CVE-2025-53578
Improper · Improper Multiple Products
Executive summary
A high-severity vulnerability has been identified in multiple products from the vendor Improper, specifically noted in gavias Kipso. This flaw, a Local File Inclusion, allows an unauthenticated remote attacker to trick the application into accessing and potentially executing arbitrary files on the server. Successful exploitation could lead to sensitive data exposure, information theft, and a complete compromise of the affected system.
Vulnerability
The vulnerability exists due to an improper control of filenames used in PHP's include or require statements. An attacker can exploit this by crafting a malicious request that manipulates a URL parameter to specify a path to a file on the server's local file system. Because the application fails to properly sanitize this user-supplied input, it includes the specified file for processing. This allows an attacker to read the source code of any file the web server process has access to, including sensitive configuration files containing credentials. In certain configurations, if an attacker can also upload a file or poison a log file with PHP code, this vulnerability can be escalated to achieve Remote Code Execution (RCE).
Business impact
This vulnerability is rated as High severity with a CVSS score of 8.1. Exploitation could have a significant negative impact on the business. An attacker could leverage this flaw to steal sensitive information, such as customer data, intellectual property, or authentication credentials, leading to major data breaches and regulatory fines. If escalated to remote code execution, an attacker could gain full control of the server, enabling them to install malware, pivot to other internal systems, or disrupt critical business operations, resulting in financial loss and severe reputational damage.
Remediation
Immediate Action: The primary and most effective remediation is to apply the security updates provided by the vendor immediately across all affected assets. After patching, it is critical to monitor for any signs of exploitation attempts by reviewing web server and application access logs for indicators of compromise that may have occurred prior to remediation.
Proactive Monitoring: Security teams should actively monitor web server logs for requests containing directory traversal patterns (e.g., ../, ..%2F) or PHP filter wrappers (e.g., php://filter) in URL parameters. Implement alerts for unusual file access patterns or outbound network connections originating from web servers. System monitoring should also be configured to detect the creation of unexpected files or processes running under the web server's user context.
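Log review for the traversal and wrapper indicators described above, as an added example (not part of the advisory or any vendor tooling): the sample log lines are constructed, and the combined-log format and the parameter name file are assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines in Apache/nginx combined-log format (not from any real server).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jul/2025:10:01:02 +0000] "GET /index.php?page=home HTTP/1.1" 200 512
203.0.113.7 - - [10/Jul/2025:10:01:09 +0000] "GET /index.php?file=..%2F..%2Fconfig.php HTTP/1.1" 200 1840
203.0.113.7 - - [10/Jul/2025:10:01:15 +0000] "GET /index.php?file=..%252F..%252Fconfig.php HTTP/1.1" 200 2210
203.0.113.9 - - [10/Jul/2025:10:02:31 +0000] "GET /index.php?file=php://filter/convert.base64-encode/resource=config.php HTTP/1.1" 200 3100
198.51.100.2 - - [10/Jul/2025:10:03:00 +0000] "GET /search?q=1..10 HTTP/1.1" 200 700
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")               # "../" or "..\" after decoding
WRAPPER_RE = re.compile(r"^\s*php://", re.IGNORECASE)  # php://filter and other php:// wrappers

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so ..%252F (double-encoded ../) is caught as well as ..%2F."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify_target(target):
    """Return indicator labels found in a request target's path and query values."""
    parts = urlsplit(target)
    candidates = [("path", parts.path)]
    candidates += [(f"param {k}", v) for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    findings = []
    for where, raw in candidates:
        value = fully_decode(raw)
        if TRAVERSAL_RE.search(value):
            findings.append(f"traversal in {where}")
        if WRAPPER_RE.match(value):
            findings.append(f"php wrapper in {where}")
    return findings

def scan_log(text):
    """Return (ip, timestamp, target, findings) for every request carrying an LFI indicator."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            findings = classify_target(m["target"])
            if findings:
                hits.append((m["ip"], m["ts"], m["target"], findings))
    return hits
```

The benign "1..10" line is deliberately not flagged, since the traversal pattern requires a path separator after the dots; feed real access logs to scan_log and pivot on the source IP and timestamp of each hit.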
Compensating Controls: If immediate patching is not feasible, the following compensating controls can help mitigate risk:
- Deploy a Web Application Firewall (WAF) with rules specifically designed to detect and block LFI and directory traversal attack patterns.
- Harden the PHP configuration by ensuring allow_url_include is disabled and restricting the paths PHP can access with the open_basedir directive.
- Apply the principle of least privilege by ensuring the web server process runs with the minimal permissions necessary and cannot read sensitive files outside of the web root directory.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the high CVSS score of 8.1 and the potential for complete system compromise, this vulnerability presents a significant risk to the organization. Although this vulnerability is not currently listed on CISA's Known Exploited Vulnerabilities (KEV) catalog, its severity warrants immediate attention and remediation. We strongly recommend that all system owners prioritize the deployment of vendor-supplied patches to all affected systems. Where patching cannot be immediately performed, the compensating controls outlined above should be implemented as a matter of urgency to reduce the attack surface.