CVE-2025-67988 is a vulnerability identified in LoftOcean's CozyStay software, specifically involving improper control over the filename parameter used in PHP include or require statements. This vulnerability allows an attacker to perform Local File Inclusion (LFI), where malicious actors can manipulate the file path input to include arbitrary files from the server's filesystem. This can lead to disclosure of sensitive information, execution of arbitrary code, and potentially full system compromise. The vulnerability affects CozyStay versions prior to 1.9.1. The CVSS 3.1 base score is 8.1, reflecting a high-severity issue with network attack vector, high attack complexity, no privileges required, no user interaction, and impacts on confidentiality, integrity, and availability. The vulnerability was reserved in December 2025 and published in February 2026. Although no public exploits are currently known, the flaw's nature makes it a critical concern for organizations using CozyStay, especially those exposing the application to the internet. The lack of patches linked in the provided data suggests that immediate mitigation steps are necessary until official fixes are available.

The impact of CVE-2025-67988 is significant for organizations using CozyStay, as exploitation can lead to unauthorized disclosure of sensitive files, execution of arbitrary code, and disruption of service. This can compromise the confidentiality, integrity, and availability of affected systems. Attackers can leverage this vulnerability to gain footholds within networks, escalate privileges, and move laterally, potentially affecting broader organizational infrastructure. Given CozyStay's role in managing hospitality or property-related services, breaches could expose customer data, financial information, and operational details, leading to reputational damage and regulatory penalties. The high CVSS score indicates that the vulnerability is exploitable remotely without authentication, increasing the risk of widespread attacks if left unmitigated.

Organizations should immediately upgrade CozyStay to version 1.9.1 or later once available to address this vulnerability. Until patches are released, implement strict input validation and sanitization on all user-supplied parameters that influence file inclusion paths to prevent manipulation. Employ web application firewalls (WAFs) with rules designed to detect and block suspicious file inclusion attempts. Restrict file system permissions to limit the web server's access to only necessary directories, minimizing the impact of potential LFI exploitation. Conduct thorough code reviews to identify and refactor unsafe include/require statements. Monitor logs for unusual file access patterns and implement intrusion detection systems to alert on potential exploitation attempts. Additionally, isolate CozyStay deployments within segmented network zones to reduce lateral movement risks.