A high-severity vulnerability has been discovered in multiple Schiocco Support products, allowing an attacker to read sensitive files on the server. By tricking the application, an unauthorized user could access confidential data, such as system configuration files and user credentials. This exposure could lead to further system compromise and significant data breaches.

The vulnerability is a Local File Inclusion (LFI) flaw. It exists because the application uses user-supplied input directly within a PHP include or require statement without proper validation or sanitization. An unauthenticated remote attacker can exploit this by crafting a special request that includes directory traversal sequences (e.g., ../) to navigate the server's file system and force the application to include and display the contents of arbitrary files. This could expose sensitive information such as application source code, configuration files containing database credentials, or system files like /etc/passwd.

This vulnerability is rated as High severity with a CVSS score of 8.1. Successful exploitation could lead to a significant data breach, exposing sensitive company, employee, or customer information. The disclosure of credentials or configuration details could allow an attacker to escalate their privileges, potentially gaining deeper access to the network or full control of the affected server. The resulting business impact includes reputational damage, loss of customer trust, regulatory penalties for data exposure, and the financial cost associated with incident response and recovery.

Immediate Action: Apply the security updates provided by Schiocco Support to all affected products immediately, prioritizing internet-facing systems. After patching, it is critical to monitor for any signs of post-remediation exploitation attempts and thoroughly review historical access logs for indicators of a prior compromise.

Proactive Monitoring: Security teams should actively monitor web server access logs for requests containing directory traversal patterns such as ../, ..%2f, or other URL-encoded variations. Look for attempts to access common sensitive files (e.g., /etc/passwd, wp-config.php, .env). Implement alerts for multiple HTTP 404 or 500 error responses from a single IP address, as this can indicate an attacker is probing for the vulnerability.

Compensating Controls: If immediate patching is not feasible, deploy a Web Application Firewall (WAF) with rulesets designed to detect and block LFI and directory traversal attacks. Additionally, enforce the principle of least privilege by tightening file system permissions to ensure the web server's user account can only read files from necessary directories, limiting the impact of a successful exploit.

Public Exploit Available: false

Given the high CVSS score of 8.1 and the potential for complete server information disclosure, this vulnerability poses a significant risk to the organization. We strongly recommend that all affected Schiocco Support products be patched immediately. Although this CVE is not currently listed on the CISA KEV catalog, its severity makes it a prime target for opportunistic attackers. If patching is delayed, the compensating controls outlined above should be implemented as a matter of urgency to reduce the risk of exploitation.