CVE-2025-39475 is a high-severity path traversal vulnerability classified under CWE-35 affecting the Frenify Arlo product up to version 6.0.3. This vulnerability allows an attacker to perform PHP Local File Inclusion (LFI) by exploiting improper validation of file path inputs. Path traversal vulnerabilities occur when user-supplied input is not properly sanitized, enabling attackers to manipulate file paths and access files outside the intended directory. In this case, the flaw enables an unauthenticated remote attacker to include arbitrary files on the server through crafted requests, potentially leading to disclosure of sensitive information, code execution, or full system compromise. The CVSS v3.1 base score is 8.1, reflecting a network attack vector with high impact on confidentiality, integrity, and availability, no privileges or user interaction required, but with high attack complexity. Although no known exploits are currently reported in the wild, the vulnerability’s nature and severity suggest it could be leveraged for significant malicious activity if weaponized. The absence of available patches at the time of publication increases the urgency for mitigation. Frenify Arlo is a PHP-based product, and such LFI vulnerabilities are critical because they can allow attackers to read configuration files, source code, or even execute arbitrary PHP code if combined with other weaknesses. This vulnerability requires immediate attention from organizations using Frenify Arlo to prevent potential exploitation.

For European organizations using Frenify Arlo, this vulnerability poses a significant risk. Successful exploitation could lead to unauthorized disclosure of sensitive data, including credentials, configuration files, or personal data protected under GDPR. This could result in regulatory penalties, reputational damage, and operational disruption. The ability to execute arbitrary code or disrupt service availability could also lead to ransomware deployment or denial-of-service conditions, impacting business continuity. Given the high CVSS score and the lack of required authentication, attackers can remotely exploit this vulnerability without prior access, increasing the threat surface. Organizations in sectors such as finance, healthcare, government, and critical infrastructure—where Frenify Arlo might be deployed—are particularly at risk due to the sensitivity of their data and the potential impact of service disruption. Additionally, the vulnerability could be leveraged as a foothold for lateral movement within networks, escalating the overall risk posture of affected entities.

Immediate mitigation steps include restricting external access to the Frenify Arlo application to trusted networks and implementing web application firewalls (WAFs) with rules designed to detect and block path traversal attempts. Organizations should conduct thorough input validation and sanitization on all user-supplied file path parameters within their deployments. Monitoring logs for suspicious file access patterns and anomalous requests can help detect exploitation attempts early. Until an official patch is released by Frenify, consider deploying virtual patching techniques via WAF or reverse proxies. Additionally, follow the principle of least privilege by ensuring the web server and application run with minimal permissions to limit the impact of a successful exploit. Regular backups and incident response plans should be updated to prepare for potential exploitation scenarios. Once a patch becomes available, prioritize its deployment after testing in a controlled environment. Finally, organizations should inventory all Frenify Arlo instances to ensure no deployments are overlooked.