CVE-2025-58159
Published: 29 August 2025
Summary
CVE-2025-58159 is a critical-severity Code Injection (CWE-94) vulnerability in WeGIA. Its CVSS base score is 9.9 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 26.2% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly requires validation of uploaded files to prevent arbitrary filenames, dangerous extensions like .php, and appended malicious PHP code from being accepted and executed.
Enforces restrictions on file upload types and extensions, blocking unrestricted uploads of executable files that lead to remote code execution.
Mandates timely flaw remediation, such as applying the patch in WeGIA 3.4.11, to fix the improper file validation vulnerability.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unrestricted file upload in public-facing web app enables RCE via malicious PHP payload (web shell).
NVD Description
WeGIA is a Web manager for charitable institutions. Prior to version 3.4.11, a remote code execution vulnerability was identified, caused by improper validation of uploaded files. The application allows an attacker to upload files with arbitrary filenames, including those with a .php extension. Because the uploaded file is written directly to disk without adequate sanitization or extension restrictions, a spreadsheet file followed by PHP code can be uploaded and executed on the server, leading to arbitrary code execution. This is due to insufficient mitigation of CVE-2025-22133. This issue has been patched in version 3.4.11.
Deeper analysis
CVE-2025-58159 is a remote code execution vulnerability in WeGIA, a web manager for charitable institutions, affecting versions prior to 3.4.11. The flaw arises from improper validation of uploaded files, which permits attackers to upload files with arbitrary filenames, including those ending in .php. These files are written directly to disk without sufficient sanitization or extension restrictions, allowing a spreadsheet file appended with PHP code to be executed on the server and achieve arbitrary code execution. This issue results from inadequate mitigation of CVE-2025-22133 and is associated with CWE-94 (code injection) and CWE-434 (unrestricted upload of files).
The vulnerability can be exploited remotely over the network (AV:N) with low attack complexity (AC:L), requiring only low privileges (PR:L) and no user interaction (UI:N). Exploitation changes scope (S:C) and yields high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), earning a CVSS v3.1 base score of 9.9. An authenticated attacker with minimal access could thus execute arbitrary code on the server.
The issue has been patched in WeGIA version 3.4.11. Additional details on the advisory are available at https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-wj2c-237g-cgqp.
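The input-validation checks described above (extension restriction, rejecting a spreadsheet with appended content, and never writing the client-supplied filename to disk) can be sketched as follows. This is an added example in Python, not WeGIA's code or the 3.4.11 patch; the function names, the `.xlsx`-only allowlist and the sample bytes are assumptions made for illustration.

```python
import io
import os
import secrets
import zipfile

ALLOWED_EXTENSIONS = {".xlsx"}  # assumption: the import feature only needs .xlsx
EOCD_SIG = b"PK\x05\x06"        # ZIP end-of-central-directory signature

def zip_trailing_bytes(data):
    """Bytes found after the ZIP end record; 0 for a clean archive, -1 if no record."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0 or len(data) < eocd + 22:
        return -1
    comment_len = int.from_bytes(data[eocd + 20:eocd + 22], "little")
    return len(data) - (eocd + 22 + comment_len)

def check_upload(client_name, data):
    """Return rejection reasons for an upload; an empty list means it may be stored."""
    reasons = []
    ext = os.path.splitext(client_name)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        reasons.append("extension not allowed")
    if not data.startswith(b"PK\x03\x04"):
        reasons.append("not a ZIP-based spreadsheet")
    elif zip_trailing_bytes(data) != 0:
        reasons.append("data appended after ZIP end record")
    if b"<?php" in data.lower():  # secondary signal only; short tags are not covered
        reasons.append("PHP open tag in content")
    return reasons

def stored_name():
    """Server-generated name with a fixed extension; the client filename is never used."""
    return secrets.token_hex(16) + ".xlsx"

def constructed_samples():
    """Constructed test inputs: a minimal ZIP container and the same bytes plus a PHP tag."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
    clean = buf.getvalue()
    return clean, clean + b"<?php /* constructed marker */ ?>"

if __name__ == "__main__":
    clean, polyglot = constructed_samples()
    cases = [("report.xlsx", clean), ("report.php", polyglot), ("report.xlsx", polyglot)]
    for name, data in cases:
        print(name, check_upload(name, data) or "accepted")
```

The extension allowlist and the server-generated stored name are the controls that stop an uploaded file from being interpreted as PHP; the content checks are a second layer that catches the appended-payload case even when the extension looks benign.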
Details
- CWE(s)