The vulnerability CVE-2025-67992 in LoftOcean PatioTime arises from improper validation or control of filenames used in PHP include or require statements, enabling PHP Local File Inclusion. This can allow an attacker to include and execute arbitrary local files on the server, potentially leading to full system compromise. The issue affects PatioTime versions prior to 2.1. The CVSS 3.1 base score is 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting a network attack vector with high impact on confidentiality, integrity, and availability, but requiring high attack complexity and no privileges or user interaction.

Successful exploitation of this vulnerability can result in an attacker executing arbitrary local files on the affected server, leading to full compromise of confidentiality, integrity, and availability of the system running PatioTime. This could allow unauthorized access to sensitive data, modification or deletion of files, and disruption of service.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no patch or official fix information is provided, users should monitor LoftOcean's advisories for updates. Until a fix is available, consider restricting access to the affected application and applying any available workarounds recommended by the vendor. Avoid exposing the vulnerable application to untrusted networks if possible.