A high-severity vulnerability has been identified in multiple ThemeMove Medizin products, designated CVE-2025-59555. This flaw allows an attacker to read sensitive files from the underlying server by manipulating how the application includes files. Successful exploitation could lead to the exposure of confidential data, system credentials, and other critical information, posing a significant risk to the organization's data security and operational integrity.

The vulnerability is a Local File Inclusion (LFI) flaw, categorized as an Improper Control of Filename for an Include/Require Statement. The application uses user-supplied input to construct a file path for an include or require statement without proper sanitization. An unauthenticated remote attacker can exploit this by crafting a malicious request containing directory traversal sequences (e.g., ../../) to navigate the server's file system and include arbitrary local files. This could allow the attacker to read the contents of sensitive files such as configuration files containing database credentials, system user files like /etc/passwd, or application source code.

This vulnerability presents a high risk to the organization, reflected by its CVSS score of 8.1. Exploitation can lead to a significant data breach, exposing sensitive corporate information, customer data, or intellectual property. The disclosure of credentials from configuration files could allow an attacker to gain deeper access to other systems, including databases, leading to a wider compromise. The potential consequences include severe reputational damage, financial loss from remediation efforts, and possible regulatory penalties for non-compliance with data protection standards.

Immediate Action: Organizations must apply the security updates provided by ThemeMove Medizin immediately across all affected products to patch the vulnerability. Following the update, security teams should review web server access logs for any requests indicative of exploitation attempts that may have occurred prior to patching.

Proactive Monitoring: Implement continuous monitoring of web server logs, specifically looking for URL patterns containing directory traversal characters like ../, ..%2f, or ..\\. Monitor for requests attempting to access common sensitive files such as wp-config.php, .env, /etc/passwd, or other system configuration files. Utilize a Web Application Firewall (WAF) to detect and block known LFI attack signatures.

Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) with strict rules to block directory traversal and file inclusion attack patterns. Harden the server's file system permissions to ensure the web server process has read access only to the files it legitimately needs. Additionally, ensure the PHP open_basedir directive is configured to restrict the locations from which PHP can access files.

Public Exploit Available: false

Given the high severity (CVSS 8.1) and the potential for sensitive data exposure, it is strongly recommended that organizations using affected ThemeMove Medizin products treat this vulnerability with high priority. The immediate application of vendor-supplied patches is the most effective course of action. Although this CVE is not currently on the CISA KEV list, its critical nature warrants immediate attention to prevent potential system compromise and data breaches.