CVE-2025-67523 is a vulnerability classified as Improper Control of Filename for Include/Require Statement in the PHP program trippleS Exhibz, a product used for exhibition management. This vulnerability allows Remote File Inclusion (RFI), where an attacker can manipulate the filename parameter in PHP include or require statements to load and execute malicious code from a remote server. The affected versions include all versions up to and including 3.0.9. The root cause is insufficient validation or sanitization of user-supplied input that controls the file path in include/require statements. Exploiting this vulnerability can lead to remote code execution, enabling attackers to run arbitrary PHP code on the server, potentially leading to full system compromise, data theft, or defacement. No CVSS score has been assigned yet, and no public exploits have been reported. However, the vulnerability is critical in nature due to the direct impact on confidentiality, integrity, and availability of the affected systems. The vulnerability was published on December 9, 2025, and is tracked under the CVE identifier CVE-2025-67523. The vendor trippleS has not yet released a patch or mitigation guidance, so organizations must implement interim controls to reduce risk.

For European organizations using trippleS Exhibz, this vulnerability could result in severe consequences including unauthorized access to sensitive event data, disruption of exhibition management services, and potential lateral movement within internal networks. The ability to execute arbitrary code remotely without authentication means attackers could deploy malware, ransomware, or steal confidential information. This could damage organizational reputation, lead to regulatory penalties under GDPR for data breaches, and cause operational downtime. Given that Exhibz is used in event and exhibition contexts, compromised systems could also impact third-party vendors and attendees, amplifying the risk. The lack of a patch increases exposure time, and organizations relying on this software must assume a high risk of exploitation. The vulnerability also poses a risk to supply chain security if Exhibz is integrated with other platforms or services.

1. Immediately audit all instances of trippleS Exhibz and identify affected versions (<= 3.0.9). 2. Apply vendor patches or updates as soon as they become available. 3. Until patches are released, implement strict input validation and sanitization on all parameters controlling file inclusion paths to prevent remote file references. 4. Configure PHP settings to disable remote file inclusion (e.g., setting 'allow_url_include' to 'Off' and 'allow_url_fopen' to 'Off'). 5. Use web application firewalls (WAFs) to detect and block suspicious requests attempting to exploit file inclusion. 6. Restrict file system permissions to limit the PHP process's ability to include files outside designated directories. 7. Monitor logs for unusual include/require activity or unexpected external connections. 8. Conduct penetration testing focused on file inclusion vectors to verify mitigations. 9. Educate development and operations teams about secure coding practices to prevent similar vulnerabilities in the future.