CVE-2025-49251

EUVD-2025-18533 | Severity: HIGH | Published: 2025-06-17 | CVSS 3.1 base score: 8.1

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

EUVD ID Assigned: Mar 14, 2026 - 22:15 (euvd) - EUVD-2025-18533
Analysis Generated: Mar 14, 2026 - 22:15 (vuln.today)
CVE Published: Jun 17, 2025 - 15:15 (nvd)

Description

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Fana allows PHP Local File Inclusion. This issue affects Fana: from n/a through 1.1.28.

Analysis

PHP Local File Inclusion (LFI) vulnerability in thembay Fana versions through 1.1.28 that allows unauthenticated remote attackers to include and execute arbitrary files through improper control of filename parameters in PHP include/require statements. The high CVSS score of 8.1 reflects the potential for confidentiality, integrity, and availability impact, though the High attack complexity rating (AC:H) suggests exploitation requires specific conditions or knowledge of the application architecture. No listing in CISA's Known Exploited Vulnerabilities (KEV) catalog or widespread active exploitation is documented, but the 2025 CVE date indicates this is a recently disclosed vulnerability requiring immediate attention from Fana users.

Technical Context

The vulnerability stems from CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program), a class of defects where user-controlled input is passed unsanitized to PHP's include(), require(), include_once(), or require_once() functions. In thembay Fana (a PHP-based application/theme/plugin), an attacker can manipulate filename parameters to point to arbitrary local files on the server filesystem. Unlike Remote File Inclusion (RFI), LFI is constrained to files accessible to the web server process, but can still lead to code execution through techniques such as log file inclusion (if logs contain attacker-controlled content), session file inclusion, or temporary file inclusion. The affected product identifier would be: cpe:2.3:a:thembay:fana:*:*:*:*:*:*:*:* (versions up to 1.1.28). This vulnerability is particularly dangerous in shared hosting environments where attackers can chain LFI with other attack vectors (e.g., mail header injection to write to log files).
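The following is an added illustration of the CWE-98 pattern described above and of the usual fix; it is not code from Fana, thembay, or this record, and the function names, template keys, and directory layout are hypothetical. The unsafe function shows a request value flowing straight into include(); the hardened version maps the request value to a fixed allowlist of template files and then confirms the resolved path still lies inside the template directory, so the request parameter is never used as a path at all.

```php
<?php
// Added example (not Fana's code): CWE-98 pattern and its hardened form.
// All names below are hypothetical.

// VULNERABLE pattern: the request parameter becomes part of the include path,
// so any file readable by the web server process can be included (LFI).
function render_template_unsafe(array $request, string $templateDir): void
{
    $name = $request['template'] ?? 'default';
    include $templateDir . '/' . $name . '.php';
}

// HARDENED: the request value is only ever a key into a fixed allowlist.
const TEMPLATE_ALLOWLIST = [
    'default' => 'default.php',
    'grid'    => 'grid.php',
    'list'    => 'list.php',
];

// Returns the absolute path of an allowlisted template, or null if the
// request names anything else (unknown key, non-string, missing file,
// or a file that resolves outside the template directory).
function resolve_template(array $request, string $templateDir): ?string
{
    $name = $request['template'] ?? 'default';
    if (!is_string($name) || !array_key_exists($name, TEMPLATE_ALLOWLIST)) {
        return null; // refuse unknown names rather than guessing
    }
    $base = realpath($templateDir);
    $path = realpath($templateDir . '/' . TEMPLATE_ALLOWLIST[$name]);
    // Defense in depth: the resolved file must live inside $templateDir.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

function render_template(array $request, string $templateDir): void
{
    $path = resolve_template($request, $templateDir);
    if ($path === null) {
        http_response_code(400);
        echo 'Unknown template';
        return;
    }
    include $path;
}

// Self-check with a constructed template directory (no real request needed).
$dir = sys_get_temp_dir() . '/tpl_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents("$dir/grid.php", "<?php echo 'grid template';");

var_dump(resolve_template(['template' => 'grid'], $dir) === realpath("$dir/grid.php")); // bool(true)
var_dump(resolve_template(['template' => '../../../secret'], $dir));                     // NULL
var_dump(resolve_template(['template' => 'list'], $dir));                                // NULL (file absent)
var_dump(resolve_template(['template' => ['grid']], $dir));                              // NULL (not a string)

unlink("$dir/grid.php");
rmdir($dir);
```

The allowlist is the actual control; the realpath() containment check only guards against a mistake in the allowlist itself (for example a symlinked template) and is not a substitute for it. Rejecting non-string input matters because PHP query parsing turns `template[]=grid` into an array, which would otherwise reach string concatenation or realpath() with a warning instead of a clean refusal.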

Affected Products

Fana (1.1.28 and earlier)

Priority Score

41 (scale: Low / Medium / High / Critical)
Components: KEV: 0, EPSS: +0.2, CVSS: +40, POC: 0


CVE-2025-49251 vulnerability details – vuln.today
