CVE-2025-22133
📋 TL;DR
CVE-2025-22133 is a critical arbitrary file upload vulnerability in WeGIA, an open-source web management system for charitable institutions. The upload handler at /WeGIA/html/socio/sistema/controller/controla_xlsx.php accepts .phar files from unauthenticated clients, and web servers configured for PHP commonly hand .phar files to the PHP interpreter, so the upload yields remote code execution on the server. All WeGIA versions prior to 3.2.8 are affected; institutions running a vulnerable version should treat the host as exposed to full compromise until it is upgraded.
💻 Affected Systems
- WeGIA, all versions prior to 3.2.8
📦 What is this software?
WeGIA is an open-source, PHP-based web management system for charitable institutions, developed by the WeGIA project (source and security advisories at https://github.com/nilsonLazarin/WeGIA).
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise leading to data theft, ransomware deployment, lateral movement within the network, and complete system destruction.
Likely Case
Remote code execution allowing attackers to install backdoors, steal sensitive donor and beneficiary data, and use the server for further attacks.
If Mitigated
With strict upload validation on the endpoint and PHP execution disabled in the upload directory, an attacker can at most place a file on disk that the server will not execute; impact is then limited to disk consumption and whatever the application later does with the stored file.
🎯 Exploit Status
Exploitation requires no authentication and no special tooling: a single multipart/form-data HTTP POST carrying a .phar file to the upload endpoint, followed by a request for the uploaded file, is enough. Treat Internet-exposed instances as actively exploitable.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.2.8
Vendor Advisory: https://github.com/nilsonLazarin/WeGIA/security/advisories/GHSA-mjgr-2jxv-v8qf
Restart Required: No for the file replacement itself. If PHP runs with OPcache and opcache.validate_timestamps=0, restart PHP-FPM (or the Apache PHP module) so the cached pre-patch scripts are discarded.
Instructions:
1. Back up the current WeGIA installation and its database.
2. Download WeGIA version 3.2.8 from the official repository.
3. Replace the installed files with the new version and re-apply any local configuration afterwards.
4. Confirm that /WeGIA/html/socio/sistema/controller/controla_xlsx.php now matches the 3.2.8 file and rejects any upload other than the spreadsheet it expects, in particular anything with a .phar extension.
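The checks that step 4 asks you to confirm, modelled as an added Python example. This is not WeGIA's code (WeGIA is written in PHP) and not the 3.2.8 patch; it shows the validation order that makes a .phar upload fail whatever name or container it arrives in. All names, the size limit and the required OOXML entries are assumptions for the example, and the sample archives are constructed inline.

```python
"""Model of the upload checks a patched spreadsheet upload handler should perform.

Added example, not WeGIA's code and not the vendor patch. Every name and limit
here is hypothetical; the sample archives are constructed for the demo.
"""
import io
import os
import secrets
import zipfile

ALLOWED_EXTENSIONS = {"xlsx"}          # the endpoint only ever needs spreadsheets
MAX_BYTES = 10 * 1024 * 1024           # assumed size limit
ZIP_MAGIC = b"PK\x03\x04"              # an .xlsx is an OOXML ZIP container
# Byte sequences that never belong in a spreadsheet but do in PHP code or a
# phar stub (every phar, zip-based ones included, carries __HALT_COMPILER).
PHP_MARKERS = (b"<?php", b"<?=", b"__HALT_COMPILER")
OOXML_REQUIRED = {"[Content_Types].xml", "xl/workbook.xml"}


class UploadRejected(ValueError):
    """Raised with a short reason when an upload fails validation."""


def validate_xlsx_upload(original_name: str, data: bytes) -> str:
    """Validate an uploaded spreadsheet; return a safe server-generated filename.

    The client-supplied name is used only to read the extension. Rejects
    oversize files, any extension other than .xlsx (so report.xlsx.phar and
    shell.phar both fail), non-ZIP content, ZIPs that are not OOXML workbooks,
    unsafe member paths, and members that begin with PHP or phar markers.
    """
    if len(data) > MAX_BYTES:
        raise UploadRejected("file too large")
    # basename() strips directories, so "../../x.xlsx" cannot escape the upload dir.
    base = os.path.basename(original_name.replace("\\", "/"))
    ext = base.rsplit(".", 1)[1].lower() if "." in base else ""
    if ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension {ext!r} not allowed")
    if not data.startswith(ZIP_MAGIC):
        raise UploadRejected("not a ZIP/OOXML container")
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            if not OOXML_REQUIRED.issubset(zf.namelist()):
                raise UploadRejected("ZIP is not an OOXML workbook")
            for info in zf.infolist():
                name = info.filename
                if name.startswith("/") or ".." in name.split("/"):
                    raise UploadRejected("unsafe archive member path")
                with zf.open(info) as member:
                    head = member.read(4096)   # markers sit at the start of a stub
                if any(marker in head for marker in PHP_MARKERS):
                    raise UploadRejected("archive member contains a PHP/phar stub")
    except zipfile.BadZipFile:
        raise UploadRejected("corrupt ZIP") from None
    # Never store under the client's name: random name, fixed extension.
    return f"{secrets.token_hex(16)}.xlsx"


def classify_upload(original_name: str, data: bytes) -> str:
    """Return "accepted" or the rejection reason, for logging and for tests."""
    try:
        validate_xlsx_upload(original_name, data)
        return "accepted"
    except UploadRejected as exc:
        return str(exc)


def build_sample_zip(extra_member=None) -> bytes:
    """Constructed sample: a minimal OOXML skeleton, optionally with one extra member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if extra_member:
            zf.writestr(*extra_member)
    return buf.getvalue()


if __name__ == "__main__":
    good = build_sample_zip()
    phar_in_zip = build_sample_zip((".phar/stub.php", "<?php __HALT_COMPILER(); ?>"))
    for name, blob in [("report.xlsx", good), ("shell.phar", good),
                       ("report.xlsx.phar", good),
                       ("report.xlsx", b"<?php system($_GET['c']);"),
                       ("report.xlsx", phar_in_zip)]:
        print(f"{name:18} -> {classify_upload(name, blob)}")
```

The marker scan is defence in depth, not the primary control: the checks that actually close this class of bug are the extension allowlist on the original name, the server-generated storage name with a fixed extension, and an upload directory from which the web server never executes PHP.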
🔧 Temporary Workarounds
Block access to vulnerable endpoint
Temporarily block access to the vulnerable PHP file in the web server configuration. This disables the spreadsheet import feature until the patch is applied. The Apache snippet uses the 2.2-style Order/Deny directives; on Apache 2.4 use `Require all denied` instead, and make sure AllowOverride permits the .htaccess file. In nginx, regex locations are matched in order of appearance, so this block must come before the generic `\.php$` location that hands requests to PHP-FPM, otherwise the request is executed before the deny is reached.
# For Apache: add to .htaccess
<Files "controla_xlsx.php">
Order Allow,Deny
Deny from all
</Files>
# For Nginx: add to server block
location ~* /controla_xlsx\.php$ {
deny all;
return 403;
}
Disable PHP execution in upload directory
Prevent the web server from executing anything in the directory WeGIA writes uploads to. The rules deny web access to .php and .phar files there, so an uploaded file can land on disk but cannot be run through a URL. The /uploads/ path is a placeholder; substitute the upload directory of your installation. On Apache 2.4 use `Require all denied` instead of Order/Deny (with mod_php, `php_flag engine off` in that directory's .htaccess is a stronger alternative); in nginx place this location before the generic `\.php$` location, as regex locations are matched in order.
# For Apache: add to .htaccess in upload directory
<FilesMatch "\.(php|phar)$">
Order Allow,Deny
Deny from all
</FilesMatch>
# For Nginx: add to location block
location ~* /uploads/.*\.(php|phar)$ {
deny all;
return 403;
}
🧯 If You Can't Patch
- If you run a web application firewall, reject multipart uploads to the endpoint whose part filename does not end in .xlsx or whose body contains a PHP opening tag or the __HALT_COMPILER phar stub marker, and log every hit
- Restrict network access to WeGIA instances to trusted IP addresses only; the endpoint needs no authentication, so exposure to the Internet is exposure to exploitation
🔍 How to Verify
Check if Vulnerable:
A WeGIA version below 3.2.8 with the file /WeGIA/html/socio/sistema/controller/controla_xlsx.php present should be assumed vulnerable; do not test upload validation on a production instance.
Check Version:
Check WeGIA configuration files or admin panel for version information, typically in config files or footer.
Verify Fix Applied:
Confirm the version is 3.2.8 or higher. Then, on a staging copy, submit a harmless file named with a .phar extension (containing no PHP code) to the endpoint and confirm that it is rejected and does not appear in the upload directory.
📡 Detection & Monitoring
Log Indicators:
- HTTP POST requests to /WeGIA/html/socio/sistema/controller/controla_xlsx.php, especially from non-browser User-Agents. Standard access logs do not record the multipart filename, so the .phar name is visible only in WAF/ModSecurity audit logs or application logs.
- Requests for paths ending in .phar under the WeGIA web root (the execution step), and new .phar files appearing in the upload directory.
- PHP errors or warnings referring to files in the upload directory.
Network Indicators:
- Unexpected outbound connections from the WeGIA server (reverse shells, tool downloads) shortly after a POST to the endpoint.
SIEM Query:
source="web_server" AND (uri="/WeGIA/html/socio/sistema/controller/controla_xlsx.php" AND method="POST" AND file_extension="phar")
The file_extension field assumes a log source that records the uploaded filename (WAF or audit log). Against plain access logs, drop that clause, alert on the POST, and correlate the same client with a later request for a .phar path.
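The same logic applied offline to combined-format access logs, as an added example that is not part of the original advisory. Because the access log lacks the uploaded filename, the rule flags every POST to the endpoint, flags every request for a .phar path, and raises the severity when one client does both within a window. The log lines are constructed samples, and the uploads/x.phar path is an assumption about where the dropped file would be served from.

```python
"""Offline detection of CVE-2025-22133 exploitation in access logs.

Added example, not part of the original advisory. The log lines below are
constructed; the upload path in them is an assumption.
"""
import re
from collections import defaultdict
from datetime import datetime

VULN_ENDPOINT = "/wegia/html/socio/sistema/controller/controla_xlsx.php"

# Apache/nginx "combined" log format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample: one successful exploit chain (203.0.113.7), one POST whose
# later .phar request was blocked by the workaround (198.51.100.4), and benign traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2025:14:02:11 +0000] "GET /WeGIA/html/socio/sistema/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2025:14:02:40 +0000] "POST /WeGIA/html/socio/sistema/controller/controla_xlsx.php HTTP/1.1" 200 312 "-" "python-requests/2.31"
203.0.113.7 - - [10/Jan/2025:14:02:43 +0000] "GET /WeGIA/html/socio/sistema/uploads/x.phar?c=id HTTP/1.1" 200 88 "-" "python-requests/2.31"
198.51.100.4 - - [10/Jan/2025:14:05:00 +0000] "POST /WeGIA/html/socio/sistema/controller/controla_xlsx.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jan/2025:16:30:00 +0000] "GET /WeGIA/html/socio/sistema/uploads/x.phar HTTP/1.1" 403 199 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Jan/2025:15:00:00 +0000] "GET /WeGIA/html/index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line; return a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        # drop the query string and lower-case so /WeGIA/ and /wegia/ compare equal
        "path": m["path"].split("?", 1)[0].lower(),
        "status": int(m["status"]),
        "raw": line,
    }


def find_suspicious(lines, window_seconds=600):
    """Return findings: POSTs to the endpoint, .phar requests, and their correlation.

    A .phar request from a client that POSTed to the endpoint within
    window_seconds beforehand is reported as phar_request_after_upload; the
    status code tells you whether the server served it (200) or the
    workaround blocked it (403).
    """
    events = [e for e in map(parse_line, lines) if e]
    upload_times = defaultdict(list)
    findings = []
    for e in events:
        if e["method"] == "POST" and e["path"] == VULN_ENDPOINT:
            upload_times[e["ip"]].append(e["ts"])
            findings.append({"kind": "upload_endpoint_post", "ip": e["ip"],
                             "status": e["status"], "raw": e["raw"]})
    for e in events:
        if e["path"].endswith(".phar"):
            recent = [t for t in upload_times[e["ip"]]
                      if 0 <= (e["ts"] - t).total_seconds() <= window_seconds]
            kind = "phar_request_after_upload" if recent else "phar_request"
            findings.append({"kind": kind, "ip": e["ip"],
                             "status": e["status"], "raw": e["raw"]})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG.splitlines()):
        print(f"{f['kind']:26} {f['ip']:14} {f['status']} {f['raw'][:80]}")
```

Run it against a real access log with `find_suspicious(open(path).readlines())`; a hit with a 200 on the .phar request is a confirmed execution and should start incident response, while a 403 shows the workaround held but the POST still deserves a look at what was written to the upload directory.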