CVE-2025-22133
Published: 07 January 2025
Summary
CVE-2025-22133 is a critical-severity Code Injection (CWE-94) vulnerability in Wegia Wegia. Its CVSS base score is 9.9 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Web Shell (T1505.003); ranked in the top 38.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-3 (Malicious Code Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires validation of file uploads at the application endpoint to block malicious files like .phar with dangerous extensions or content.
Deploys malicious code protection mechanisms at file upload entry points to scan and prevent execution of uploaded dangerous files such as .phar.
Enforces restrictions on allowed file types and inputs at the upload interface to limit acceptance of executable or dangerous file formats.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Arbitrary file upload in public-facing web endpoint allows uploading and executing malicious .phar files (web shells), enabling exploitation of public-facing applications and web shell deployment for remote code execution.
NVD Description
WeGIA is a web manager for charitable institutions. Prior to 3.2.8, a critical vulnerability was identified in the /WeGIA/html/socio/sistema/controller/controla_xlsx.php endpoint. The endpoint accepts file uploads without proper validation, allowing the upload of malicious files, such as .phar, which can then…
more
be executed by the server. This vulnerability is fixed in 3.2.8.
Deeper analysisAI
CVE-2025-22133 is a critical vulnerability in WeGIA, a web manager for charitable institutions, affecting versions prior to 3.2.8. The flaw exists in the /WeGIA/html/socio/sistema/controller/controla_xlsx.php endpoint, which accepts file uploads without proper validation. This allows the upload of malicious files, such as .phar extensions, that can then be executed by the server. It is associated with CWE-94 (improper control of code generation) and CWE-434 (unrestricted upload of files with dangerous type).
The vulnerability carries a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H), indicating exploitation over the network by low-privileged users with low attack complexity and no user interaction required. Attackers can upload and execute arbitrary malicious files, achieving high-impact remote code execution that compromises confidentiality, integrity, and availability across the affected system's scope.
Mitigation is provided in WeGIA version 3.2.8, which fixes the validation issue. The GitHub security advisory (GHSA-mjgr-2jxv-v8qf) and the patching commit (a08f04de96d3caec85496d7a89a5b82d1960d9dd) detail the resolution and are available at the WeGIA repository. Security practitioners should upgrade immediately to patched versions.
Details
- CWE(s)