A high-severity vulnerability has been identified in multiple VanKarWai Calafate products, assigned CVE-2025-69342. This flaw allows an unauthenticated, remote attacker to trick the application into reading and displaying the contents of sensitive files on the server. Successful exploitation could lead to the exposure of confidential data, such as configuration files, source code, and system credentials, posing a significant risk to data privacy and system integrity.

The vulnerability is a Local File Inclusion (LFI) flaw resulting from improper input validation. The application uses a PHP include or require statement with user-supplied data without properly sanitizing it. An attacker can exploit this by crafting a malicious request containing directory traversal sequences (e.g., ../) to navigate the server's file system and access files outside of the intended web root directory. This could allow the attacker to read sensitive system files, application source code, or configuration files containing credentials.

This vulnerability is rated as High severity with a CVSS score of 7.5. Exploitation could lead to a significant data breach by exposing sensitive information stored on the server, including customer data, intellectual property, and system credentials. The disclosure of such information can result in financial loss, reputational damage, regulatory penalties, and provide attackers with the necessary information to conduct further, more severe attacks against the organization's infrastructure.

Immediate Action: Organizations must apply the security updates provided by VanKarWai Calafate to all affected systems immediately. After patching, it is critical to review web server and application access logs for any signs of exploitation attempts that may have occurred prior to remediation.

Proactive Monitoring: Security teams should actively monitor web server logs for requests containing directory traversal patterns such as ../, ..%2f, %2e%2e/, and other variants targeting the affected application endpoints. Implement file integrity monitoring on critical system and application files to detect unauthorized access or changes.

Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) with rules designed to detect and block directory traversal attack patterns. Additionally, enforce strict file permissions on the web server to limit the web process user's access to files outside of the web root directory, minimizing the impact of a potential breach.

Public Exploit Available: false

Given the high severity (CVSS 7.5) and the significant risk of sensitive data exposure, we strongly recommend that organizations prioritize the immediate application of the vendor-supplied patches. Although this vulnerability is not currently listed on the CISA KEV list, its potential impact warrants urgent attention. Organizations should treat this as a critical vulnerability and proceed with the remediation plan to mitigate the risk of a data breach.