CVE-2025-26616
Published: 18 February 2025
Summary
CVE-2025-26616 is a high-severity Path Traversal (CWE-22) vulnerability in Wegia Wegia. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 27.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates path traversal by validating and sanitizing user-supplied path inputs to the exportar_dump.php endpoint, preventing access to unauthorized files like config.php.
Remediates the specific path traversal flaw through timely patching, such as upgrading WeGIA to version 3.2.14 where the issue is fixed.
Enforces approved access authorizations to information and system resources, blocking unauthorized reads of sensitive config.php containing database credentials.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Path traversal in public-facing web app directly enables T1190 for remote unauthenticated exploitation; exposure of database credentials in config.php facilitates T1552.001 for unsecured credential access from files.
NVD Description
WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. A Path Traversal vulnerability was discovered in the WeGIA application, `exportar_dump.php` endpoint. This vulnerability could allow an attacker to gain unauthorized access to sensitive…
more
information stored in `config.php`. `config.php` contains information that could allow direct access to the database. This issue has been addressed in version 3.2.14 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
Deeper analysisAI
CVE-2025-26616 is a path traversal vulnerability in the WeGIA open-source web manager application, primarily targeted at Portuguese-language institutional users. The flaw resides in the `exportar_dump.php` endpoint, which allows attackers to traverse directories and access sensitive files outside the intended path. Specifically, it enables unauthorized retrieval of `config.php`, a configuration file containing database credentials and other sensitive information that could facilitate direct database access. The vulnerability is associated with CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and CWE-284 (Improper Access Control), earning a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By crafting malicious requests to the `exportar_dump.php` endpoint, they can read the contents of `config.php`, exposing database connection details. This confidentiality impact could enable subsequent attacks, such as unauthorized data extraction or manipulation from the underlying database, depending on the exposed credentials' privileges.
The GitHub Security Advisory (GHSA-xxqg-p22h-3f32) confirms the issue has been patched in WeGIA version 3.2.14, urging all users to upgrade immediately. No workarounds are available.
Details
- CWE(s)