CVE-2025-66115: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in MatrixAddons Easy Invoice
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in MatrixAddons Easy Invoice easy-invoice allows PHP Local File Inclusion. This issue affects Easy Invoice: from n/a through <= 2.1.4.
AI Analysis
Technical Summary
CVE-2025-66115 is a vulnerability classified as Improper Control of Filename for Include/Require Statement in PHP programs, specifically affecting the MatrixAddons Easy Invoice product up to version 2.1.4. This vulnerability is a form of Remote File Inclusion (RFI), where the application fails to properly validate or sanitize user-supplied input used in PHP include or require statements. As a result, an attacker can manipulate the filename parameter to include remote files, potentially leading to arbitrary code execution on the server. This can allow attackers to execute malicious PHP code, escalate privileges, access sensitive data, or disrupt service availability. The vulnerability is particularly dangerous because it does not require authentication or user interaction, making it exploitable remotely by unauthenticated attackers. Although no known exploits are currently reported in the wild, the vulnerability's nature and the widespread use of PHP in web applications make it a significant threat. The lack of a CVSS score indicates that the vulnerability is newly published and not yet fully assessed, but the technical characteristics suggest a high severity. The vulnerability affects all installations of Easy Invoice up to version 2.1.4, and no patch links are currently provided, indicating that users must monitor vendor updates closely. The vulnerability was published on November 21, 2025, and assigned by Patchstack.
Potential Impact
For European organizations using MatrixAddons Easy Invoice, this vulnerability poses a critical risk. Successful exploitation can lead to remote code execution, allowing attackers to take full control of affected systems. This can result in data breaches, including exposure of sensitive financial and customer information, disruption of invoicing operations, and potential lateral movement within corporate networks. The impact on confidentiality, integrity, and availability is severe, as attackers can modify or delete data, inject malicious code, or cause denial of service. Organizations in sectors such as finance, retail, and services that rely heavily on invoicing software are particularly at risk. Additionally, compromised invoicing systems can be used as a foothold for further attacks, including ransomware deployment or supply chain attacks. The absence of known exploits in the wild provides a window for proactive mitigation, but the threat remains significant due to the ease of exploitation and the critical nature of invoicing systems in business operations.
Mitigation Recommendations
1. Monitor MatrixAddons communications for official patches or updates addressing CVE-2025-66115 and apply them promptly once available.
2. Implement strict input validation and sanitization on all user-supplied parameters, especially those used in include or require statements, to prevent malicious file path injection.
3. Configure PHP settings to disable remote file inclusion by setting 'allow_url_include' to 'Off' and 'allow_url_fopen' to 'Off' if not required.
4. Employ Web Application Firewalls (WAFs) with rules designed to detect and block attempts to exploit file inclusion vulnerabilities.
5. Restrict file inclusion paths using PHP's 'open_basedir' directive to limit the directories from which files can be included.
6. Conduct regular code reviews and security testing focused on input handling in PHP applications.
7. Isolate invoicing systems in segmented network zones to limit potential lateral movement if compromised.
8. Maintain comprehensive logging and monitoring to detect suspicious activities related to file inclusion or code execution attempts.
9. Educate development and IT teams about secure coding practices to prevent similar vulnerabilities in future releases.
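Recommendations 2, 3 and 5 above describe the code-level and php.ini-level controls that close this class of bug. The following is an added, self-contained PHP example written for this page; it is not code from Easy Invoice or MatrixAddons, and the parameter name `template`, the template directory layout and the sample inputs are all constructed assumptions. It places the unsafe pattern (a request value flowing straight into `include`) beside a hardened version that maps the value onto a fixed allowlist and verifies the resolved path stays inside the template directory, which covers both the remote inclusion the analysis describes and the local inclusion named in the CVE description. The php.ini settings from the recommendations are shown in the header comment because the code fix and the configuration hardening belong together.

```php
<?php
declare(strict_types=1);

// php.ini hardening from the recommendations (deploy alongside the code fix):
//   allow_url_include = Off
//   allow_url_fopen   = Off      ; only if nothing else needs URL streams
//   open_basedir      = /path/to/webroot:/tmp   ; placeholder, set to your install

// Unsafe pattern (illustrative, not the plugin's code): the request parameter
// is used directly as the include target. With allow_url_include=On this can
// reach remote URLs; even with it Off it can still reach any readable local file.
function includeTemplateUnsafe(string $userValue): void
{
    include $userValue . '.php';
}

// Hardened pattern: the user supplies a short key, never a path. The key is
// looked up in a fixed allowlist, and the resolved path is checked to be inside
// the template directory before anything is included.
const TEMPLATE_ALLOWLIST = [
    'invoice' => 'invoice.php',
    'summary' => 'summary.php',
];

function resolveTemplate(string $key, string $baseDir): ?string
{
    // Exact-match allowlist: any key not listed is rejected outright, which
    // removes path separators, URL schemes and null bytes from consideration.
    if (!array_key_exists($key, TEMPLATE_ALLOWLIST)) {
        return null;
    }

    $base = realpath($baseDir);
    $real = realpath($baseDir . DIRECTORY_SEPARATOR . TEMPLATE_ALLOWLIST[$key]);

    // realpath() returns false for a missing file; the prefix check guards
    // against a symlink inside the template directory pointing elsewhere.
    if ($base === false || $real === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

function renderTemplate(string $key, string $baseDir): bool
{
    $path = resolveTemplate($key, $baseDir);
    if ($path === null) {
        // Log the rejected value so monitoring (recommendation 8) can see
        // inclusion attempts; json_encode keeps control characters visible.
        error_log(sprintf('rejected template key %s', json_encode($key)));
        return false;
    }
    include $path;
    return true;
}

// Stand-alone demonstration with a constructed template directory.
if (PHP_SAPI === 'cli') {
    $dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'lfi-demo-' . getmypid();
    mkdir($dir, 0700, true);
    file_put_contents($dir . '/invoice.php', "<?php echo \"invoice template rendered\\n\";\n");
    file_put_contents($dir . '/summary.php', "<?php echo \"summary template rendered\\n\";\n");

    // Constructed inputs: one valid key, then values typical of inclusion attempts.
    $inputs = ['invoice', 'summary', '../../../etc/passwd', 'http://example.invalid/x', "invoice\0"];
    foreach ($inputs as $value) {
        $ok = renderTemplate($value, $dir);
        printf("%-28s => %s\n", json_encode($value), $ok ? 'included' : 'rejected');
    }

    unlink($dir . '/invoice.php');
    unlink($dir . '/summary.php');
    rmdir($dir);
}
```

Run it with `php example.php`; the two allowlisted keys are included and every other value is rejected and logged. The design point is that the allowlist makes the user input a lookup key rather than a path fragment, so there is nothing for traversal sequences, URL schemes or null bytes to act on, and the `realpath` prefix check is a second layer in case the template directory itself is tampered with.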
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Belgium, Sweden, Austria
Technical Details
- Data Version: 5.2
- Assigner Short Name: Patchstack
- Date Reserved: 2025-11-21T11:21:26.612Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 69205c34c36be036e6ff2a1a
Added to database: 11/21/2025, 12:33:56 PM
Last enriched: 11/21/2025, 12:48:29 PM
Last updated: 11/21/2025, 3:19:41 PM