CVE-2025-26610
Published: 18 February 2025
Description
Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.
Security Summary
CVE-2025-26610 is a SQL injection vulnerability (CWE-89) affecting WeGIA, an open source Web Manager for Institutions primarily focused on Portuguese language users. The issue resides in the `restaurar_produto_desocultar.php` endpoint, where an authorized attacker can execute arbitrary SQL queries to access sensitive information. Published on 2025-02-18, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity with high impacts on confidentiality, integrity, and availability.
The vulnerability can be exploited remotely over the network with low attack complexity, requiring no privileges (PR:N), no user interaction, and no special scoping changes. Despite the description noting an "authorized attacker," the CVSS vector suggests unauthenticated access is feasible, allowing arbitrary SQL execution that could lead to data exfiltration, modification, or denial of service on the underlying database.
The vulnerability has been addressed in WeGIA version 3.2.13, and all users are strongly advised to upgrade. No workarounds are available. For full details, refer to the GitHub Security Advisory at https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-6p7c-9hcx-jpqj.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection vuln in public-facing web app directly enables T1190 (Exploit Public-Facing Application); arbitrary SQL queries facilitate T1213.006 (Databases) for sensitive data access, T1565.001 (Stored Data Manipulation) for modifications, and T1485 (Data Destruction) for DoS via DB operations.