CVE-2025-58745
📋 TL;DR
This vulnerability allows attackers to bypass MIME type validation and upload malicious PHP files disguised as Excel files to WeGIA web servers. Successful exploitation enables remote code execution via webshells. All WeGIA installations before version 3.4.11 are affected.
💻 Affected Systems
- WeGIA
📦 What is this software?
Wegia by Wegia
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise leading to data theft, lateral movement, and persistent backdoor installation.
Likely Case
Webshell upload enabling remote command execution, file system access, and potential data exfiltration.
If Mitigated
Attack blocked at web application firewall or file upload prevented by proper validation.
🎯 Exploit Status
Exploit requires access to upload functionality but uses simple magic byte manipulation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.4.11
Vendor Advisory: https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-hq96-gvmx-qrwp
Restart Required: No
Instructions:
1. Back up the current installation.
2. Download WeGIA version 3.4.11 from the official repository.
3. Replace the vulnerable files with the patched version.
4. Verify that upload functionality works correctly.
🔧 Temporary Workarounds
Disable Excel Upload Endpoint
Temporarily block access to the vulnerable endpoint via web server configuration.
# Apache (mod_rewrite, server or vhost context):
RewriteEngine On
RewriteRule ^/html/socio/sistema/controller/controla_xlsx\.php$ - [F]
# Nginx:
location ~ /html/socio/sistema/controller/controla_xlsx\.php$ { return 403; }
Implement WAF Rules
Add web application firewall rules to block PHP file uploads with Excel magic bytes. The rule must inspect the uploaded file's content, not its temporary filename; in ModSecurity that means FILES_TMP_CONTENT, which requires SecRequestBodyAccess On and SecUploadKeepFiles On. The (?s) flag lets the pattern span line breaks inside the file.
# ModSecurity rule:
SecRule FILES_TMP_CONTENT "@rx (?s)^\x50\x4B\x03\x04.*\x3C\x3F\x70\x68\x70" "id:1001,phase:2,t:none,deny,msg:'PHP with Excel magic bytes detected'"
🧯 If You Can't Patch
- Implement strict file upload validation including file extension, content type, and magic byte verification.
- Restrict upload directory permissions and disable PHP execution in upload directories.
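The two bullets above describe a layered upload check. The following is an added example of such a validator, written for this page and not WeGIA's own code. It assumes the endpoint accepts only .xlsx files, treats both the OOXML and the legacy Excel content types as acceptable browser declarations, and uses constructed sample uploads (a minimal OOXML-shaped ZIP and the magic-bytes-plus-PHP polyglot this advisory describes). The point it makes is that the PK\x03\x04 header alone proves nothing: the body must also parse as a ZIP workbook and contain no PHP open tag.

```python
"""Constructed example: layered validation for an .xlsx upload endpoint.

Added illustration, not WeGIA's code. Extension, declared content type,
ZIP magic bytes, container structure and a PHP-tag scan must all pass.
"""
import io
import os
import re
import zipfile

# Assumptions for this example: only .xlsx is accepted, and browsers may
# declare either the OOXML type or the legacy Excel type for it.
ALLOWED_EXTENSIONS = {".xlsx"}
ALLOWED_CONTENT_TYPES = {
    "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
    "application/vnd.ms-excel",
}
ZIP_MAGIC = b"PK\x03\x04"            # every .xlsx is a ZIP container
PHP_TAG_RE = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)
REQUIRED_MEMBERS = {"[Content_Types].xml", "xl/workbook.xml"}
MAX_MEMBER_BYTES = 50 * 1024 * 1024  # assumed cap on any single archive member


def validate_xlsx_upload(filename: str, content_type: str, data: bytes):
    """Return (accepted, reason). Every layer must pass; the first failure wins."""
    name = os.path.basename(filename).lower()
    ext = os.path.splitext(name)[1]
    # 1. Extension: exact allow-list, and no ".php" anywhere in the name,
    #    which also rejects double extensions such as report.php.xlsx.
    if ext not in ALLOWED_EXTENSIONS or ".php" in name:
        return False, "extension not allowed"
    # 2. Declared content type: attacker-controlled, so only a cheap early filter.
    if content_type.split(";")[0].strip().lower() not in ALLOWED_CONTENT_TYPES:
        return False, "content type not allowed"
    # 3. Magic bytes: necessary but, as this CVE shows, nowhere near sufficient.
    if not data.startswith(ZIP_MAGIC):
        return False, "missing ZIP magic bytes"
    # 4. Raw scan: a PHP open tag anywhere in the body means this is no spreadsheet.
    if PHP_TAG_RE.search(data):
        return False, "PHP open tag found in upload body"
    # 5. Container structure: must parse as a ZIP and look like an OOXML workbook.
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            if not REQUIRED_MEMBERS <= set(zf.namelist()):
                return False, "not an OOXML workbook"
            for info in zf.infolist():
                if info.filename.lower().endswith((".php", ".phtml", ".phar")):
                    return False, "script file inside archive"
                if info.file_size > MAX_MEMBER_BYTES:
                    return False, "archive member too large"
                if PHP_TAG_RE.search(zf.read(info)):
                    return False, "PHP open tag inside archive member"
    except zipfile.BadZipFile:
        return False, "not a valid ZIP container"
    return True, "ok"


def make_constructed_workbook() -> bytes:
    """Minimal OOXML-shaped ZIP, constructed for the demo (not a real spreadsheet)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types/>')
        zf.writestr("xl/workbook.xml", '<?xml version="1.0"?><workbook/>')
    return buf.getvalue()


def run_demo() -> dict:
    """Constructed inputs: the clean case plus the bypass pattern from this advisory."""
    xlsx_type = "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet"
    good = make_constructed_workbook()
    # The CVE pattern: ZIP magic bytes prepended to PHP source (benign tag only).
    polyglot = ZIP_MAGIC + b"<?php echo 'constructed test file'; ?>"
    return {
        "clean_xlsx": validate_xlsx_upload("report.xlsx", xlsx_type, good),
        "php_with_zip_magic": validate_xlsx_upload("report.xlsx", xlsx_type, polyglot),
        "double_extension": validate_xlsx_upload("report.php.xlsx", xlsx_type, good),
        "php_extension": validate_xlsx_upload("report.php", xlsx_type, good),
        "wrong_content_type": validate_xlsx_upload("report.xlsx", "text/plain", good),
    }


if __name__ == "__main__":
    for case, result in run_demo().items():
        print(f"{case:20s} -> {result}")
```

Run it as a script to see each constructed case and the layer that rejected it. Pair the validator with the second bullet (no PHP execution in the upload directory): even if a check is ever bypassed, a file that the web server will not execute is not a webshell.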
🔍 How to Verify
Check if Vulnerable:
Check if version is below 3.4.11 and test if PHP files with Excel magic bytes can be uploaded to /html/socio/sistema/controller/controla_xlsx.php.
Check Version:
grep -r 'version' /path/to/wegia/installation/ | grep -i '3\.'
Verify Fix Applied:
Attempt to upload a PHP file whose first 4 bytes are PK\x03\x04 (the ZIP header that every .xlsx file begins with); it should be rejected. Verify that the version shows 3.4.11 or higher.
📡 Detection & Monitoring
Log Indicators:
- Multiple failed upload attempts to controla_xlsx.php
- Successful uploads of files with a .php extension, or of files that carry Excel (ZIP) magic bytes but contain PHP code
- Unusual POST requests to upload endpoint
Network Indicators:
- HTTP POST requests to /html/socio/sistema/controller/controla_xlsx.php with file uploads
- Traffic patterns showing file uploads followed by webshell access
SIEM Query:
source="web_logs" AND uri="/html/socio/sistema/controller/controla_xlsx.php" AND (file_extension="php" OR content_type="application/vnd.ms-excel")
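The log and network indicators above can be turned into a small detector. The following is an added example, not WeGIA's code or a query from this advisory: it parses constructed Apache combined-format access log lines and raises two kinds of alert, repeated failed POSTs to controla_xlsx.php from one client, and a successful upload followed within a short window by a request from the same client to a .php file under the upload directory. The upload directory path, the failure threshold and the time window are placeholders to be set for the real deployment.

```python
"""Constructed example: detection over access logs for the indicators above.

Added illustration, not WeGIA's code. Input lines are Apache combined format,
constructed here; the upload directory and thresholds are placeholders.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

UPLOAD_ENDPOINT = "/html/socio/sistema/controller/controla_xlsx.php"
UPLOAD_DIR_PREFIX = "/uploads/"      # placeholder: directory where uploads are stored
FAILED_UPLOAD_THRESHOLD = 3          # assumed tuning value
FOLLOW_UP_WINDOW = timedelta(minutes=10)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r"(?P<status>\d{3}) \S+"
)

# Constructed sample: three rejected uploads, one accepted, then a .php request
# under the upload directory from the same client; a second client uploads
# normally and only visits a regular application page.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2025:13:55:01 +0000] "POST /html/socio/sistema/controller/controla_xlsx.php HTTP/1.1" 400 312 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2025:13:55:05 +0000] "POST /html/socio/sistema/controller/controla_xlsx.php HTTP/1.1" 400 312 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2025:13:55:09 +0000] "POST /html/socio/sistema/controller/controla_xlsx.php HTTP/1.1" 400 312 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2025:13:55:20 +0000] "POST /html/socio/sistema/controller/controla_xlsx.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2025:13:55:41 +0000] "GET /uploads/planilha.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"
198.51.100.5 - - [10/Oct/2025:14:02:10 +0000] "POST /html/socio/sistema/controller/controla_xlsx.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.5 - - [10/Oct/2025:14:02:30 +0000] "GET /html/socio/index.php HTTP/1.1" 200 4021 "-" "Mozilla/5.0"
""".splitlines()


def parse_line(line: str):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],   # drop the query string
        "status": int(m["status"]),
    }


def detect(lines):
    """Return a list of (alert_type, client_ip, detail) tuples in log order."""
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])
    alerts = []
    failed = defaultdict(int)   # ip -> failed POSTs to the upload endpoint
    last_upload = {}            # ip -> timestamp of the last accepted upload
    for e in events:
        if e["method"] == "POST" and e["path"] == UPLOAD_ENDPOINT:
            if e["status"] >= 400:
                failed[e["ip"]] += 1
                if failed[e["ip"]] == FAILED_UPLOAD_THRESHOLD:
                    alerts.append(("repeated_failed_uploads", e["ip"], FAILED_UPLOAD_THRESHOLD))
            elif 200 <= e["status"] < 300:
                last_upload[e["ip"]] = e["ts"]
            continue
        # A .php request under the upload directory shortly after an accepted
        # upload from the same client is the "upload followed by webshell access" pattern.
        if e["path"].startswith(UPLOAD_DIR_PREFIX) and e["path"].lower().endswith(".php"):
            t = last_upload.get(e["ip"])
            if t is not None and e["ts"] - t <= FOLLOW_UP_WINDOW:
                alerts.append(("upload_then_php_access", e["ip"], e["path"]))
    return alerts


def run_demo():
    return detect(SAMPLE_LOG)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Both alerts fire for 203.0.113.7 and none for 198.51.100.5, whose follow-up request is to a normal application page rather than a script under the upload directory. Feeding real logs means replacing SAMPLE_LOG with the file contents and setting UPLOAD_DIR_PREFIX to the directory the installation actually writes to.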