A high-severity vulnerability has been identified in multiple products, allowing an attacker to read sensitive files on the server. This flaw, known as Local File Inclusion, could be exploited remotely to access confidential data such as configuration files, user credentials, or system information, potentially leading to a full system compromise. Immediate patching is required to mitigate the significant risk of a data breach.

This vulnerability is an Improper Control of a Filename for an Include/Require Statement in a PHP Program, commonly known as Local File Inclusion (LFI). The vulnerability exists within the nK Ghost Kit product, where user-supplied input is not properly sanitized before being used in a file inclusion function (e.g., include() or require()). An unauthenticated remote attacker can exploit this by crafting a special request that manipulates the file path, tricking the application into including and displaying the contents of arbitrary files from the local server filesystem. Successful exploitation allows the attacker to read sensitive files such as wp-config.php, /etc/passwd, or other application source code and configuration files.

This vulnerability is rated as High severity with a CVSS score of 8.1. Exploitation could lead to a significant data breach, exposing sensitive company, employee, and customer information. The direct consequences include the theft of database credentials, API keys, and other secrets stored on the server. This exposure can result in financial loss, severe reputational damage, loss of customer trust, and potential regulatory fines. Furthermore, the information gained through this vulnerability could serve as a foothold for attackers to escalate privileges and launch more advanced attacks against the organization's internal network.

Immediate Action: Apply vendor security updates immediately to patch the vulnerability. After patching, monitor systems for any signs of exploitation attempts by reviewing web server access logs and application logs for suspicious activity that may have occurred prior to remediation.

Proactive Monitoring: Security teams should actively monitor web server access logs for requests containing path traversal sequences (e.g., ../, ..%2f, %2e%2e%2f). Look for attempts to access common sensitive files like wp-config.php, /etc/passwd, or .env files. Implement alerts for unusual PHP errors, particularly "failed to open stream" or "include" errors, which could indicate failed LFI attempts.

Compensating Controls: If immediate patching is not feasible, deploy a Web Application Firewall (WAF) with rules specifically designed to detect and block LFI and path traversal attacks. Additionally, harden server and PHP configurations by implementing strict file permissions to limit the web server process's read access to only necessary files and directories. Disabling allow_url_include in the php.ini file can also help mitigate related risks.

Public Exploit Available: false

Given the high CVSS score of 8.1 and the critical risk of sensitive data exposure, we strongly recommend that organizations prioritize the immediate application of the vendor-supplied security patches. Although this vulnerability is not currently on the CISA KEV list and no public exploits are available, the risk of a breach is substantial. Organizations should treat this as a critical priority and follow the remediation plan to patch, monitor, and implement compensating controls without delay.