
CVE-2025-49508: CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in LoftOcean CozyStay

High
Published: Tue Jun 17 2025 (06/17/2025, 15:01:41 UTC)
Source: CVE Database V5
Vendor/Project: LoftOcean
Product: CozyStay

Description

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in LoftOcean CozyStay allows PHP Local File Inclusion. This issue affects CozyStay: from n/a through n/a.

AI-Powered Analysis

Last updated: 06/17/2025, 15:35:09 UTC

Technical Analysis

CVE-2025-49508 is a high-severity vulnerability classified under CWE-98, which pertains to improper control of filenames used in include or require statements within PHP applications. Specifically, this vulnerability affects the LoftOcean CozyStay product, a PHP-based application. The flaw allows for PHP Local File Inclusion (LFI), meaning an attacker can manipulate the filename parameter used in include or require statements to load unintended local files on the server. This can lead to disclosure of sensitive information, execution of arbitrary code, or full system compromise depending on the server configuration and the files accessible. The vulnerability does not require authentication or user interaction, and can be exploited remotely over the network. The CVSS 3.1 base score of 8.1 reflects the high impact on confidentiality, integrity, and availability, with network attack vector, high attack complexity, and no privileges or user interaction needed. Although no known exploits are currently reported in the wild, the nature of LFI vulnerabilities makes them attractive targets for attackers, especially if combined with other vulnerabilities such as remote code execution or file upload flaws. The affected versions are not explicitly stated, which suggests the vulnerability may be present in all current versions of CozyStay until patched. The lack of available patches at the time of publication increases the urgency for mitigation.

Potential Impact

For European organizations using LoftOcean CozyStay, this vulnerability poses a significant risk. CozyStay is likely used in hospitality or property management sectors, which handle sensitive customer data including personal identification and payment information. Exploitation could lead to unauthorized access to internal files such as configuration files, credentials, or logs, resulting in data breaches and regulatory non-compliance under GDPR. Additionally, attackers could leverage this vulnerability to execute arbitrary code, potentially disrupting service availability or pivoting to other internal systems. The impact is heightened for organizations with internet-facing CozyStay deployments, as the vulnerability can be exploited remotely without authentication. This could lead to reputational damage, financial losses, and legal consequences. Given the hospitality sector's importance in Europe’s economy and the sensitivity of customer data, the threat is particularly critical. Furthermore, CozyStay installations integrated with other enterprise systems could serve as entry points for broader network compromise.

Mitigation Recommendations

1. Immediate mitigation should include restricting access to the CozyStay application to trusted networks via firewalls or VPNs to reduce exposure.
2. Implement web application firewalls (WAFs) with custom rules to detect and block suspicious include/require parameter manipulations indicative of LFI attempts.
3. Conduct thorough code reviews to identify and sanitize all user-controllable inputs used in include or require statements, employing whitelisting of allowed filenames rather than blacklisting.
4. Use PHP configuration directives such as 'open_basedir' to limit file system access to necessary directories only.
5. Monitor server logs for unusual file access patterns or error messages related to include/require functions.
6. Engage with LoftOcean for patches or updates addressing this vulnerability and apply them promptly once available.
7. As a longer-term measure, consider isolating CozyStay instances in segmented network zones to limit lateral movement in case of compromise.
8. Educate development and operations teams on secure coding practices to prevent similar vulnerabilities.
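The following is an added illustration of recommendations 3 to 5, not code from CozyStay or LoftOcean: a hypothetical template loader written the vulnerable way (CWE-98 pattern) next to a hardened version that resolves a request value through an allowlist, confirms the resolved path stays under the templates directory, and logs rejections for monitoring. Function names, the `template` parameter and the template filenames are assumptions.

```php
<?php
// Added example (hypothetical), not CozyStay code: a theme-template loader.

// VULNERABLE pattern behind CWE-98: the request value is spliced into the
// include path, so a caller can steer it to any readable local file.
function load_template_unsafe(string $name): void
{
    include __DIR__ . '/templates/' . $name . '.php';
}

// HARDENED: map short keys to fixed filenames (allowlist), then verify the
// resolved path still lives under the templates directory before including it.
function load_template_safe(string $name): bool
{
    static $allowed = [
        'room'    => 'room.php',
        'booking' => 'booking.php',
        'contact' => 'contact.php',
    ];
    if (!isset($allowed[$name])) {
        // Rejected keys are logged so step 5 (log monitoring) has a signal.
        error_log('template rejected: ' . $name);
        return false;
    }
    $base = realpath(__DIR__ . '/templates');
    $path = realpath($base . '/' . $allowed[$name]);
    // realpath() is false for a missing file; the prefix check also catches a
    // symlink that points outside the base directory.
    if ($path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        error_log('template outside base dir: ' . $name);
        return false;
    }
    include $path;
    return true;
}

// Belt and braces for step 4: open_basedir can be tightened at runtime
// (it can only be narrowed, never widened, by ini_set).
ini_set('open_basedir', __DIR__);

// Usage: only one of the three allowlisted files can ever be included.
$name = $_GET['template'] ?? 'room';
if (!load_template_safe($name)) {
    http_response_code(400);
}
```

The unsafe function is kept only for comparison; it should not remain reachable in a deployed application.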


Technical Details

Data Version: 5.1
Assigner Short Name: Patchstack
Date Reserved: 2025-06-06T10:33:37.436Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68518789a8c921274385df71

Added to database: 6/17/2025, 3:19:37 PM

Last enriched: 6/17/2025, 3:35:09 PM

Last updated: 8/6/2025, 2:37:58 AM
