
CVE-2025-58159: Wegia RCE Vulnerability via File Upload

CVE-2025-58159 is a remote code execution vulnerability in Wegia caused by improper file upload validation. Attackers can upload PHP files to execute arbitrary code. This article covers technical details, affected versions, and patches.

CVE-2025-58159 Overview

CVE-2025-58159 is a remote code execution vulnerability in WeGIA, a web-based manager for charitable institutions developed by LabRedesCefetRJ. The flaw exists in versions prior to 3.4.11 and stems from improper validation of uploaded files. Attackers can upload files with arbitrary filenames, including those bearing a .php extension. The application writes uploaded content directly to disk without sanitizing the filename or restricting extensions. An adversary can embed PHP code after spreadsheet content and trigger server-side execution. The issue results from insufficient mitigation of CVE-2025-22133 and has been patched in version 3.4.11.

Critical Impact

Authenticated attackers can achieve arbitrary code execution on the underlying web server, compromising confidentiality, integrity, and availability of charitable institution data.

Affected Products

  • WeGIA versions prior to 3.4.11
  • Vendor: LabRedesCefetRJ (wegia)
  • Component: wegia:wegia

Discovery Timeline

  • 2025-08-29 - CVE-2025-58159 published to the National Vulnerability Database (NVD)
  • 2025-09-24 - Last updated in NVD database

Technical Details for CVE-2025-58159

Vulnerability Analysis

The vulnerability combines two weaknesses tracked under CWE-94 (Improper Control of Generation of Code) and CWE-434 (Unrestricted Upload of File with Dangerous Type). WeGIA exposes an upload endpoint that accepts spreadsheet files used for bulk data imports. The endpoint accepts user-supplied filenames without validation and writes the payload to a web-accessible directory.

Because the server preserves the attacker-controlled filename and extension, the uploaded artifact can be requested directly through the web server. PHP code appended to a spreadsheet file executes when the file is processed by the PHP interpreter. The EPSS score of approximately 0.95% places this issue in the 76th percentile for exploitation likelihood.

Root Cause

The upload handler fails to enforce an extension allowlist and does not regenerate filenames server-side. The earlier fix for CVE-2025-22133, which addressed a related upload flaw, did not fully constrain the accepted filename patterns. Attackers bypass the prior mitigation by crafting hybrid files that pass spreadsheet content checks while retaining a .php extension.

Attack Vector

An authenticated user with low privileges submits a multipart upload request to the affected import endpoint. The payload contains a polyglot file: valid spreadsheet headers followed by an embedded <?php ... ?> block, named with a .php extension. After upload, the attacker issues an HTTP GET request to the stored file path, causing the PHP runtime to execute the embedded code under the web server account.

No verified public exploit code is available. See the GitHub Security Advisory GHSA-wj2c-237g-cgqp for vendor technical details.

Detection Methods for CVE-2025-58159

Indicators of Compromise

  • Files with .php, .phtml, or double extensions present in WeGIA upload directories such as html/importar_dados/ or related import paths.
  • Spreadsheet files (.xlsx, .csv) whose binary content contains PHP tags <?php or <?=.
  • Outbound connections from the WeGIA web server to unfamiliar IP addresses shortly after import operations.
  • New or modified web shells under directories writable by the PHP-FPM or Apache process owner.

Detection Strategies

  • Inspect HTTP POST requests to WeGIA import endpoints for Content-Disposition headers containing filenames ending in executable extensions.
  • Hash and compare files in upload directories against an approved baseline to flag unexpected PHP scripts.
  • Correlate file creation events in upload paths with subsequent GET requests to the same file from external IPs.
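The indicators and detection strategies above can be folded into a single scanner. The following is an added example, not WeGIA code or tooling from the advisory: it flags files in an upload tree whose name carries an executable extension (including double extensions such as report.csv.php), spreadsheet files whose bytes contain a PHP open tag, and multipart Content-Disposition headers naming an executable file. The html/importar_dados/ layout and the sample files are constructed here for the demonstration.

```python
"""Added example: scan a WeGIA-style upload directory for the indicators listed
in the advisory. Not WeGIA code; the directory layout and files are constructed."""
import re
import tempfile
from pathlib import Path

# Extensions the PHP interpreter may execute (the advisory's workaround list).
EXECUTABLE_EXTS = {".php", ".phtml", ".php5", ".phar"}
# Spreadsheet types the import endpoint is expected to receive.
SPREADSHEET_EXTS = {".xlsx", ".csv"}
# PHP open tags (<?php or <?=) that have no business inside spreadsheet content.
PHP_TAG_RE = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)


def has_executable_extension(filename: str) -> bool:
    """True if any suffix is executable, so report.csv.php is caught too."""
    suffixes = {s.lower() for s in Path(filename).suffixes}
    return bool(suffixes & EXECUTABLE_EXTS)


def contains_php_tag(data: bytes) -> bool:
    """True if the raw bytes contain a PHP open tag."""
    return PHP_TAG_RE.search(data) is not None


def header_filename_suspicious(content_disposition: str) -> bool:
    """Inspect a multipart Content-Disposition header for an executable filename."""
    match = re.search(r'filename="([^"]*)"', content_disposition)
    return bool(match) and has_executable_extension(match.group(1))


def scan_upload_dir(root: str) -> list[tuple[str, str]]:
    """Return (relative POSIX path, reason) for every suspicious file under root."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if has_executable_extension(path.name):
            findings.append((rel, "executable extension"))
            continue
        if path.suffix.lower() in SPREADSHEET_EXTS and contains_php_tag(path.read_bytes()):
            findings.append((rel, "php tag inside spreadsheet"))
    return findings


def demo() -> list[tuple[str, str]]:
    """Build a constructed upload tree (not a real WeGIA install) and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "html" / "importar_dados"
        base.mkdir(parents=True)
        (base / "contacts.csv").write_text("name,email\nAna,ana@example.org\n")
        # Hybrid file: spreadsheet rows followed by a PHP open tag (constructed marker).
        (base / "report.csv").write_bytes(b"name,email\n<?php /* constructed marker */ ?>\n")
        # Double extension: the last suffix is what the interpreter honours.
        (base / "report.csv.php").write_text("name,email\n")
        (base / "notes.txt").write_text("plain text")
        return scan_upload_dir(tmp)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{reason}: {rel}")
```

Run it against the real upload root (with scan_upload_dir) from a scheduled job and diff the output against the previous run; a file that newly appears with either reason should be treated as a confirmed indicator, since neither an executable suffix nor a PHP open tag occurs in legitimate import data.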

Monitoring Recommendations

  • Enable web server access logging for the WeGIA virtual host and forward logs to a centralized analytics platform.
  • Monitor for child processes spawned by the PHP interpreter, such as sh, bash, nc, or curl, which indicate post-exploitation activity.
  • Alert on modifications to PHP files outside scheduled deployment windows.

How to Mitigate CVE-2025-58159

Immediate Actions Required

  • Upgrade WeGIA to version 3.4.11 or later without delay.
  • Audit upload directories for unauthorized .php files and remove confirmed web shells.
  • Rotate credentials and session tokens for all WeGIA user accounts after confirming a clean state.
  • Restrict access to the WeGIA administrative interface to trusted networks until patching completes.

Patch Information

The maintainers released a fix in WeGIA 3.4.11. Refer to the GitHub Security Advisory GHSA-wj2c-237g-cgqp for release details and source commits. The patch enforces extension validation and regenerates server-side filenames for uploaded artifacts.
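The two controls the patch is described as adding, an extension allowlist and server-generated filenames, are the core of safe upload handling, and the following added example models them in Python. It is not WeGIA's PHP code and not the 3.4.11 commit; the function names, the content checks (magic bytes for .xlsx, UTF-8 text for .csv, no PHP open tag in either) and the assumption that the upload directory lives outside the web root are defense-in-depth additions of this example. The sample uploads are constructed.

```python
"""Added example: allowlist + server-generated filename upload handling,
modelled in Python. Not WeGIA code; names and sample uploads are constructed."""
import os
import re
import secrets
import tempfile
from pathlib import Path
from typing import Optional

# Allowlist: anything not listed is rejected (no denylist of bad extensions).
ALLOWED_EXTS = {".csv", ".xlsx"}
PHP_TAG_RE = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)
XLSX_MAGIC = b"PK\x03\x04"  # .xlsx is a ZIP container
SERVER_NAME_RE = re.compile(r"^import_[0-9a-f]{32}\.(csv|xlsx)$")


class UploadRejected(ValueError):
    """Raised when an upload fails validation."""


def validate_upload(client_filename: str, data: bytes) -> str:
    """Return the extension to keep, or raise UploadRejected."""
    # Only the final suffix is considered; it must be on the allowlist.
    ext = Path(client_filename).suffix.lower()
    if ext not in ALLOWED_EXTS:
        raise UploadRejected(f"extension {ext!r} not allowed")
    if PHP_TAG_RE.search(data):
        raise UploadRejected("php tag in upload content")
    if ext == ".xlsx" and not data.startswith(XLSX_MAGIC):
        raise UploadRejected("xlsx content does not look like a zip container")
    if ext == ".csv":
        try:
            data.decode("utf-8")
        except UnicodeDecodeError:
            raise UploadRejected("csv is not valid utf-8 text") from None
    return ext


def rejection_reason(client_filename: str, data: bytes) -> Optional[str]:
    """Convenience wrapper: the rejection message, or None if the upload passes."""
    try:
        validate_upload(client_filename, data)
    except UploadRejected as exc:
        return str(exc)
    return None


def store_upload(upload_dir: str, client_filename: str, data: bytes) -> str:
    """Write the upload under a server-generated name and return that name.

    The client-supplied name never reaches the filesystem, so neither a .php
    suffix nor a ../ component in it can influence where or what is written.
    upload_dir is assumed to sit outside the web root (example assumption).
    """
    ext = validate_upload(client_filename, data)
    name = f"import_{secrets.token_hex(16)}{ext}"
    dest = Path(upload_dir) / name
    # O_EXCL refuses to overwrite an existing file; 0o640 leaves it non-executable.
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return name


def demo() -> dict[str, str]:
    """Run constructed uploads through store_upload and report each outcome."""
    cases = {
        "contacts.csv": b"name,email\nAna,ana@example.org\n",
        "shell.php": b"<?php /* constructed marker */ ?>",
        "hybrid.csv": b"name,email\n<?php /* constructed marker */ ?>\n",
        "report.csv.php": b"name,email\n",
        "../escape.csv": b"name,email\n",
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for fname, data in cases.items():
            try:
                stored = store_upload(tmp, fname, data)
            except UploadRejected as exc:
                results[fname] = f"rejected: {exc}"
                continue
            # Whatever the client called it, the on-disk name is server-generated.
            assert SERVER_NAME_RE.match(stored) and Path(tmp, stored).is_file()
            results[fname] = "stored"
    return results


if __name__ == "__main__":
    for fname, outcome in demo().items():
        print(f"{fname}: {outcome}")
```

Note that "../escape.csv" is stored: its final suffix is allowed, and because the name is regenerated the ../ is simply discarded. Pairing this with a web-server rule that never executes scripts from the upload path means a content check that is bypassed still does not yield code execution.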

Workarounds

  • Configure the web server to deny execution of PHP files within upload directories using Apache <Directory> blocks or Nginx location rules.
  • Apply a Web Application Firewall (WAF) rule that blocks multipart uploads where the filename ends in .php, .phtml, .php5, or .phar.
  • Run the WeGIA application under a least-privilege account and mount upload directories with the noexec option where supported.
```nginx
# Nginx configuration to block PHP execution in WeGIA upload paths.
# Place this block before any generic "location ~ \.php$" FastCGI block:
# Nginx uses the first matching regex location, so ordering decides which wins.
location ~* ^/html/importar_dados/.*\.(php|phtml|php5|phar)$ {
    deny all;
    return 403;
}
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
