CVE-2025-68985

thembay · thembay Aora

A critical vulnerability has been identified in the thembay Aora product, which could allow an unauthenticated attacker to read sensitive files from the web server.

Executive summary

Successful exploitation of this flaw could lead to the disclosure of confidential data, credentials, or even complete system compromise. Organizations using the affected software are urged to apply the recommended update immediately to mitigate this significant risk.

Vulnerability

The vulnerability is a Local File Inclusion (LFI) flaw within the PHP code of the Aora product. It arises from the application's failure to properly sanitize user-supplied input that is used to construct a file path for an include or require statement. An unauthenticated remote attacker can exploit this by crafting a special request, typically manipulating a URL parameter, to include directory traversal sequences (../). This allows the attacker to navigate outside of the intended directory and force the application to include and display the contents of arbitrary files on the server's filesystem, such as /etc/passwd, application configuration files containing database credentials, or server logs. In certain server configurations, this LFI vulnerability could be escalated to achieve remote code execution (RCE), leading to a full system compromise.

Business impact

This vulnerability is rated as critical severity with a CVSS score of 9.8, posing a severe risk to the organization. Exploitation can lead to the immediate breach of sensitive data, including customer information, intellectual property, and system credentials. This data exposure could result in significant financial losses, regulatory penalties (e.g., under GDPR or CCPA), and severe reputational damage. If the vulnerability is escalated to remote code execution, an attacker could gain complete control of the affected server, using it to pivot further into the network, deploy ransomware, or disrupt business operations entirely.

Remediation

Immediate Action: Update the thembay Aora product to the latest version available from the vendor, which is confirmed to be patched against this vulnerability (any version after 1.3.15). After patching, thoroughly review server access logs for any signs of past or ongoing exploitation attempts.

Proactive Monitoring: Implement enhanced monitoring of web server access logs. Specifically, search for HTTP requests containing common LFI patterns, such as directory traversal sequences (../, ..%2f, ..\), absolute file paths (/etc/, C:\), and PHP wrappers (php://filter, php://input). Utilize a Web Application Firewall (WAF) or Intrusion Detection System (IDS) with rules designed to detect and block LFI attacks.
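As an added illustration of the log review described above (example code, not part of the advisory or the vendor's product), the following Python script applies the listed indicators to a few constructed access-log entries. The repeated URL-decoding step is my own addition so that double-encoded traversal sequences (..%252f) are not missed by a single-pass search.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log entries (combined format), not taken from the advisory.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2025:13:55:36 +0000] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2025:13:55:37 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 1024 "-" "curl/8.0"
203.0.113.5 - - [10/Oct/2025:13:55:38 +0000] "GET /index.php?page=..%252f..%252fetc%252fpasswd HTTP/1.1" 200 1024 "-" "curl/8.0"
203.0.113.5 - - [10/Oct/2025:13:55:39 +0000] "GET /index.php?page=php://input HTTP/1.1" 200 2048 "-" "curl/8.0"
203.0.113.5 - - [10/Oct/2025:13:55:40 +0000] "GET /assets/logo.png HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
"""

# Indicators named in the advisory's monitoring guidance, matched after URL-decoding.
LFI_INDICATORS = [
    (re.compile(r"\.\.[/\\]"), "directory traversal"),
    (re.compile(r"/etc/"), "absolute unix path"),
    (re.compile(r"[A-Za-z]:\\"), "absolute windows path"),
    (re.compile(r"php://(?:filter|input)", re.IGNORECASE), "php wrapper"),
]

# The quoted request line of a combined-format entry: "METHOD target HTTP/x.y".
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def fully_decode(value: str, max_rounds: int = 3) -> str:
    """URL-decode until stable so a double-encoded ..%252f is seen as ../ (assumed step)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify_request(target: str) -> list:
    """Return the indicator names present in the decoded request target."""
    decoded = fully_decode(target)
    return [name for pattern, name in LFI_INDICATORS if pattern.search(decoded)]

def scan_access_log(text: str) -> list:
    """Return (line number, raw target, indicators) for suspicious entries only."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        match = REQUEST_LINE.search(line)
        if match:
            indicators = classify_request(match.group("target"))
            if indicators:
                hits.append((lineno, match.group("target"), indicators))
    return hits
```

Calling scan_access_log(SAMPLE_LOG) flags lines 2, 3 and 4 of the sample; only the request target is inspected, so the slashes in the timestamp and user-agent fields do not produce false hits.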

Compensating Controls: If immediate patching is not feasible, implement the following compensating controls to reduce risk:

  • Deploy a WAF and configure it with strict rules to block requests containing LFI signatures.
  • Harden the server's PHP configuration by using the open_basedir directive to restrict the file paths PHP can access.
  • Ensure the web server process is running with the lowest possible privileges to limit an attacker's access to sensitive system files.
  • Conduct a security audit of the affected application and surrounding infrastructure to identify and secure any exposed sensitive files.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the critical severity (CVSS 9.8) of this vulnerability, we strongly recommend that immediate action be taken. All instances of thembay Aora version 1.3.15 and earlier must be updated to a patched version without delay. This vulnerability represents a direct and severe threat of data breach and system compromise. While this CVE is not currently listed on the CISA KEV catalog, its critical nature warrants treatment with the highest priority, equivalent to that of a KEV-listed vulnerability.