CVE-2025-27140
Published: 24 February 2025
Summary
CVE-2025-27140 is a critical-severity OS Command Injection (CWE-78) vulnerability in Wegia Wegia. Its CVSS base score is 10.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 15.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
WeGIA is a web-based manager for charitable institutions, and an OS command injection vulnerability affects the importar_dump.php endpoint in all versions prior to 3.2.15. The flaw, tracked as CWE-78 and CWE-284, permits unauthenticated remote execution of operating-system commands because user-supplied input is passed directly to a system call that moves a temporary file.
An attacker can therefore upload a webshell or run arbitrary code on the server without authentication or user interaction, resulting in full compromise of the confidentiality, integrity Availability of the application and underlying host.
The project’s GitHub security advisory GHSA-xw6w-x28r-2p5c and the associated commit 7d0df8c9a0b8b7d6862bbc23dc729d73e39672a1 state that version 3.2.15 contains the fix; administrators are advised to upgrade immediately.
The EPSS score rose from a low baseline to a peak of 0.1189 on 2026-01-13 before receding to its current value of 0.0221, indicating that exploitation interest increased after public disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-5075
Vulnerability details
WeGIA is a Web manager for charitable institutions. An OS Command Injection vulnerability was discovered in versions prior to 3.2.15 of the WeGIA application, `importar_dump.php` endpoint. This vulnerability could allow an attacker to execute arbitrary code remotely. The command is…
more
basically a command to move a temporary file, so a webshell upload is also possible. Version 3.2.15 contains a patch for the issue.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
OS command injection in public-facing web app directly enables remote exploitation (T1190), arbitrary command execution via Unix shell (T1059.004), and webshell uploads/deployment (T1505.003).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mitigates the vulnerability by requiring installation of the patch in WeGIA version 3.2.15 that fixes the OS command injection in importar_dump.php.
Requires input validation and sanitization at the importar_dump.php endpoint to block malicious payloads in the file move command parameters.
Restricts types, formats, and lengths of inputs to the vulnerable endpoint to exclude OS command injection characters and payloads.