A high-severity vulnerability has been identified in multiple PenciDesign Soledad products, allowing for Local File Inclusion (LFI). An unauthenticated attacker could exploit this flaw to read sensitive files from the underlying server, potentially exposing confidential data, user credentials, and system configuration details. This could lead to a significant data breach and further system compromise.

The vulnerability is classified as an Improper Control of Filename for an Include/Require Statement in PHP, commonly known as Local File Inclusion (LFI). A flaw exists where the application uses user-supplied input to construct a path to a file that is then executed or displayed. An attacker can manipulate this input using directory traversal techniques (e.g., ../../..) to force the application to include and reveal the contents of arbitrary local files on the server, such as /etc/passwd or sensitive application configuration files.

This vulnerability is rated as High severity with a CVSS score of 7.5. Successful exploitation could lead to a significant data breach by exposing sensitive information stored on the web server, including customer data, intellectual property, API keys, and database credentials. This loss of confidentiality could result in regulatory fines, reputational damage, and loss of customer trust. The information obtained could also serve as a stepping stone for attackers to conduct more severe attacks, potentially leading to a full system compromise.

Immediate Action: Apply vendor-provided security updates to all affected PenciDesign Soledad products immediately, prioritizing internet-facing systems. After patching, review web server access logs for any signs of past or ongoing exploitation attempts.

Proactive Monitoring: System administrators should actively monitor web server logs for suspicious requests containing directory traversal patterns (e.g., ../, %2e%2e/) or attempts to access common sensitive files (e.g., wp-config.php, /etc/passwd, .env). Implement alerts for multiple HTTP 4xx/5xx error responses from a single source, which may indicate scanning or exploitation attempts.

Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) with rules specifically designed to detect and block LFI and directory traversal attacks. Additionally, harden the server's file system permissions to restrict the web server user's access to only necessary files and directories, limiting the impact of a potential breach.

Public Exploit Available: false

Given the High severity (CVSS 7.5) of this vulnerability and its potential for exposing highly sensitive data, immediate remediation is strongly recommended. Although CVE-2025-59588 is not currently listed on the CISA KEV list, the risk of data breach and follow-on attacks is significant. We advise prioritizing the deployment of vendor patches across all affected systems without delay to mitigate the risk of compromise.