CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in RealMag777 HUSKY allows PHP Local File Inclusion. This issue affects HUSKY: from n/a through 1.3.7.
Analysis
CVE-2025-52708 is a PHP Local File Inclusion (LFI) vulnerability in RealMag777 HUSKY versions up to and including 1.3.7, caused by improper control of the filename passed to include/require statements. An authenticated attacker with low privileges (PR:L) can exploit it over the network to read arbitrary files from the server filesystem, potentially leading to information disclosure, code execution, or system compromise. The CVSS 7.5 score, the high attack complexity (AC:H) and the need for authenticated access suggest moderate real-world risk; active exploitation and public POC availability are not confirmed by the available data, but the vulnerability class (CWE-98, RFI/LFI) has historically been high-value for attackers.
Technical Context
This vulnerability exists in the RealMag777 HUSKY application (CPE: cpe:2:3:realmaag777:husky) and is an instance of CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program. The root cause is insufficient validation of user-supplied input before it is passed to PHP's include(), require(), include_once(), or require_once(). When an attacker controls the filename parameter, they can traverse the filesystem (e.g., using '../' sequences or absolute paths) or, depending on configuration, reach non-file or remote resources through PHP stream wrappers (php://, data://, file://, or phar://). The vulnerability affects HUSKY from an unspecified baseline through version 1.3.7, indicating a long-standing exposure window. The CVSS vector (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) describes a network-accessible attack with high complexity and a low privilege requirement, suggesting the vulnerable code path is reachable only through authenticated sessions or specific application states.
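To make the root cause concrete, the following is an added illustration written for this page; it is not HUSKY's code and does not reproduce the vulnerable code path, which is not published here. It shows the generic CWE-98 pattern (a request value flowing into include()) next to an allowlist-based replacement in which the user-supplied value is only ever a lookup key. The 'view' parameter name, the templates/ directory and the view names are assumptions made for the example; the script builds a throwaway templates directory so it runs offline.

```php
<?php
// Added illustration, not HUSKY's code: a generic template loader that shows
// the CWE-98 pattern next to an allowlist-based replacement. The 'view'
// parameter, the templates/ directory and the view names are assumptions.
declare(strict_types=1);

// VULNERABLE: the request parameter is the include target. Traversal
// sequences and stream wrappers are honoured because nothing is checked.
function render_view_vulnerable(string $requested): void
{
    include $requested;
}

// HARDENED: the request value is only ever a key into a fixed map; the
// string that reaches include() is built entirely from trusted constants.
const VIEW_ALLOWLIST = [
    'list'   => 'list.php',
    'detail' => 'detail.php',
];

function resolve_view(string $requested, string $templateDir): ?string
{
    if (!array_key_exists($requested, VIEW_ALLOWLIST)) {
        return null;                        // not on the allowlist: reject
    }
    $base = realpath($templateDir);
    $path = realpath($templateDir . '/' . VIEW_ALLOWLIST[$requested]);
    // Defence in depth: confirm the resolved file really sits under the
    // template directory, so a mis-edited allowlist entry cannot escape it.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function render_view_hardened(string $requested, string $templateDir): void
{
    $path = resolve_view($requested, $templateDir);
    if ($path === null) {
        if (PHP_SAPI !== 'cli') {
            http_response_code(400);
        }
        echo "Unknown view\n";
        return;
    }
    include $path;
}

// Self-contained demonstration: create a temporary templates/ directory and
// a file outside it, then exercise the hardened loader with both legitimate
// view names and values that must be rejected.
$dir = sys_get_temp_dir() . '/lfi-demo-' . bin2hex(random_bytes(4));
mkdir($dir . '/templates', 0700, true);
file_put_contents($dir . '/templates/list.php', "<?php echo \"list view\\n\";\n");
file_put_contents($dir . '/templates/detail.php', "<?php echo \"detail view\\n\";\n");
file_put_contents($dir . '/outside.txt', "must never be included\n");

$templates = $dir . '/templates';
render_view_hardened('list', $templates);
render_view_hardened('detail', $templates);
render_view_hardened('../outside.txt', $templates);
render_view_hardened('php://filter/resource=list.php', $templates);

// Clean up the temporary files.
unlink($dir . '/templates/list.php');
unlink($dir . '/templates/detail.php');
unlink($dir . '/outside.txt');
rmdir($dir . '/templates');
rmdir($dir);
```

Run with `php lfi-demo.php`: the two allowlisted names render their templates, while the traversal value and the wrapper value both produce "Unknown view" because they are never looked up as paths at all. The realpath() containment check is deliberately redundant with the allowlist; it costs little and protects against a later edit that puts a relative path or symlink target into the map.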
Affected Products
RealMag777 HUSKY: versions from an unspecified baseline ("n/a" in the advisory) through 1.3.7 (inclusive). Affected CPE: cpe:2:3:realmaag777:husky:*:*:*:*:*:*:*:*. No patch version or fixed-in version is explicitly stated in the available data; the vendor (RealMag777) advisory or patch notes should be consulted directly. Organizations running HUSKY versions ≤1.3.7 are in scope; those on versions >1.3.7 are presumed patched unless otherwise noted.
Remediation
1) Upgrade RealMag777 HUSKY to a version >1.3.7 as soon as one is available (check the vendor's release notes at RealMag777 official channels).
2) Until patching is possible, validate every user-supplied filename parameter before it reaches include/require: map the request value to a fixed allowlist of permitted files rather than trying to sanitize arbitrary paths, and reject anything not on the list.
3) Set allow_url_include=Off (and allow_url_fopen=Off where the application does not need it) in php.ini so that include/require cannot load URL-based resources. allow_url_include already defaults to Off and is deprecated since PHP 7.4, but confirm it has not been enabled; note that this setting does not block local wrappers such as php://filter or phar://, so step 2 remains the primary control.
4) Restrict filesystem permissions for the web server process so that a successful LFI exposes as little as possible; the PHP process should not be able to read configuration or credential files it does not need.
5) Deploy Web Application Firewall (WAF) rules that detect and block directory traversal patterns (../, %2e%2e%2f, including double-encoded forms) and stream-wrapper prefixes in include/require payloads.
6) Monitor application and web-server logs for unusual include/require activity, traversal sequences in request parameters, or unexpected filesystem access patterns.
7) Review the RealMag777 advisory for patch details and additional mitigation guidance.
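For steps 5 and 6, the following added example (written for this page, not vuln.today's or the vendor's tooling) scans web-server access-log lines for the traversal and wrapper patterns the list names. The log lines are constructed, the request path /index.php and the parameter name view are hypothetical, and the IP addresses are documentation ranges. Values are percent-decoded repeatedly before matching so that double-encoded traversal (%252e%252e%252f) is not missed.

```php
<?php
// Added example: scan access-log lines for LFI indicators. The log lines,
// the /index.php?view= request shape and the IP addresses are constructed
// for this illustration and do not describe the HUSKY code path.
declare(strict_types=1);

function sample_log(): string
{
    return <<<'LOG'
203.0.113.10 - - [12/Jun/2025:10:01:02 +0000] "GET /index.php?view=list HTTP/1.1" 200 512
203.0.113.10 - - [12/Jun/2025:10:01:09 +0000] "GET /index.php?view=../../config.php HTTP/1.1" 200 2048
198.51.100.7 - - [12/Jun/2025:10:02:15 +0000] "GET /index.php?view=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1800
198.51.100.7 - - [12/Jun/2025:10:02:20 +0000] "GET /index.php?view=%252e%252e%252fetc%252fpasswd HTTP/1.1" 400 60
192.0.2.5 - - [12/Jun/2025:10:03:00 +0000] "GET /index.php?view=php://filter/convert.base64-encode/resource=index.php HTTP/1.1" 200 900
192.0.2.5 - - [12/Jun/2025:10:03:30 +0000] "POST /login.php HTTP/1.1" 302 0
LOG;
}

// Decode until the string stops changing (bounded) so that double- and
// triple-encoded traversal sequences are compared in their plain form.
function fully_decode(string $s): string
{
    for ($i = 0; $i < 3; $i++) {
        $d = rawurldecode($s);
        if ($d === $s) {
            break;
        }
        $s = $d;
    }
    return $s;
}

// Return the list of reasons a request target looks like an LFI attempt.
// An empty array means nothing matched.
function classify_request(string $target): array
{
    $decoded = fully_decode($target);
    $reasons = [];
    if (preg_match('#\.\.[/\\\\]#', $decoded)) {
        $reasons[] = 'traversal';           // ../ or ..\ anywhere in the target
    }
    if (preg_match('#\b(?:php|data|phar|file|https?|ftp)://#i', $decoded)) {
        $reasons[] = 'wrapper';             // stream wrapper or URL as a value
    }
    if (preg_match('#[=&]/(?:etc|proc|var|usr|home|root|windows)/#i', $decoded)) {
        $reasons[] = 'absolute-path';       // parameter value starting at a system dir
    }
    return $reasons;
}

// Parse combined-format lines and keep those with at least one indicator.
function scan_log(string $log): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})/', $line, $m)) {
            continue;                       // unparseable line: skip here
        }
        [, $ip, $ts, $method, $target, $status] = $m;
        $reasons = classify_request($target);
        if ($reasons !== []) {
            $hits[] = [
                'ip' => $ip, 'time' => $ts, 'method' => $method,
                'status' => (int) $status, 'target' => $target, 'reasons' => $reasons,
            ];
        }
    }
    return $hits;
}

$hits = scan_log(sample_log());
$byIp = [];
foreach ($hits as $h) {
    // A 2xx on a flagged request deserves more attention than a blocked 4xx.
    $note = $h['status'] < 400 ? 'SERVED' : 'rejected';
    printf("%-14s %s %s %s [%s] %s\n", $h['ip'], $h['time'], $h['method'],
        $h['target'], implode(',', $h['reasons']), $note);
    $byIp[$h['ip']] = ($byIp[$h['ip']] ?? 0) + 1;
}
arsort($byIp);
foreach ($byIp as $ip => $count) {
    printf("%s: %d flagged request(s)\n", $ip, $count);
}
```

On the constructed input the four requests carrying traversal or wrapper indicators are listed, the plain list view and the login POST are not, and the per-IP tally shows which clients repeated the pattern. The status column matters for triage: a flagged request that was served with a 2xx (and, as in the second line, a larger response body than the normal view) is the one to investigate first, while the 400 shows an attempt the application rejected. The wrapper and absolute-path rules will produce false positives on applications that legitimately pass URLs or paths in parameters, so tune them to the parameters the application actually uses.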
EUVD-2025-28451