CVE-2025-58159
📋 TL;DR
CVE-2025-58159 is a critical remote code execution vulnerability in WeGIA web management software for charitable institutions. It allows attackers to upload malicious PHP files that execute arbitrary code on the server. All organizations using WeGIA versions before 3.4.11 are affected.
💻 Affected Systems
- WeGIA
📦 What is this software?
Wegia by Wegia
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise leading to data theft, ransomware deployment, or use as a foothold for lateral movement within the network.
Likely Case
Webshell installation allowing persistent access, data exfiltration, or cryptocurrency mining.
If Mitigated
Limited impact if proper file upload restrictions and web application firewalls are in place.
🎯 Exploit Status
The vulnerability is similar to CVE-2025-22133 and exploitation requires only web access to the upload functionality.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.4.11
Vendor Advisory: https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-wj2c-237g-cgqp
Restart Required: No
Instructions:
1. Back up your WeGIA installation and database.
2. Download version 3.4.11 from the official repository.
3. Replace existing files with the patched version.
4. Verify the update by checking the version in the admin panel.
🔧 Temporary Workarounds
Restrict PHP file uploads via web server
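Configure the web server to block .php files in the upload directory at the server level (all platforms)
# For Apache: add to the .htaccess in the upload directory
# (in the application root this would also block WeGIA's own PHP pages)
<FilesMatch "\.php$">
    # Apache 2.2 syntax; on Apache 2.4 without mod_access_compat use: Require all denied
    Order Allow,Deny
    Deny from all
</FilesMatch>
# For Nginx: add to the server block, before the general PHP handler location
# (/uploads/ is assumed from the path used in the next workaround; adjust to the real upload location)
location ~ ^/uploads/.*\.php$ {
    deny all;
}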
Implement file upload directory restrictions
Move upload directory outside web root and restrict execution permissions (Linux)
# Move uploads directory outside web root
mv /var/www/html/uploads /var/uploads
# Set restrictive permissions on files only (chmod 644 on a subdirectory would make it untraversable)
find /var/uploads -type f -exec chmod 644 {} +
chown www-data:www-data /var/uploads
🧯 If You Can't Patch
- Implement a web application firewall (WAF) with file upload filtering rules
- Disable file upload functionality entirely in WeGIA configuration
🔍 How to Verify
Check if Vulnerable:
Check if WeGIA version is below 3.4.11 in the admin panel or by examining version files
Check Version:
grep -r "version" /path/to/wegia/installation/ | grep -i "3\."
Verify Fix Applied:
Confirm version is 3.4.11 or higher and test file upload functionality with PHP files (should be rejected)
📡 Detection & Monitoring
Log Indicators:
- Multiple failed .php file upload attempts
- Successful .php file uploads to upload directory
- Unusual POST requests to upload endpoints
Network Indicators:
- HTTP POST requests with .php files to upload endpoints
- Outbound connections from WeGIA server to unknown IPs
SIEM Query:
source="web_logs" AND (uri_path="/upload" OR uri_path="/file/upload") AND (file_extension=".php" OR content_type="application/x-php")
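The "Successful .php file uploads to upload directory" indicator can also be checked on disk: the sweep below flags files in an upload directory that carry a PHP-handled extension (including double extensions) or contain a PHP open tag. It is an added example, not code from WeGIA or the advisory; the extension list, function names and the constructed sample tree are assumptions.

```shell
#!/bin/sh
# Added example: sweep an upload directory for files the PHP handler could run.

# Extensions commonly mapped to PHP (assumption; confirm against your server's
# handler config). The trailing (\.|$) also catches names like "x.php.jpg".
PHP_EXT_RE='\.(php[0-9]?|phtml|phar|pht)(\.|$)'

# Print "<reason><TAB><path>" for every suspicious regular file under $1.
scan_uploads() {
    find "$1" -type f | while IFS= read -r f; do
        if printf '%s\n' "${f##*/}" | grep -Eiq "$PHP_EXT_RE"; then
            printf 'php-extension\t%s\n' "$f"
        elif grep -Fiq '<?php' "$f" 2>/dev/null; then
            # Allowed extension, but the body carries a PHP open tag.
            printf 'php-open-tag\t%s\n' "$f"
        fi
    done
}

# Succeeds only when the sweep reports nothing (usable from cron or CI).
uploads_clean() {
    [ -z "$(scan_uploads "$1")" ]
}

# Constructed sample tree standing in for an upload directory.
make_sample_dir() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/docs"
    printf 'quarterly report\n' > "$d/docs/report.txt"
    printf '<?php echo 1; ?>\n' > "$d/avatar.php"
    printf '<?php echo 1; ?>\n' > "$d/docs/photo.PhP.jpg"
    printf 'GIF89a <?php echo 1; ?>\n' > "$d/logo.gif"
    printf '%s\n' "$d"
}

sample=$(make_sample_dir)
scan_uploads "$sample"
if uploads_clean "$sample"; then echo "clean"; else echo "review findings"; fi
rm -rf "$sample"
```

Against a real installation, call `scan_uploads` with the actual upload path (for example the `/var/uploads` location used in the workaround above) and review each reported file before removing it.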