CVE-2025-58214 in Indutri Plugin
Summary
by MITRE • 09/05/2025
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in gavias Indutri allows PHP Local File Inclusion. This issue affects Indutri: from n/a through n/a.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 09/05/2025
The CVE-2025-58214 vulnerability represents a critical PHP Remote File Inclusion flaw that enables attackers to manipulate include/require statements within the gavias Indutri application. This vulnerability stems from improper validation of filename parameters passed to PHP's include or require functions, creating an avenue for remote code execution through malicious file inclusion attacks. The flaw exists in the application's handling of user-supplied input that directly influences file inclusion logic, allowing adversaries to specify arbitrary file paths or URLs for inclusion.
This vulnerability directly maps to CWE-88, which describes improper control of filename for include/require statements, and falls under the broader category of CWE-94, representing improper control of code generation capabilities. The attack vector leverages the fundamental PHP functionality where include/require statements can dynamically load files based on runtime parameters, making the application susceptible when these parameters are not properly sanitized or validated. The vulnerability specifically impacts the gavias Indutri platform, where user-controllable input flows into file inclusion mechanisms without adequate security controls.
The operational impact of this vulnerability is severe as it allows remote attackers to execute arbitrary code on the affected server, potentially leading to complete system compromise. An attacker could leverage this flaw to include malicious PHP files hosted on remote servers, thereby gaining unauthorized access to the application's underlying system. The vulnerability enables a range of malicious activities including data exfiltration, privilege escalation, and persistent backdoor installation. The attack surface is particularly concerning because it can be exploited without authentication, making it accessible to any remote user who can influence the include/require parameters.
Security mitigations for this vulnerability should focus on implementing strict input validation and sanitization for all parameters used in file inclusion operations. The recommended approach involves using allowlists of approved file paths, implementing absolute path resolution for included files, and avoiding direct user input in include/require statements. Organizations should also implement proper parameter validation using functions like filter_var with appropriate filters, and consider using PHP's open_basedir directive to restrict file inclusion to specific directories. Additionally, the application should employ proper error handling to prevent information disclosure that could aid attackers in crafting successful exploitation payloads. This vulnerability aligns with ATT&CK technique T1190, which describes exploiting vulnerabilities in web applications to gain remote code execution capabilities, and T1059, representing command and scripting interpreters used for code execution.