A critical misconfiguration vulnerability has been discovered in multiple webserver products, identified as CVE-2025-41737. This flaw allows unauthenticated remote attackers to view the raw source code of PHP files on the server, potentially exposing sensitive information such as database credentials, API keys, and internal business logic. Successful exploitation could lead to a complete system compromise or a significant data breach.

The vulnerability is caused by an improper webserver configuration that fails to process PHP files through the PHP interpreter. When a remote, unauthenticated attacker sends a standard HTTP request for a .php file, the server incorrectly handles the request and returns the file's contents as plain text instead of executing the code and rendering the HTML output. This allows the attacker to read the entire source code, which may contain hardcoded credentials, secret keys, database connection strings, and proprietary application logic.

This vulnerability is rated as High severity with a CVSS score of 7.5. Exploitation can have severe consequences for the business, including the direct exposure of intellectual property and sensitive data. Leaked database credentials could lead to a full data breach of customer information, financial records, or other confidential data, resulting in significant financial loss, regulatory fines, and reputational damage. Furthermore, exposed API keys and application logic can provide attackers with a foothold to launch more sophisticated attacks against the organization's internal infrastructure.

Immediate Action: Apply vendor security updates immediately to all affected webserver instances. The security updates will correct the misconfiguration and ensure that PHP files are processed correctly. Concurrently, security teams should begin to monitor for exploitation attempts and review historical webserver access logs for any signs of compromise.

Proactive Monitoring: Monitor webserver access logs for unusual requests to .php files, specifically looking for patterns where the response content-type is text/plain or application/octet-stream instead of the expected text/html. Implement alerts for multiple requests to various PHP files from a single source IP address. Utilize a Web Application Firewall (WAF) or Intrusion Detection System (IDS) to detect and block responses that contain PHP source code tags (e.g., <?php).

Compensating Controls: If immediate patching is not feasible, implement a WAF rule to explicitly block any server response that contains raw PHP tags in its body. As a temporary measure, review and manually correct the webserver's handler mappings to ensure that the .php extension is properly associated with the PHP interpreter. Restrict access to the affected web applications at the network perimeter until a permanent patch can be applied.

Public Exploit Available: False

Given the high severity (CVSS 7.5) and the trivial nature of exploitation, this vulnerability presents a significant and immediate risk to the organization. We strongly recommend that all affected systems be patched immediately by applying the vendor-supplied security updates. Although this CVE is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog, its potential for widespread impact warrants treating it with the highest priority. Organizations should assume they are being targeted and act swiftly to mitigate this threat.