CVE-2025-67084 is a critical file upload vulnerability identified in InvoicePlane, an open-source invoicing and billing application widely used by small and medium-sized businesses. The vulnerability exists in versions up to 1.6.3 and allows authenticated users to upload arbitrary PHP files as attachments. Since these uploaded files are not properly validated or sanitized, an attacker can upload malicious PHP scripts that can be executed remotely on the server hosting InvoicePlane. This leads to Remote Code Execution (RCE), enabling attackers to execute arbitrary commands with the privileges of the web server process. The attack requires the attacker to have valid user credentials, which could be obtained through credential theft, phishing, or weak password policies. Once exploited, the attacker could potentially take full control of the affected system, access sensitive financial data, modify invoices, or pivot to other internal network resources. No CVSS score has been assigned yet, and no public exploits have been reported, but the vulnerability’s nature and impact are severe. The lack of patch links indicates that a fix may not yet be publicly available, emphasizing the need for immediate mitigation. Organizations relying on InvoicePlane should review their user access controls, monitor file uploads, and consider temporary restrictions on attachment uploads until a patch is released.

For European organizations, the impact of CVE-2025-67084 can be substantial, especially for small and medium enterprises (SMEs) that rely on InvoicePlane for financial operations. Successful exploitation could lead to unauthorized access to sensitive financial data, manipulation of invoicing records, and disruption of business processes. The RCE capability allows attackers to deploy malware, establish persistence, and potentially move laterally within corporate networks. This could result in data breaches, financial fraud, reputational damage, and regulatory non-compliance under GDPR. The requirement for authentication limits the attack surface but does not eliminate risk, as credential compromise is common. The absence of known exploits in the wild provides a window for proactive defense, but the severity of potential outcomes necessitates urgent attention. Additionally, compromised systems could be used as a foothold for further attacks targeting European supply chains or critical infrastructure sectors that use InvoicePlane.

1. Immediately restrict file upload functionality to allow only safe file types and disable PHP or executable file uploads in InvoicePlane attachments. 2. Enforce strong authentication mechanisms, including multi-factor authentication (MFA), to reduce the risk of credential compromise. 3. Monitor and audit all file uploads and user activities for suspicious behavior or anomalous file types. 4. Implement web application firewall (WAF) rules to detect and block attempts to upload or execute malicious scripts. 5. Isolate the InvoicePlane server in a segmented network zone with limited privileges to contain potential breaches. 6. Regularly update and patch InvoicePlane as soon as a security update addressing this vulnerability is released. 7. Conduct user training to prevent phishing and credential theft. 8. Consider temporary disabling of attachment uploads if immediate patching is not feasible. 9. Review server configurations to ensure PHP execution is disabled in directories used for file uploads if possible. 10. Maintain offline backups of critical financial data to enable recovery in case of compromise.