CVE-2025-68545 identifies a Local File Inclusion (LFI) vulnerability in the thembay Nika PHP program, specifically due to improper control of filenames used in include or require statements. This vulnerability allows an attacker to manipulate the filename parameter to include arbitrary files from the server's filesystem. The root cause is insufficient validation or sanitization of user inputs that are passed directly to PHP's include or require functions, which can lead to unintended file inclusions. The affected product is Nika by thembay, with versions up to 1.2.14 impacted. LFI vulnerabilities can be leveraged to read sensitive files such as configuration files, password files, or application source code, potentially exposing credentials or other critical data. In some cases, LFI can be chained with other vulnerabilities to achieve remote code execution. No public exploits have been reported yet, and no official patches or CVSS scores are currently available. The vulnerability was reserved in December 2025 and published in February 2026. The lack of a CVSS score requires an expert severity assessment based on the nature of the vulnerability and its potential impact. Given the widespread use of PHP in web applications and the popularity of thembay products in certain markets, this vulnerability poses a significant risk to organizations running vulnerable versions of Nika. Attackers do not require authentication to exploit this flaw, and exploitation does not require user interaction beyond sending crafted requests. The vulnerability's impact includes potential exposure of sensitive data and possible escalation to remote code execution if combined with other flaws.

The impact of CVE-2025-68545 is substantial for organizations using the thembay Nika product in vulnerable versions. Successful exploitation can lead to unauthorized disclosure of sensitive files, including configuration files containing database credentials, API keys, or other secrets. This compromises confidentiality and may facilitate further attacks such as privilege escalation or remote code execution. The integrity of the application and data can be undermined if attackers modify included files or leverage the vulnerability to execute arbitrary code. Availability could also be affected if attackers disrupt normal application operations. Since the vulnerability does not require authentication or user interaction, it can be exploited remotely by unauthenticated attackers, increasing the attack surface. Organizations relying on Nika for e-commerce or content management may face data breaches, service disruptions, and reputational damage. The absence of known exploits currently provides a window for proactive mitigation, but the risk remains high due to the ease of exploitation and potential severity of consequences.

To mitigate CVE-2025-68545, organizations should immediately upgrade to a patched version of thembay Nika once available. In the absence of an official patch, implement strict input validation and sanitization on all parameters used in include or require statements to ensure only allowed filenames or paths are processed. Employ whitelisting techniques to restrict file inclusions to a predefined set of safe files or directories. Configure PHP settings such as open_basedir to limit accessible filesystem paths for the web server. Use web application firewalls (WAFs) to detect and block suspicious requests attempting directory traversal or file inclusion patterns. Regularly audit application code for unsafe dynamic file inclusion practices. Monitor server logs for unusual access patterns or errors indicative of attempted exploitation. Isolate the application environment to minimize the impact of a successful attack and ensure backups are up to date to enable recovery. Educate development teams on secure coding practices related to file inclusion and input handling. Finally, maintain awareness of updates from thembay and security advisories to apply patches promptly.