lead to full compromise of the affected system. No known exploits in the wild have been reported yet, and no patches have been linked, suggesting that mitigation may require vendor updates or manual code review and hardening. The vulnerability arises from insufficient input validation in PHP include/require statements, a common issue that can be exploited to include unintended files, such as configuration files or logs, or to execute arbitrary PHP code if an attacker can control file contents or paths. Given the nature of the vulnerability, it is critical for affected installations to assess exposure and apply mitigations promptly.

Potential Impact

For European organizations using gavias Oxpitan, this vulnerability poses a significant risk. Exploitation could lead to unauthorized disclosure of sensitive data, including configuration files, credentials, or customer information, violating GDPR and other data protection regulations. Integrity of systems could be compromised by executing arbitrary code, potentially allowing attackers to establish persistent access, pivot within networks, or disrupt services. Availability could also be impacted if attackers cause application crashes or denial of service. Given that the vulnerability requires no authentication or user interaction, remote attackers can exploit it directly over the network, increasing the risk of widespread attacks. Organizations in sectors such as e-commerce, healthcare, finance, or government using Oxpitan are particularly at risk due to the sensitivity of their data and regulatory requirements. The lack of patches or known exploits suggests a window of exposure until fixes are available, emphasizing the need for proactive mitigation.

Mitigation Recommendations

1. Immediate code review and hardening: Audit all include and require statements in the Oxpitan codebase to ensure filenames are strictly validated against a whitelist of allowed files or paths.
2. Disable dynamic inclusion where possible: Replace dynamic include/require calls with static includes or controlled logic to prevent arbitrary file inclusion.
3. Implement input sanitization: Use PHP functions such as basename() and realpath() to sanitize and resolve file paths, preventing directory traversal or injection.
4. Restrict file permissions: Ensure the web server user has minimal permissions, preventing access to sensitive files outside the intended directories.
5. Web application firewall (WAF): Deploy or update WAF rules to detect and block suspicious requests attempting to exploit file inclusion vulnerabilities.
6. Monitor logs: Enable detailed logging and monitor for unusual access patterns or errors related to file inclusion attempts.
7. Vendor engagement: Contact gavias for official patches or updates and apply them promptly once available.
8. Network segmentation: Isolate critical systems running Oxpitan to limit lateral movement in case of compromise.
9. Backup and recovery: Maintain secure backups to restore systems in case of successful exploitation.
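As an added illustration of recommendations 1 to 3 (example code written for this page, not Oxpitan's own), a hypothetical theme template loader is shown in its CWE-98 form and in a hardened form. The request parameter name `tpl`, the template directory layout and the template names are constructed assumptions.

```php
<?php
// Added example, not code from gavias Oxpitan. The 'tpl' parameter and the
// template names below are constructed for illustration.

// CWE-98 pattern: the request value becomes part of the include path with no
// validation, so whatever file name the client supplies decides what runs.
function loadTemplateUnsafe(array $request, string $templateDir): void
{
    $name = $request['tpl'] ?? 'default';
    include $templateDir . '/' . $name . '.php';
}

// Hardened pattern: an allowlist decides which templates exist at all (step 1),
// and realpath() containment is kept as defence in depth (step 3).
const ALLOWED_TEMPLATES = ['default', 'portfolio', 'blog'];

// Returns the resolved path of an allowed template, or null if the name is
// not on the allowlist or the resolved file escapes the template directory.
function resolveTemplate(string $name, string $templateDir): ?string
{
    if (!in_array($name, ALLOWED_TEMPLATES, true)) {
        return null;
    }
    $base = realpath($templateDir);
    $path = realpath($templateDir . '/' . basename($name) . '.php');
    if ($base === false || $path === false) {
        return null; // directory or template file does not exist
    }
    // The resolved file must sit inside the template directory.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function loadTemplateSafe(array $request, string $templateDir): void
{
    $requested = (string)($request['tpl'] ?? 'default');
    $path = resolveTemplate($requested, $templateDir);
    if ($path === null) {
        // Rejected names are logged so the monitoring in step 6 can see them.
        error_log('Rejected template name: ' . $requested);
        http_response_code(400);
        return;
    }
    include $path;
}
```

The allowlist is the control that actually closes the hole; basename() and realpath() on their own only narrow the set of files reachable inside the directory.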


Technical Details

Data Version: 5.1
Assigner Short Name: Patchstack
Date Reserved: 2025-04-04T10:02:46.815Z
CISA Enriched: false
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68306f8e0acd01a249272366

Added to database: 5/23/2025, 12:52:30 PM

Last enriched: 7/8/2025, 11:28:14 PM

Last updated: 7/30/2025, 4:09:30 PM
