CVE-2025-66115 is a vulnerability identified in the MatrixAddons Easy Invoice software, versions up to and including 2.1.4. The issue arises from improper control of the filename parameter used in PHP include or require statements, which leads to a Local File Inclusion (LFI) vulnerability. LFI occurs when an attacker can manipulate the input to include arbitrary files from the local filesystem, potentially exposing sensitive configuration files, source code, or other critical data. In some cases, LFI can be leveraged to execute arbitrary code if combined with other vulnerabilities or misconfigurations. The vulnerability requires the attacker to have high privileges (authentication with elevated access) and network access but does not require user interaction. The CVSS 3.1 base score is 6.6, reflecting a medium severity with network attack vector, low attack complexity, and impact on confidentiality, integrity, and availability. The vulnerability’s scope is changed, indicating that exploitation could affect components beyond the initially vulnerable module. No public exploits or patches are currently available, increasing the urgency for organizations to implement mitigations proactively. The vulnerability is particularly concerning for organizations relying on Easy Invoice for financial operations, as exposure of invoice data or code execution could lead to data breaches or operational disruption.

For European organizations, the impact of CVE-2025-66115 can be significant, especially for small and medium-sized enterprises (SMEs) using Easy Invoice for financial and invoicing processes. Confidentiality risks include exposure of sensitive financial data, customer information, and internal configuration files. Integrity risks involve potential unauthorized modification of invoice data or application files, which could lead to fraudulent transactions or accounting errors. Availability could be impacted if attackers leverage the vulnerability to execute code that disrupts the application or underlying systems. Given the financial nature of the software, exploitation could also have regulatory and compliance implications under GDPR and other data protection laws. The requirement for high privileges limits the attack surface but does not eliminate risk, as insider threats or compromised credentials could enable exploitation. The absence of known exploits in the wild provides a window for mitigation, but organizations should act promptly to prevent potential attacks.

1. Apply patches or updates from MatrixAddons as soon as they become available to address the vulnerability directly. 2. Restrict file inclusion paths in the PHP configuration and application code to a whitelist of safe directories, preventing arbitrary file inclusion. 3. Implement strict input validation and sanitization on all parameters used in include/require statements to block malicious input. 4. Employ the principle of least privilege by limiting user roles and permissions within Easy Invoice to reduce the risk of high-privilege account compromise. 5. Monitor application logs and file access patterns for unusual activity indicative of LFI attempts, such as repeated access to sensitive files. 6. Use Web Application Firewalls (WAFs) with rules designed to detect and block LFI attack vectors. 7. Conduct regular security audits and code reviews focusing on file inclusion mechanisms. 8. Educate administrators and users about credential security to prevent privilege escalation. 9. Isolate the Easy Invoice application environment to limit lateral movement in case of compromise.