CVE-2025-52808: CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in real-web RealtyElite
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in real-web RealtyElite allows PHP Local File Inclusion. This issue affects RealtyElite: from n/a through 1.0.0.
AI Analysis
Technical Summary
CVE-2025-52808 is a high-severity vulnerability classified under CWE-98, which pertains to improper control of filenames used in PHP include or require statements. This vulnerability affects the real-web product RealtyElite, specifically versions up to 1.0.0. The issue allows for PHP Local File Inclusion (LFI), which means an attacker can manipulate the filename parameter in include or require statements to load unintended files from the local filesystem. Although the description mentions 'PHP Remote File Inclusion' in the title, the detailed description clarifies that the vulnerability enables local file inclusion, not remote. This can lead to arbitrary code execution, disclosure of sensitive information, and full compromise of the affected web application and potentially the underlying server. The CVSS v3.1 score is 8.1, indicating a high severity with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. This means the attack is network exploitable but requires high attack complexity, no privileges, and no user interaction. The impact on confidentiality, integrity, and availability is high, as successful exploitation can allow attackers to read sensitive files, execute arbitrary code, and disrupt service. No patches are currently linked, and no known exploits are reported in the wild as of the publication date (June 27, 2025). The vulnerability arises from insufficient validation or sanitization of user-supplied input used in include/require statements, a common PHP security pitfall. Attackers can leverage this to include system files such as /etc/passwd or application source code, or potentially escalate to remote code execution if combined with other vulnerabilities or misconfigurations.
Potential Impact
For European organizations using RealtyElite, this vulnerability poses a significant risk. RealtyElite is a real estate web application, likely used by agencies, property managers, and real estate platforms. Exploitation could lead to unauthorized access to customer data, including personal and financial information, violating GDPR and other data protection regulations. The high confidentiality impact could result in data breaches, leading to regulatory fines and reputational damage. Integrity and availability impacts mean attackers could alter listings, manipulate pricing, or disrupt service availability, affecting business operations and customer trust. Since the vulnerability is exploitable remotely over the network without authentication, attackers can target exposed RealtyElite installations directly. The lack of known exploits in the wild suggests the window for proactive mitigation is still open, but the high severity score demands urgent attention. European organizations with public-facing RealtyElite deployments are at risk of targeted attacks, especially those in competitive real estate markets or handling sensitive client data.
Mitigation Recommendations
1. Immediate mitigation should include restricting access to the vulnerable include/require functionality by applying web application firewall (WAF) rules that detect and block suspicious include parameters or directory traversal patterns. 2. Implement strict input validation and sanitization on all user-controlled inputs used in file inclusion statements, ensuring only whitelisted filenames or paths are accepted. 3. Disable allow_url_include and other risky PHP configuration directives to prevent remote file inclusion vectors. 4. If possible, isolate the RealtyElite application in a segmented network zone with minimal privileges to limit the impact of a successful exploit. 5. Monitor logs for unusual file access patterns or errors related to include/require statements. 6. Engage with the vendor or community to obtain patches or updates addressing this vulnerability; if none are available, consider temporary workarounds such as code review and manual patching of the vulnerable code. 7. Conduct a thorough security audit of the application and underlying infrastructure to identify and remediate any additional weaknesses. 8. Educate development and operations teams about secure coding practices related to file inclusion in PHP.
Affected Countries
Germany, France, United Kingdom, Netherlands, Spain, Italy
CVE-2025-52808: CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in real-web RealtyElite
Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in real-web RealtyElite allows PHP Local File Inclusion. This issue affects RealtyElite: from n/a through 1.0.0.
AI-Powered Analysis
Technical Analysis
CVE-2025-52808 is a high-severity vulnerability classified under CWE-98, which pertains to improper control of filenames used in PHP include or require statements. This vulnerability affects the real-web product RealtyElite, specifically versions up to 1.0.0. The issue allows for PHP Local File Inclusion (LFI), which means an attacker can manipulate the filename parameter in include or require statements to load unintended files from the local filesystem. Although the description mentions 'PHP Remote File Inclusion' in the title, the detailed description clarifies that the vulnerability enables local file inclusion, not remote. This can lead to arbitrary code execution, disclosure of sensitive information, and full compromise of the affected web application and potentially the underlying server. The CVSS v3.1 score is 8.1, indicating a high severity with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. This means the attack is network exploitable but requires high attack complexity, no privileges, and no user interaction. The impact on confidentiality, integrity, and availability is high, as successful exploitation can allow attackers to read sensitive files, execute arbitrary code, and disrupt service. No patches are currently linked, and no known exploits are reported in the wild as of the publication date (June 27, 2025). The vulnerability arises from insufficient validation or sanitization of user-supplied input used in include/require statements, a common PHP security pitfall. Attackers can leverage this to include system files such as /etc/passwd or application source code, or potentially escalate to remote code execution if combined with other vulnerabilities or misconfigurations.
Potential Impact
For European organizations using RealtyElite, this vulnerability poses a significant risk. RealtyElite is a real estate web application, likely used by agencies, property managers, and real estate platforms. Exploitation could lead to unauthorized access to customer data, including personal and financial information, violating GDPR and other data protection regulations. The high confidentiality impact could result in data breaches, leading to regulatory fines and reputational damage. Integrity and availability impacts mean attackers could alter listings, manipulate pricing, or disrupt service availability, affecting business operations and customer trust. Since the vulnerability is exploitable remotely over the network without authentication, attackers can target exposed RealtyElite installations directly. The lack of known exploits in the wild suggests the window for proactive mitigation is still open, but the high severity score demands urgent attention. European organizations with public-facing RealtyElite deployments are at risk of targeted attacks, especially those in competitive real estate markets or handling sensitive client data.
Mitigation Recommendations
1. Immediate mitigation should include restricting access to the vulnerable include/require functionality by applying web application firewall (WAF) rules that detect and block suspicious include parameters or directory traversal patterns. 2. Implement strict input validation and sanitization on all user-controlled inputs used in file inclusion statements, ensuring only whitelisted filenames or paths are accepted. 3. Disable allow_url_include and other risky PHP configuration directives to prevent remote file inclusion vectors. 4. If possible, isolate the RealtyElite application in a segmented network zone with minimal privileges to limit the impact of a successful exploit. 5. Monitor logs for unusual file access patterns or errors related to include/require statements. 6. Engage with the vendor or community to obtain patches or updates addressing this vulnerability; if none are available, consider temporary workarounds such as code review and manual patching of the vulnerable code. 7. Conduct a thorough security audit of the application and underlying infrastructure to identify and remediate any additional weaknesses. 8. Educate development and operations teams about secure coding practices related to file inclusion in PHP.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Patchstack
- Date Reserved
- 2025-06-19T10:03:36.790Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 685e88efca1063fb875de533
Added to database: 6/27/2025, 12:05:03 PM
Last enriched: 6/27/2025, 12:23:48 PM
Last updated: 8/13/2025, 10:31:23 PM
Views: 14
Related Threats
CVE-2025-3495: CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in Delta Electronics COMMGR
CriticalCVE-2025-53948: CWE-415 Double Free in Santesoft Sante PACS Server
HighCVE-2025-52584: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt
HighCVE-2025-46269: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt
HighCVE-2025-54862: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.