Cyber Resilience

CVE-2025-27140

CriticalPublic PoCRCE

Published: 24 February 2025

Published
24 February 2025
Modified
28 February 2025
KEV Added
Patch
CVSS Score v4 10.0 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0221 84.8th percentile
Risk Priority 21 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-27140 is a critical-severity OS Command Injection (CWE-78) vulnerability in Wegia Wegia. Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 15.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

WeGIA is a web-based manager for charitable institutions, and an OS command injection vulnerability affects the importar_dump.php endpoint in all versions prior to 3.2.15. The flaw, tracked as CWE-78 and CWE-284, permits unauthenticated remote execution of operating-system commands because user-supplied input is passed directly to a system call that moves a temporary file.

An attacker can therefore upload a webshell or run arbitrary code on the server without authentication or user interaction, resulting in full compromise of the confidentiality, integrity Availability of the application and underlying host.

The project’s GitHub security advisory GHSA-xw6w-x28r-2p5c and the associated commit 7d0df8c9a0b8b7d6862bbc23dc729d73e39672a1 state that version 3.2.15 contains the fix; administrators are advised to upgrade immediately.

The EPSS score rose from a low baseline to a peak of 0.1189 on 2026-01-13 before receding to its current value of 0.0221, indicating that exploitation interest increased after public disclosure.

EU & UK References

Vulnerability details

WeGIA is a Web manager for charitable institutions. An OS Command Injection vulnerability was discovered in versions prior to 3.2.15 of the WeGIA application, `importar_dump.php` endpoint. This vulnerability could allow an attacker to execute arbitrary code remotely. The command is…

more

basically a command to move a temporary file, so a webshell upload is also possible. Version 3.2.15 contains a patch for the issue.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
T1505.003 Web Shell Persistence
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

OS command injection in public-facing web app directly enables remote exploitation (T1190), arbitrary command execution via Unix shell (T1059.004), and webshell uploads/deployment (T1505.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-26613Same product: Wegia Wegia
CVE-2026-28409Same product: Wegia Wegia
CVE-2025-58745Same product: Wegia Wegia
CVE-2025-26617Same product: Wegia Wegia
CVE-2025-26609Same product: Wegia Wegia
CVE-2025-58159Same product: Wegia Wegia
CVE-2025-22133Same product: Wegia Wegia
CVE-2025-26608Same product: Wegia Wegia
CVE-2025-26607Same product: Wegia Wegia
CVE-2025-26611Same product: Wegia Wegia

Affected Assets

wegia
wegia
≤ 3.2.15

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the vulnerability by requiring installation of the patch in WeGIA version 3.2.15 that fixes the OS command injection in importar_dump.php.

prevent

Requires input validation and sanitization at the importar_dump.php endpoint to block malicious payloads in the file move command parameters.

prevent

Restricts types, formats, and lengths of inputs to the vulnerable endpoint to exclude OS command injection characters and payloads.

References