CVE-2025-30361

9.8 CRITICAL

📋 TL;DR

This vulnerability allows unauthenticated attackers to reset any user's password without verifying the old password, including admin accounts. It affects WeGIA web management software for charitable institutions. Attackers can gain unauthorized access to sensitive systems and data.

💻 Affected Systems

Products:
  • WeGIA
Versions: All versions prior to 3.2.6
Operating Systems: All platforms running WeGIA
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations of affected versions are vulnerable. The vulnerability exists in the control.php endpoint.

📦 What is this software?

WeGIA is web management software for charitable institutions. The project is published by the LabRedesCefetRJ organization on GitHub, which also hosts the vendor advisory linked below.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of the WeGIA instance with admin account takeover, leading to data theft, system manipulation, and potential lateral movement to connected systems.

🟠

Likely Case

Unauthorized access to user accounts, privilege escalation to admin, and potential data exfiltration from the charitable institution's database.

🟢

If Mitigated

Limited impact if strong network segmentation and monitoring are in place, but still allows account compromise within the WeGIA application.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ❌ None known at the time of writing
Weaponized: LIKELY (no authentication and a single crafted HTTP request are enough; no confirmed in-the-wild exploitation is recorded on this page)
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires no authentication and consists of ordinary HTTP requests to the vulnerable control.php endpoint, so a working exploit is trivial to build even without a published PoC.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.2.6

Vendor Advisory: https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-m6qw-r3m9-jf7h

Restart Required: No

Instructions:

1. Back up your current WeGIA installation and database.
2. Download version 3.2.6 (or later) from the official repository.
3. Replace the existing files with the patched version.
4. Confirm that a password change through control.php is now rejected unless the correct old password is supplied.

🔧 Temporary Workarounds

Block the control.php endpoint

Temporarily block access to the vulnerable endpoint in the web server configuration or with a WAF rule. Check first whether control.php also serves legitimate application functions in your deployment; if it does, blocking it breaks those functions, so treat this as a stopgap until 3.2.6 is installed.

# Apache (.htaccess in the directory that holds control.php; requires RewriteEngine On
# and matches only that directory):
RewriteRule ^control\.php$ - [F]

# Nginx (matches control.php in any directory; must appear before the generic
# "location ~ \.php$" block, because the first matching regex location wins):
location ~ /control\.php$ { return 403; }

Implement IP restriction

Restrict access to the WeGIA application to trusted IP addresses only (192.168.1.0/24 below is a placeholder for your own management range).

# Apache (inside the <Directory> or <Location> block for the WeGIA document root):
Require ip 192.168.1.0/24

# Nginx (inside the server block, so every location inherits it):
allow 192.168.1.0/24;
deny all;
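The two workarounds above combined into one nginx server block, as an added example (not configuration shipped by the WeGIA project). The document root, PHP-FPM socket, certificate paths and the 192.168.1.0/24 range are assumptions for illustration. The point it shows is ordering: nginx picks the first regex location that matches, so the 403 for control.php has to sit above the generic PHP handler or it never fires.

```nginx
# Added example: nginx vhost applying both temporary workarounds for the
# control.php password-reset issue. Paths, socket and network are assumptions.
server {
    listen 443 ssl;
    server_name wegia.example.org;                 # assumed hostname
    ssl_certificate     /etc/ssl/wegia.crt;        # assumed certificate paths
    ssl_certificate_key /etc/ssl/wegia.key;

    root  /var/www/wegia;                          # assumed document root
    index index.php;

    # Workaround 2: only the trusted management network may reach the app.
    # Declared at server level so every location below inherits it.
    allow 192.168.1.0/24;                          # placeholder trusted range
    deny  all;

    # Workaround 1: refuse the vulnerable endpoint wherever it lives.
    # This regex location MUST precede "location ~ \.php$": nginx uses the
    # first matching regex location, so placing it later silently disables it.
    location ~ /control\.php$ {
        return 403;
    }

    # Generic PHP handler (assumed php-fpm socket).
    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }

    location / {
        try_files $uri $uri/ /index.php?$args;
    }
}
```

After reloading, confirm with a request for /control.php from a trusted address that the response is 403 rather than a PHP-generated page; a 200 or 302 means the location order is wrong.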

🧯 If You Can't Patch

  • Isolate the WeGIA server from the internet and restrict access to trusted networks only.
  • Implement strict monitoring and alerting for any password reset attempts or unauthorized access patterns.

🔍 How to Verify

Check if Vulnerable:

On a staging copy (or against a dedicated test account), send a POST request to control.php that sets a new password for that account without supplying the current password. If the change is accepted, the instance is vulnerable.

Check Version:

Check the WeGIA version in the application interface or configuration files.

Verify Fix Applied:

Repeat the same password change request against the patched instance and confirm it is rejected unless the correct old password is supplied.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to control.php endpoint
  • Multiple password reset attempts for different users
  • Login attempts from new IP addresses after password resets

Network Indicators:

  • HTTP POST requests to /control.php carrying password-change parameters (the body is visible only to a WAF, reverse proxy or packet capture; a standard access log records just the request line)
  • Unusual traffic patterns to the WeGIA application

SIEM Query:

source="web_server" AND uri="/control.php" AND method="POST" AND (params LIKE "%password%" OR params LIKE "%senha%")

The query is pseudo-syntax; adapt the field names to your SIEM. "senha" is Portuguese for password, which matters because WeGIA is a Brazilian project. The params clause only works where request parameters are logged: a default access log stores the request line and not the POST body, so without body or query-string logging, match on uri and method alone and alert on repeated POSTs from a single source.
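The log indicators above, turned into a small detector as an added example (not tooling from the WeGIA project). It parses combined-format access log lines, keeps only POSTs whose script name ends in /control.php (the advisory names the file but not its directory), and flags any client that sends at least a threshold number of them inside a sliding time window. The log lines in the block are constructed for the example; the threshold and window are assumptions to tune against your own traffic.

```python
"""Added example: flag bursts of POSTs to control.php in access logs.

Not WeGIA project code. Sample log lines below are constructed, and the
threshold/window defaults are assumptions, not values from the advisory.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format as written by Apache and nginx by default:
# <ip> <ident> <user> [<timestamp>] "<method> <path> <proto>" <status> <bytes> ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (not real traffic). 203.0.113.7 fires four POSTs at
# control.php within eight seconds, delivered out of order; 198.51.100.4 sends one.
SAMPLE_LOG_LINES = [
    '203.0.113.7 - - [10/Mar/2025:10:00:01 +0000] "POST /control.php HTTP/1.1" 302 512 "-" "curl/8.5.0"',
    '203.0.113.7 - - [10/Mar/2025:10:00:03 +0000] "POST /control.php HTTP/1.1" 302 512 "-" "curl/8.5.0"',
    '198.51.100.4 - - [10/Mar/2025:10:00:10 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2025:10:00:09 +0000] "POST /control.php HTTP/1.1" 302 512 "-" "curl/8.5.0"',
    '198.51.100.4 - - [10/Mar/2025:10:01:00 +0000] "POST /control.php HTTP/1.1" 302 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2025:10:00:05 +0000] "POST /wegia/control.php HTTP/1.1" 302 512 "-" "curl/8.5.0"',
    'not a log line',
]


def parse_line(line):
    """Parse one combined-format access log line; return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def is_control_php_post(rec):
    """True for POSTs whose script path ends in /control.php (query string ignored).
    Matching on the script name rather than a fixed path covers whatever directory
    the endpoint is served from, since the advisory names only the file."""
    script = rec["path"].split("?", 1)[0]
    return rec["method"] == "POST" and script.endswith("/control.php")


def find_password_reset_bursts(lines, threshold=3, window_seconds=300):
    """Return {client_ip: max_posts_in_window} for clients that POSTed to
    control.php at least `threshold` times within any `window_seconds` interval.
    Timestamps are sorted per client, so out-of-order log delivery is tolerated."""
    window = timedelta(seconds=window_seconds)
    stamps_by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None and is_control_php_post(rec):
            stamps_by_ip[rec["ip"]].append(rec["ts"])

    hits = {}
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        start, best = 0, 0
        for end, ts in enumerate(stamps):
            # slide the window start forward until it spans at most `window`
            while ts - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[ip] = best
    return hits


if __name__ == "__main__":
    for ip, n in find_password_reset_bursts(SAMPLE_LOG_LINES).items():
        print(f"ALERT {ip}: {n} POSTs to control.php within 5 minutes")
```

Because the access log carries no request body, this detector cannot tell a password change from any other control.php action; it is a volume signal to be correlated with the "login from a new address after a reset" indicator above, and with body-level matches from a WAF where one is in place.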
