CVE-2025-27140
Published: 24 February 2025
Summary
CVE-2025-27140 is a critical-severity OS Command Injection (CWE-78) vulnerability in Wegia Wegia. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 15.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the vulnerability by requiring installation of the patch in WeGIA version 3.2.15 that fixes the OS command injection in importar_dump.php.
Requires input validation and sanitization at the importar_dump.php endpoint to block malicious payloads in the file move command parameters.
Restricts types, formats, and lengths of inputs to the vulnerable endpoint to exclude OS command injection characters and payloads.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
OS command injection in public-facing web app directly enables remote exploitation (T1190), arbitrary command execution via Unix shell (T1059.004), and webshell uploads/deployment (T1505.003).
NVD Description
WeGIA is a Web manager for charitable institutions. An OS Command Injection vulnerability was discovered in versions prior to 3.2.15 of the WeGIA application, `importar_dump.php` endpoint. This vulnerability could allow an attacker to execute arbitrary code remotely. The command is…
more
basically a command to move a temporary file, so a webshell upload is also possible. Version 3.2.15 contains a patch for the issue.
Deeper analysisAI
CVE-2025-27140 is an OS Command Injection vulnerability (CWE-78, CWE-284) in the WeGIA web application, a manager for charitable institutions. The flaw affects versions prior to 3.2.15 and is located in the `importar_dump.php` endpoint, where inadequate input sanitization on a file move command enables attackers to inject and execute arbitrary operating system commands remotely.
With a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), the vulnerability is exploitable by any unauthenticated attacker accessible over the network, requiring low complexity and no user interaction. Exploitation allows remote code execution, including webshell uploads by manipulating the temporary file move operation, potentially leading to full server compromise with high impacts on confidentiality, integrity, and availability.
Version 3.2.15 of WeGIA patches the issue. Additional mitigation details are provided in the GitHub security advisory (GHSA-xw6w-x28r-2p5c) and the specific patching commit (7d0df8c9a0b8b7d6862bbc23dc729d73e39672a1).
Details
- CWE(s)