The vulnerability CVE-2025-67995 affects LoftOcean PatioTime versions before 2.1 and is caused by insecure deserialization of untrusted data, enabling object injection attacks. This can allow an attacker to execute arbitrary code or manipulate application behavior, leading to full compromise of confidentiality, integrity, and availability. The CVSS 3.1 base score is 9.8, reflecting the critical nature of this vulnerability with network attack vector, no required privileges or user interaction, and complete impact on security properties. No patch or official remediation guidance is currently available from the vendor. The product is not a cloud service, and no exploits have been reported in the wild.

Successful exploitation of this vulnerability could allow remote attackers to execute arbitrary code or perform unauthorized actions on affected PatioTime installations, resulting in complete compromise of confidentiality, integrity, and availability. Given the critical CVSS score of 9.8, the impact is severe and could lead to full system takeover or data breaches.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider restricting network access to the affected PatioTime instances and monitor for suspicious activity related to deserialization processes. Avoid processing untrusted data inputs where possible.