CVE-2025-26617
Published: 18 February 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-26617 is a SQL injection vulnerability (CWE-89, CWE-284) affecting WeGIA, an open-source web manager for institutions primarily aimed at Portuguese-language users. The flaw exists in the `historico_paciente.php` endpoint, where insufficient input validation allows attackers to execute arbitrary SQL queries, potentially leading to unauthorized access to sensitive information. Published on 2025-02-18, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), classifying it as critical.
The vulnerability is exploitable remotely by unauthenticated attackers (PR:N) over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Successful exploitation enables arbitrary SQL execution, granting high-impact access to confidential data (C:H), as well as the ability to modify (I:H) or disrupt (A:H) database operations under unchanged scope (S:U), such as extracting patient records or altering institutional data.
The vulnerability has been addressed in WeGIA version 3.2.14, with all users advised to upgrade promptly. No workarounds are known. Additional details are available in the GitHub security advisory at https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-f654-c5r5-jx77.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The SQL injection vulnerability in the public-facing WeGIA web application directly enables T1190 (Exploit Public-Facing Application) for remote unauthenticated initial access and arbitrary database query execution.