CVE-2025-52805 is a high-severity security vulnerability classified under CWE-35 (Path Traversal) affecting VaultDweller's Leyka product up to version 3.31.9. The vulnerability allows an attacker to perform a PHP Local File Inclusion (LFI) attack via path traversal techniques. Path traversal vulnerabilities occur when user-supplied input is not properly sanitized, enabling attackers to manipulate file paths and access files outside the intended directory scope. In this case, the flaw allows remote attackers to include and execute arbitrary PHP files on the server by crafting malicious requests that traverse directories. The CVSS 3.1 base score is 7.5, indicating a high impact with network attack vector (AV:N), high attack complexity (AC:H), no privileges required (PR:N), and requiring user interaction (UI:R). The scope is unchanged (S:U), but the impact on confidentiality, integrity, and availability is high (C:H/I:H/A:H). This means successful exploitation can lead to full system compromise, including disclosure of sensitive data, modification of files, and potential denial of service. No patches or exploits in the wild are currently reported, but the vulnerability is publicly disclosed as of July 4, 2025. The lack of available patches increases the urgency for mitigation. The vulnerability affects all versions of Leyka up to 3.31.9, with no specific version range provided beyond that. Given the nature of PHP LFI, attackers may chain this vulnerability with other exploits to escalate privileges or move laterally within networks.

For European organizations, this vulnerability poses a significant risk, especially for those using Leyka in their web infrastructure or internal applications. The ability to include arbitrary PHP files remotely can lead to data breaches involving personal data protected under GDPR, resulting in regulatory penalties and reputational damage. Critical systems relying on Leyka could be compromised, affecting business continuity and service availability. The high impact on confidentiality, integrity, and availability means attackers could exfiltrate sensitive information, alter application behavior, or cause denial of service. Given the high attack complexity and requirement for user interaction, targeted phishing or social engineering campaigns may be used to exploit this vulnerability. Organizations in sectors such as finance, healthcare, and government, which often use PHP-based web applications and handle sensitive data, are particularly at risk. The absence of known exploits in the wild provides a window for proactive defense, but the public disclosure increases the likelihood of future exploitation attempts.

European organizations should immediately conduct an inventory to identify any deployments of VaultDweller Leyka, particularly versions up to 3.31.9. Until a patch is available, implement strict input validation and sanitization on all user inputs that interact with file paths to prevent path traversal. Employ web application firewalls (WAFs) with custom rules to detect and block suspicious path traversal patterns and PHP file inclusion attempts. Restrict file system permissions for the web server user to the minimum necessary, preventing access to sensitive directories and files. Monitor logs for unusual file access patterns or errors indicative of LFI attempts. Educate users about the risks of interacting with suspicious links or attachments to reduce the likelihood of user interaction-based exploitation. Plan for rapid deployment of official patches once released by VaultDweller. Additionally, consider isolating Leyka instances in segmented network zones to limit lateral movement if compromised.