CVE-2025-30361
Published: 27 March 2025
Summary
CVE-2025-30361 is a critical-severity Improper Authentication (CWE-287) vulnerability in Wegia Wegia. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 17.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-5 (Authenticator Management).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
IA-5 requires verification of the current authenticator or user identity before issuing or changing passwords, directly preventing unauthorized password resets without old password verification.
AC-3 enforces approved access control policies at the application level, blocking unauthenticated access to the control.php password change endpoint.
SI-2 mandates timely identification, testing, and installation of software patches, directly addressing this CVE by upgrading to the fixed version 3.2.6.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Authentication bypass in public-facing web app (control.php) directly enables T1190 for initial access via crafted requests and T1098 for unauthorized account manipulation (password changes without verification).
NVD Description
WeGIA is a Web manager for charitable institutions. A security vulnerability was identified in versions prior to 3.2.6, where it is possible to change a user's password without verifying the old password. This issue exists in the control.php endpoint and…
more
allows unauthorized attackers to bypass authentication and authorization mechanisms to reset the password of any user, including admin accounts. Version 3.2.6 fixes the issue.
Deeper analysisAI
CVE-2025-30361 is a critical authentication bypass vulnerability affecting WeGIA, an open-source web manager for charitable institutions, in versions prior to 3.2.6. The flaw resides in the control.php endpoint, where it is possible to change any user's password without verifying the old password. This improper authentication mechanism, mapped to CWE-287, enables attackers to circumvent both authentication and authorization controls. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for complete system compromise.
Any unauthenticated attacker with network access can exploit this vulnerability remotely with low complexity and no user interaction required. By sending crafted requests to the control.php endpoint, they can reset the password of arbitrary users, including administrative accounts, granting full unauthorized access to the application and potentially the underlying systems or data.
The GitHub security advisory (GHSA-m6qw-r3m9-jf7h) confirms that WeGIA version 3.2.6 addresses and fixes this issue, recommending immediate upgrades for affected installations. No additional workarounds are specified in the available references.
Details
- CWE(s)