A high-severity vulnerability exists in the Mikado-Themes Curly product, identified as CVE-2025-67936. This flaw allows an attacker to trick the web application into reading sensitive files directly from the server's filesystem, which could expose confidential data like system passwords or application credentials. This exposure could lead to a significant data breach and further compromise of the affected server.

This vulnerability is a Local File Inclusion (LFI). It occurs because the application does not properly validate user-supplied input used in a filename for a PHP include or require statement. An unauthenticated remote attacker can exploit this by crafting a special request, typically manipulating a URL parameter with path traversal sequences (e.g., ../../), to force the application to include and display the contents of arbitrary files on the server. This could be used to read sensitive configuration files, system user information, or application source code.

This vulnerability is rated as High severity with a CVSS score of 8.1. Successful exploitation could lead to significant business impact, including the unauthorized disclosure of sensitive information such as customer data, database credentials, and other proprietary information stored on the server. This could result in a major data breach, leading to regulatory fines, reputational damage, and loss of customer trust. Furthermore, information gathered through this vulnerability could be used by an attacker to facilitate further attacks, potentially leading to a full system compromise.

Immediate Action: The primary remediation is to apply the security updates provided by the vendor to all affected systems immediately. After patching, it is crucial to review web server and application access logs for any signs of exploitation attempts that may have occurred prior to the patch.

Proactive Monitoring: Security teams should actively monitor web server access logs for requests containing path traversal payloads, such as ../, ..%2f, or other variations. Implement alerts within a Security Information and Event Management (SIEM) system to detect these patterns. Monitor for unusual file access attempts by the web server user account on the host operating system.

Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) with rules specifically designed to detect and block Local File Inclusion and path traversal attacks. Additionally, harden the server's file permissions to ensure the web server process has read access only to the files it legitimately needs. Restricting PHP's open_basedir directive can also limit the files that can be accessed by the application.

Public Exploit Available: false

Given the high CVSS score of 8.1 and the risk of sensitive data exposure, this vulnerability poses a significant threat to the organization. Although it is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog, its severity warrants immediate attention. We strongly recommend that all affected instances of the Mikado-Themes Curly product be identified and patched immediately. If patching is delayed, the compensating controls outlined above, particularly the use of a WAF, should be implemented as a critical interim measure to mitigate risk.