
CVE-2025-7381: CWE-497 in mautic Docker Mautic

Severity: Medium
Tags: vulnerability, CVE-2025-7381, cve, cwe-497
Published: Wed Jul 09 2025 (07/09/2025, 15:16:37 UTC)
Source: CVE Database V5
Vendor/Project: mautic
Product: Docker Mautic

Description

Impact

This is an information disclosure vulnerability originating from PHP's base image. This vulnerability exposes the PHP version through an X-Powered-By header, which attackers could exploit to fingerprint the server and identify potential weaknesses.

Workarounds

The mitigation requires changing the expose_php variable from "On" to "Off" in the file located at /usr/local/etc/php/php.ini.

AI-Powered Analysis

Last updated: 07/16/2025, 21:03:43 UTC

Technical Analysis

CVE-2025-7381 is an information disclosure vulnerability identified in the Mautic Docker images that use PHP's base image. The vulnerability arises from the PHP configuration exposing the PHP version via the HTTP response header 'X-Powered-By'. This header reveals the exact PHP version running on the server, which can be leveraged by attackers to fingerprint the server environment and identify known vulnerabilities or weaknesses associated with that PHP version. The root cause is the default setting of the 'expose_php' directive in the PHP configuration file (/usr/local/etc/php/php.ini), which is set to 'On' by default in the affected Mautic Docker images (versions <= 6.0.3-20250707-apache, <= 6.0.3-20250707-fpm, <= 5.2.7-20250707-apache, and <= 5.2.7-20250707-fpm). The vulnerability is classified under CWE-497 (Exposure of System Information Through Error Message), indicating that sensitive system information is unintentionally disclosed. The CVSS v3.1 base score is 5.3 (medium severity), reflecting that the vulnerability can be exploited remotely without authentication or user interaction, but only results in limited confidentiality impact without affecting integrity or availability. No known exploits are currently reported in the wild. The primary mitigation is to disable the 'expose_php' directive by setting it to 'Off' in the php.ini file, which prevents the PHP version from being included in HTTP headers, thereby reducing the attack surface for fingerprinting and subsequent targeted attacks.

Potential Impact

For European organizations using Mautic Docker images in their marketing automation or customer engagement platforms, this vulnerability could facilitate reconnaissance activities by threat actors. By revealing the PHP version, attackers can tailor their attack strategies to exploit known vulnerabilities in that specific PHP version or related components. Although the vulnerability itself does not directly compromise data confidentiality, integrity, or availability, it lowers the barrier for attackers to identify exploitable weaknesses, potentially leading to more severe attacks such as remote code execution or privilege escalation if combined with other vulnerabilities. This is particularly relevant for organizations handling sensitive customer data under GDPR regulations, where any breach could result in significant legal and financial repercussions. Additionally, organizations relying on Dockerized deployments may have automated update pipelines; failure to promptly update or configure the PHP environment securely could prolong exposure. The medium severity rating suggests that while immediate risk is moderate, the vulnerability should not be ignored, especially in high-value or regulated environments common in Europe.

Mitigation Recommendations

To mitigate CVE-2025-7381 effectively, European organizations should implement the following specific actions:

1) Immediately update the Mautic Docker images to versions beyond the affected releases once patches are available.
2) Manually edit the PHP configuration file located at /usr/local/etc/php/php.ini within the Docker container to set 'expose_php = Off'. This change suppresses the PHP version disclosure in HTTP headers.
3) Incorporate configuration checks into CI/CD pipelines to ensure 'expose_php' remains disabled in all PHP-based containers before deployment.
4) Conduct regular security audits and penetration tests focusing on information disclosure vectors to detect similar misconfigurations.
5) Employ web application firewalls (WAFs) to filter or modify HTTP response headers, removing or obfuscating the 'X-Powered-By' header as an additional layer of defense.
6) Monitor network traffic for unusual reconnaissance patterns that might indicate exploitation attempts.
7) Educate development and operations teams about the risks of exposing system information and enforce secure defaults in containerized environments.
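The CI/CD configuration check in item 3 above, as an added example that is not part of this advisory or of Mautic's own tooling. It parses a php.ini text the way PHP does (compiled-in default On, last uncommented assignment wins, boolean spellings 1/On/True/Yes) and also flags a captured response header set that still carries a PHP X-Powered-By value; the file path and header dictionary are assumptions.

```python
"""Check a php.ini and/or HTTP response headers for CVE-2025-7381 exposure.

Hypothetical CI helper (not Mautic's code). Fails closed: a missing or
commented-out expose_php directive counts as enabled, because PHP's
compiled-in default for expose_php is On.
"""
import re
import sys

# Spellings PHP's ini parser treats as boolean true (case-insensitive).
_TRUE_VALUES = {"1", "on", "true", "yes"}


def expose_php_enabled(ini_text: str) -> bool:
    """Return True if this php.ini text leaves expose_php effectively On."""
    enabled = True  # compiled-in default when the directive is absent
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop ';' comments
        m = re.match(r"^expose_php\s*=\s*(.*)$", line, re.IGNORECASE)
        if m:
            value = m.group(1).strip().strip("\"'").lower()
            enabled = value in _TRUE_VALUES  # last assignment wins
    return enabled


def leaks_php_version(headers: dict) -> bool:
    """True if a response header set discloses PHP via X-Powered-By."""
    for name, value in headers.items():
        if name.lower() == "x-powered-by" and "php" in value.lower():
            return True
    return False


# Constructed sample inputs: a php.ini excerpt that only comments the fix
# out (still vulnerable) and a header set as a PHP front end might emit.
SAMPLE_INI = "; expose_php = Off\nmemory_limit = 128M\n"
SAMPLE_HEADERS = {"Server": "Apache/2.4", "X-Powered-By": "PHP/8.3.0"}

if __name__ == "__main__":
    # Usage: python check_expose_php.py [/usr/local/etc/php/php.ini]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_INI
    bad = expose_php_enabled(text) or leaks_php_version(SAMPLE_HEADERS)
    print("FAIL: expose_php is On or X-Powered-By leaks PHP" if bad else "OK")
    sys.exit(1 if bad else 0)
```

Run it against the container's /usr/local/etc/php/php.ini in the pipeline stage that builds the image, and gate the deploy on a zero exit code.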


Technical Details

Data Version: 5.1
Assigner Short Name: Mautic
Date Reserved: 2025-07-09T08:22:14.606Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 686e943d6f40f0eb7204cbca

Added to database: 7/9/2025, 4:09:33 PM

Last enriched: 7/16/2025, 9:03:43 PM

Last updated: 8/21/2025, 6:58:49 PM
