A high-severity vulnerability has been identified in multiple highwarden Super products, specifically affecting the Store Finder component. This flaw, known as Remote File Inclusion, could allow an unauthenticated attacker to trick the application into running malicious code from a remote server. Successful exploitation could lead to a complete compromise of the affected server, resulting in data theft, service disruption, and further network intrusion.

The vulnerability is an Improper Control of Filename for Include/Require Statement in PHP, commonly known as Remote File Inclusion (RFI). The application fails to properly sanitize user-supplied input that is used to construct a file path for an include() or require() statement. An attacker can exploit this by crafting a special request that points to a malicious PHP file hosted on an external server. The vulnerable application will then fetch and execute this remote file, giving the attacker the ability to run arbitrary code on the server with the permissions of the web server process.

This vulnerability is rated as High severity with a CVSS score of 7.5. Exploitation of this flaw can have severe consequences for the organization, including a complete compromise of the web server. An attacker could exfiltrate sensitive data such as customer information, payment details, and internal credentials. Furthermore, the attacker could install persistent backdoors, deploy ransomware, deface the website, or use the compromised server as a pivot point to launch further attacks against the internal network, leading to significant financial loss, operational downtime, and reputational damage.

Immediate Action: The primary and most effective remediation is to apply vendor security updates immediately across all affected systems. After patching, it is crucial to review web server and application access logs for any signs of past or ongoing exploitation attempts.

Proactive Monitoring: Security teams should actively monitor for indicators of compromise. This includes reviewing web server logs for unusual requests containing URLs or IP addresses in parameters that should only contain local filenames (e.g., parameter=http://attacker.com/shell.txt). Monitor for unexpected outbound network connections from the web server to unknown destinations and scan for the creation of unauthorized files or scripts in web-accessible directories.

Compensating Controls: If immediate patching is not feasible, the following compensating controls can reduce the risk:

• Implement a Web Application Firewall (WAF) with rules specifically designed to detect and block RFI attack patterns.
• On the server, modify the php.ini configuration file to set allow_url_fopen = Off and allow_url_include = Off. This is a direct server-level mitigation that prevents PHP from including remote files.
• Implement strict egress filtering to block outbound connections from the web server to the internet, except for explicitly approved destinations.

Public Exploit Available: false

Given the high severity (CVSS 7.5) and the critical impact of remote code execution, this vulnerability poses a significant threat to the organization. Although CVE-2025-47571 is not currently listed on the CISA KEV list, the risk of a full system compromise is substantial. We strongly recommend that all affected highwarden Super products be patched on an emergency basis. If patching is delayed, implement the suggested compensating controls, particularly disabling remote file includes in the PHP configuration, to mitigate the immediate risk.