CVE-2025-58745
Published: 08 September 2025
Summary
CVE-2025-58745 is a critical-severity Code Injection (CWE-94) vulnerability in WeGIA. Its CVSS base score is 9.9 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 34.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-10 mandates validation of information inputs like file uploads to prevent bypass of MIME checks via magic bytes, directly blocking arbitrary PHP webshell uploads.
SI-2 requires timely remediation of flaws such as this file upload vulnerability by applying patches like the update to WeGIA 3.4.11.
SI-3 deploys malicious code protection at entry points to scan and eradicate uploaded webshells disguised as Excel files.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The arbitrary file upload bypass enables exploitation of a public-facing web application (T1190) to upload web shells (T1505.003) disguised with Excel magic bytes, leading to RCE.
NVD Description
WeGIA is a Web manager for charitable institutions. The fix for CVE-2025-22133 was not enough to remediate the arbitrary file upload vulnerability. WeGIA only checks MIME types for Excel files at endpoint `/html/socio/sistema/controller/controla_xlsx.php`, which can be bypassed by using the magic bytes of an Excel file in a PHP file. As a result, an attacker can upload a webshell to the server for remote code execution. Version 3.4.11 contains an updated fix.
Deeper analysis
CVE-2025-58745 is an arbitrary file upload vulnerability in WeGIA, an open-source web manager for charitable institutions. The issue stems from an insufficient fix for the prior CVE-2025-22133: WeGIA's MIME type check for Excel files at the endpoint `/html/socio/sistema/controller/controla_xlsx.php` inspects only the leading magic bytes and can be bypassed. Attackers can craft a PHP file that begins with Excel magic bytes to pass the check, enabling webshell uploads. The vulnerability affects WeGIA versions prior to 3.4.11 and carries a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H), linked to CWE-94 (code injection) and CWE-434 (unrestricted upload).
Low-privileged remote users (PR:L) can exploit this over the network with low complexity and no user interaction. By uploading a malicious PHP file disguised as an Excel spreadsheet, attackers gain remote code execution on the server, achieving high confidentiality, integrity, and availability impacts with changed scope.
The GitHub Security Advisory (GHSA-hq96-gvmx-qrwp) recommends updating to WeGIA version 3.4.11, which includes a proper fix for the file upload validation bypass.
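The check-versus-bypass described above, as an added example that is not WeGIA's code: a Python validator (the same logic applies to the PHP endpoint) contrasts the magic-bytes-only check the advisory describes with a structural check that parses the upload as a complete .xlsx package, assumed here to be the ZIP-based format given the `controla_xlsx.php` endpoint name. The sample files, package members and marker lists are constructed for the example.

```python
import io
import zipfile

# Constructed sample: a minimal ZIP package with the members every .xlsx has.
def build_package(extra_member=None) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types/>')
        zf.writestr("xl/workbook.xml", '<?xml version="1.0"?><workbook/>')
        if extra_member is not None:  # (name, content) smuggled into the package
            zf.writestr(*extra_member)
    return buf.getvalue()

GOOD_XLSX = build_package()
# Constructed decoy in the shape the advisory describes: a PHP file with the
# .xlsx (ZIP) magic bytes prepended. The body is harmless.
DECOY = b"PK\x03\x04" + b"<?php echo 'constructed decoy'; ?>"

ZIP_MAGIC = b"PK\x03\x04"
REQUIRED_MEMBERS = {"[Content_Types].xml", "xl/workbook.xml"}
PHP_MARKERS = (b"<?php", b"<?=")          # note: "<?xml" does not match
PHP_SUFFIXES = (".php", ".phtml", ".phar")

def magic_only_check(data: bytes) -> bool:
    """The weak check the advisory describes: trust the leading magic bytes."""
    return data.startswith(ZIP_MAGIC)

def structural_check(data: bytes) -> bool:
    """Parse the whole package, require the members an .xlsx always has,
    and reject any member that looks like PHP by name or content."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            if not REQUIRED_MEMBERS <= names:
                return False
            for name in names:
                if name.lower().endswith(PHP_SUFFIXES):
                    return False
                if any(m in zf.read(name).lower() for m in PHP_MARKERS):
                    return False
    except zipfile.BadZipFile:
        return False  # not a ZIP at all, whatever the first bytes claim
    return True

def validate_upload(filename: str, data: bytes) -> bool:
    """Server-side decision: extension allowlist, then structural validation.
    Accepted files should be stored under a server-generated name outside the webroot."""
    if not filename.lower().endswith(".xlsx"):
        return False
    return structural_check(data)
```

Both samples pass `magic_only_check`, which is exactly the gap the advisory describes; only the genuine package passes `structural_check`.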