CVE-2025-62179
📋 TL;DR
CVE-2025-62179 is a SQL injection vulnerability in WeGIA web management software that allows attackers to execute arbitrary SQL commands through the cpf parameter in the /html/funcionario/cadastro_funcionario_pessoa_existente.php endpoint. This can lead to complete database compromise including data theft, modification, or deletion. All WeGIA installations prior to version 3.5.1 are affected.
💻 Affected Systems
- WeGIA
📦 What is this software?
Wegia by Wegia
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise leading to data exfiltration, privilege escalation, authentication bypass, and potential remote code execution if database functions allow it.
Likely Case
Unauthorized data access and modification, potential extraction of sensitive user information, and database manipulation.
If Mitigated
Limited impact when strict input validation and WAF rules are in place; injection attempts will still show up in web server and WAF logs and should be reviewed.
🎯 Exploit Status
SQL injection in the cpf parameter is straightforward to exploit with standard SQLi techniques.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.5.1
Vendor Advisory: https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-x36x-x5j4-wfjf
Restart Required: Yes
Instructions:
1. Backup your current WeGIA installation and database.
2. Download WeGIA version 3.5.1 from the official repository.
3. Replace the vulnerable file /html/funcionario/cadastro_funcionario_pessoa_existente.php with the patched version.
4. Restart your web server.
5. Verify the fix by testing the endpoint with SQL injection payloads.
🔧 Temporary Workarounds
WAF Rule Implementation
Implement web application firewall rules to block SQL injection patterns in the cpf parameter.
Endpoint Restriction
Restrict access to the vulnerable endpoint using authentication or IP whitelisting.
🧯 If You Can't Patch
- Implement strict input validation for the cpf parameter to only accept valid CPF format (11 digits with optional formatting).
- Deploy a web application firewall with SQL injection detection rules specifically for this endpoint.
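The following is an added illustration of the input-validation workaround above; it is not WeGIA's code (WeGIA is PHP; Python is used here so the example runs stand-alone). It shows a CPF validator that accepts only the bare 11-digit form or the ###.###.###-## form and also checks the two mod-11 check digits, next to the query pattern the advisory describes (user input concatenated into SQL) and its hardened counterpart (validation plus a parameterized query). The table name `pessoa`, the column names and the sample records are constructed for the demo and are not taken from the product.

```python
import re
import sqlite3

# Accepted input shapes: "52998224725" or "529.982.247-25".
CPF_FORMATTED = re.compile(r"^\d{3}\.\d{3}\.\d{3}-\d{2}$")
CPF_BARE = re.compile(r"^\d{11}$")


def normalize_cpf(value):
    """Return the 11-digit CPF string, or None when the value is not CPF-shaped.
    Anything outside the two accepted shapes (including quotes, spaces and SQL
    metacharacters) is rejected before it gets near the database."""
    value = value.strip()
    if CPF_FORMATTED.match(value):
        return value.replace(".", "").replace("-", "")
    if CPF_BARE.match(value):
        return value
    return None


def cpf_check_digits_ok(digits):
    """Verify the two CPF check digits (standard mod-11 scheme):
    digit 10 uses weights 10..2 over the first 9 digits, digit 11 uses 11..2 over
    the first 10; a remainder below 2 yields 0, otherwise 11 - remainder."""
    if len(set(digits)) == 1:  # 000.000.000-00 etc. pass the arithmetic but are not valid CPFs
        return False
    for length in (9, 10):
        total = sum(int(d) * w for d, w in zip(digits[:length], range(length + 1, 1, -1)))
        remainder = total % 11
        expected = 0 if remainder < 2 else 11 - remainder
        if int(digits[length]) != expected:
            return False
    return True


def validate_cpf(value):
    digits = normalize_cpf(value)
    return digits is not None and cpf_check_digits_ok(digits)


def build_demo_db():
    """Constructed in-memory table standing in for the application's person table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pessoa (id INTEGER PRIMARY KEY, nome TEXT, cpf TEXT)")
    conn.executemany(
        "INSERT INTO pessoa (nome, cpf) VALUES (?, ?)",
        [("Ana", "52998224725"), ("Bruno", "11144477735")],
    )
    conn.commit()
    return conn


def find_person_unsafe(conn, cpf):
    """The pattern the advisory describes: the parameter is spliced into the statement,
    so a value such as  ' OR '1'='1  changes the WHERE clause instead of being data."""
    return conn.execute(f"SELECT nome FROM pessoa WHERE cpf = '{cpf}'").fetchall()


def find_person_safe(conn, cpf):
    """Hardened form: validate first, then bind the value as a parameter.
    Returns None when the input is rejected, otherwise the matching rows."""
    digits = normalize_cpf(cpf)
    if digits is None or not cpf_check_digits_ok(digits):
        return None
    return conn.execute("SELECT nome FROM pessoa WHERE cpf = ?", (digits,)).fetchall()


if __name__ == "__main__":
    db = build_demo_db()
    print("valid lookup:", find_person_safe(db, "529.982.247-25"))
    print("rejected input:", find_person_safe(db, "' OR '1'='1"))
```

Two points of the design matter: validation alone is a workaround, not a fix, because the shape check protects only this one parameter, whereas the parameterized query removes the injection class from the statement regardless of input; and the check-digit test rejects typo-level garbage that a pure regex would accept, which also makes log noise from the WAF rule in the previous section easier to interpret.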
🔍 How to Verify
Check if Vulnerable:
Test the /html/funcionario/cadastro_funcionario_pessoa_existente.php endpoint with SQL injection payloads in the cpf parameter (e.g., ' OR '1'='1).
Check Version:
Check the WeGIA version in the application interface or configuration files.
Verify Fix Applied:
After patching, attempt the same SQL injection tests and verify they are rejected or properly sanitized.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs
- Multiple failed login attempts or parameter manipulation in web server logs
- Requests to the vulnerable endpoint with SQL keywords in parameters
Network Indicators:
- HTTP requests containing SQL injection patterns in the cpf parameter
- Unusual database connection patterns from web server
SIEM Query:
source="web_server" AND uri="/html/funcionario/cadastro_funcionario_pessoa_existente.php" AND (param="cpf" AND value MATCH "(?i)(union|select|insert|update|delete|drop|or|and|--|#|;)")
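As an added example (not part of the advisory, and not WeGIA's or any vendor's tooling), the detection logic of the SIEM query above applied to web server access logs in Python: it parses common-log-format lines, keeps only requests to the affected endpoint, extracts the cpf query parameter and flags it when it is not CPF-shaped or when it matches the advisory's SQL keyword pattern. The log lines, IP addresses and timestamps are constructed for the demo. The keyword list is taken verbatim from the query; note that bare `or`/`and` match as substrings, which is noisy on free-text fields but acceptable on a field that should contain only digits.

```python
import re
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/html/funcionario/cadastro_funcionario_pessoa_existente.php"

# Keyword/metacharacter pattern from the advisory's SIEM query.
SQLI_KEYWORDS = re.compile(r"(?i)(union|select|insert|update|delete|drop|or|and|--|#|;)")
# Shape a legitimate value should have: bare 11 digits or ###.###.###-##.
CPF_SHAPE = re.compile(r"^(\d{11}|\d{3}\.\d{3}\.\d{3}-\d{2})$")
# Common log format: client, identd, user, [timestamp], "METHOD target protocol", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (not real traffic): one benign lookup, two injection
# attempts against the cpf parameter, one unrelated request.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Oct/2025:12:00:01 +0000] "GET /html/funcionario/cadastro_funcionario_pessoa_existente.php?cpf=529.982.247-25 HTTP/1.1" 200 512
198.51.100.7 - - [10/Oct/2025:12:00:02 +0000] "GET /html/funcionario/cadastro_funcionario_pessoa_existente.php?cpf=%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 8192
203.0.113.9 - - [10/Oct/2025:12:00:03 +0000] "GET /html/funcionario/cadastro_funcionario_pessoa_existente.php?cpf=1%3B%20-- HTTP/1.1" 500 0
203.0.113.9 - - [10/Oct/2025:12:00:04 +0000] "GET /html/index.php HTTP/1.1" 200 1024
"""


def inspect_line(line):
    """Return an alert dict for a suspicious request to the endpoint, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path != ENDPOINT:
        return None
    # parse_qs percent-decodes, so %27 becomes a quote before the checks run.
    for cpf in parse_qs(parts.query).get("cpf", []):
        reasons = []
        if not CPF_SHAPE.match(cpf):
            reasons.append("cpf not in CPF format")
        if SQLI_KEYWORDS.search(cpf):
            reasons.append("sql keyword/metacharacter in cpf")
        if reasons:
            return {
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "status": int(m.group("status")),
                "cpf": cpf,
                "reasons": reasons,
            }
    return None


def scan(log_text):
    """Run inspect_line over every line and collect the alerts in log order."""
    return [hit for hit in (inspect_line(l) for l in log_text.splitlines()) if hit]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ts"], hit["ip"], hit["status"], repr(hit["cpf"]), "; ".join(hit["reasons"]))
```

One caveat when relying on this: access logs only carry parameters sent in the query string. If the form posts the cpf value in the request body, the web server log will show the endpoint but not the parameter, and the WAF or application-level request logging is where the same check has to run. The format-shape test is the more robust of the two signals, since any non-digit content in this field is anomalous whether or not it contains one of the listed keywords.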