CVE-2025-32595 is a high-severity vulnerability classified under CWE-98, which pertains to improper control of filenames used in include or require statements within PHP programs. Specifically, this vulnerability affects the gavias Krowd product, versions up to and including 1.4.1. The flaw allows for PHP Local File Inclusion (LFI), where an attacker can manipulate the filename parameter in an include or require statement to execute arbitrary local files on the server. This can lead to unauthorized disclosure of sensitive files, code execution, and potentially full system compromise. The vulnerability is remotely exploitable over the network without requiring authentication or user interaction, though it has a high attack complexity, indicating some conditions must be met for successful exploitation. The CVSS v3.1 base score of 8.1 reflects the critical impact on confidentiality, integrity, and availability, as successful exploitation can lead to complete system control. No known exploits are currently reported in the wild, and no patches have been published yet. The vulnerability was reserved in April 2025 and published in June 2025, indicating recent discovery and disclosure. The root cause is insufficient validation or sanitization of user-supplied input used in PHP include/require statements, allowing attackers to traverse directories or specify unintended files. This type of vulnerability is particularly dangerous in PHP applications because it can lead to remote code execution if combined with other weaknesses or misconfigurations.

For European organizations using the gavias Krowd platform, this vulnerability poses a significant risk. Exploitation could lead to unauthorized access to sensitive data, including customer information, internal documents, or credentials stored on the server. The integrity of the application and underlying systems could be compromised, enabling attackers to modify or inject malicious code, disrupt services, or establish persistent backdoors. Availability could also be affected if attackers delete or corrupt critical files. Given the remote exploitability without authentication, attackers can target vulnerable installations en masse, potentially leading to widespread breaches. Organizations in sectors with strict data protection regulations, such as finance, healthcare, and government, face heightened legal and reputational risks. Furthermore, the lack of available patches means organizations must rely on immediate mitigation strategies to prevent exploitation. The high attack complexity may limit opportunistic attacks but does not eliminate the threat, especially from skilled adversaries.

1. Immediate mitigation should include restricting access to the vulnerable PHP scripts via network controls such as web application firewalls (WAFs) configured to detect and block suspicious include/require patterns or directory traversal attempts. 2. Employ input validation and sanitization at the application level to ensure that any filename parameters used in include/require statements are strictly controlled, allowing only predefined safe values or using whitelisting techniques. 3. Disable remote file inclusion and limit PHP's include_path configuration to trusted directories only. 4. Monitor logs for unusual access patterns or errors related to file inclusion attempts. 5. If possible, isolate the affected application in a segmented network zone to reduce potential lateral movement. 6. Engage with the vendor (gavias) for updates or patches and apply them promptly once available. 7. Conduct a thorough code review of the application to identify and remediate similar insecure coding practices. 8. Educate developers about secure coding standards related to file inclusion and input handling to prevent recurrence.