A high-severity vulnerability has been identified in the Thembay Diza product, which could allow an unauthenticated attacker to read sensitive files on the underlying server. Successful exploitation could lead to the exposure of confidential data, system credentials, and application source code, potentially enabling further attacks against the organization's infrastructure.

This vulnerability is a Local File Inclusion (LFI) flaw stemming from an improper control of filenames used in PHP's include or require statements. An attacker can manipulate an input parameter, likely a URL query string, to force the application to include and display the contents of arbitrary local files on the server. For example, an attacker could craft a request to read sensitive system files like /etc/passwd or application configuration files containing database credentials, bypassing normal access controls.

This vulnerability is rated as High severity with a CVSS score of 7.5. Exploitation of this flaw could have a significant business impact, including the breach of sensitive corporate or customer data, intellectual property theft, and exposure of internal system credentials. The stolen information could be leveraged to facilitate deeper network intrusion, leading to a more widespread system compromise. Such an incident could result in severe reputational damage, regulatory fines, and financial loss.

Immediate Action: The primary remediation is to apply the security updates provided by the vendor immediately across all affected instances of the Thembay Diza product. After patching, review web server and application access logs for any signs of past or ongoing exploitation attempts.

Proactive Monitoring: Security teams should actively monitor web server logs for requests containing directory traversal patterns (e.g., ../), absolute file paths (e.g., /etc/), and PHP wrappers (e.g., php://filter) in URL parameters. Implement alerts for multiple failed file access attempts or requests for common sensitive files, which may indicate scanning or exploitation activity.

Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) with rules specifically designed to detect and block LFI and directory traversal attack patterns. Additionally, consider hardening the PHP configuration on the server by disabling allow_url_include and restricting file system access for the web server user with the open_basedir directive.

Public Exploit Available: false

Given the high severity (CVSS 7.5) of this vulnerability and the potential for sensitive data exposure, it is critical that organizations take immediate action. Although this CVE is not currently on the CISA Known Exploited Vulnerabilities (KEV) catalog, its potential impact warrants urgent attention. We strongly recommend prioritizing the deployment of the vendor-supplied patches to all affected systems to mitigate the risk of compromise.