CVE-2025-26609
Published: 18 February 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-26609 is a SQL injection vulnerability in the WeGIA open-source web manager application, primarily targeted at Portuguese-language institutional users. The flaw resides in the `familiar_docfamiliar.php` endpoint, enabling attackers to execute arbitrary SQL queries and gain unauthorized access to sensitive information. Associated with CWE-89 (SQL Injection) and CWE-284 (Improper Access Control), it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its high impact on confidentiality, integrity, and availability.
The vulnerability is exploitable remotely over the network by unauthenticated attackers with no privileges or user interaction required, making it highly accessible. Successful exploitation allows arbitrary SQL query execution, potentially leading to full database compromise, including data exfiltration, modification, or deletion of sensitive institutional records.
The GitHub security advisory (GHSA-h7jx-ggv8-v2rh) confirms the issue is fixed in WeGIA version 3.2.14, urging all users to upgrade immediately, with no known workarounds available.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in public-facing web app enables remote unauthenticated exploitation for initial access and database compromise.