A high-severity vulnerability has been identified in multiple ThimPress Eduma products, tracked as CVE-2025-64195. This flaw allows an attacker to trick the application into including and executing unintended files on the server, a technique known as Local File Inclusion (LFI). Successful exploitation could lead to the exposure of sensitive information, such as configuration files and user data, or potentially allow an attacker to run arbitrary code and take control of the affected server.

The vulnerability is a Local File Inclusion (LFI) flaw within the PHP code of the affected products. An attacker can exploit this by manipulating an input parameter that the application uses to construct a file path for an include() or require() statement. By crafting a malicious input containing path traversal sequences (e.g., ../../), an attacker can force the application to read and potentially execute files from arbitrary locations on the server's filesystem that the web server process has access to. This could allow an attacker to read sensitive files like wp-config.php (exposing database credentials) or, in certain configurations, include a poisoned log file to achieve remote code execution.

This vulnerability is rated as High severity with a CVSS score of 7.6. Exploitation could have a significant negative impact on the business. The primary risks include a data breach resulting from the theft of sensitive information (e.g., database credentials, user data, application source code) and a full system compromise if an attacker achieves remote code execution. Such an incident could lead to severe reputational damage, regulatory fines, financial loss, and extended operational downtime for recovery and incident response efforts.

Immediate Action: The primary and most effective remediation is to apply the security updates provided by the vendor immediately across all affected systems. After patching, it is critical to monitor for any signs of post-patch exploitation attempts and to review historical web server access logs for indicators of compromise that may have occurred prior to the patch.

Proactive Monitoring: Security teams should actively monitor web server logs for suspicious requests targeting the application. Look for patterns indicative of LFI attacks, such as the use of path traversal sequences (../, ..\/, %2e%2e%2f), requests attempting to access common sensitive files (/etc/passwd, wp-config.php), or the inclusion of log files (/var/log/). Monitor for unusual file modifications or outbound network connections from the web server, which could indicate a successful compromise.

Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) with rules specifically designed to detect and block LFI and path traversal attack patterns. Additionally, harden the server's file permissions to ensure the web server process has read access only to the files and directories it absolutely requires, limiting the impact of a potential breach.

Public Exploit Available: false

Given the high CVSS score of 7.6 and the potential for complete system compromise, this vulnerability presents a significant risk. Although it is not currently listed on the CISA KEV catalog and no public exploits are available, we strongly recommend that organizations prioritize the immediate application of vendor-supplied patches. The ease of exploitation for LFI vulnerabilities means that the window of opportunity for attackers is likely to be small once a proof-of-concept becomes public. Proactive patching is the most critical step to prevent a potential data breach or server takeover.