A critical vulnerability has been identified in the WeGIA web manager software, resulting from an incomplete fix for a previous issue. This flaw allows an attacker to upload a malicious file disguised as a legitimate document, which can lead to remote code execution. Successful exploitation could result in a complete system compromise, leading to data theft, service disruption, and significant reputational damage for the affected charitable institution.

This is a critical arbitrary file upload vulnerability that exists due to an incomplete patch for a prior vulnerability, CVE-2025-22133. The application's security mechanism for file uploads is insufficient, as it only validates the MIME type of the file. An attacker can craft a malicious script (e.g., a PHP web shell) and manipulate its MIME type to impersonate an allowed file type, such as an Excel spreadsheet. Upon uploading the malicious file, the attacker can then access it via a URL and execute arbitrary code on the server with the privileges of the web service account.

This vulnerability is rated as critical severity with a CVSS score of 9.9, reflecting the extreme risk it poses to the organization. A successful exploit grants an attacker Remote Code Execution (RCE) capabilities, effectively giving them full control over the affected server. The potential consequences include a severe data breach of sensitive donor and institutional information, financial theft, complete service disruption, and significant reputational harm. The compromised server could also be used as a pivot point to launch further attacks against the internal network.

Immediate Action: Immediately apply the security updates provided by the vendor. Upgrade all instances of WeGIA is a Web manager for charitable Multiple Products to the latest, patched version to fully remediate the vulnerability.

Proactive Monitoring: Review web server and application access logs for any suspicious file upload attempts, particularly POST requests to upload endpoints containing files with unexpected extensions (e.g., .php, .jsp, .aspx). Monitor for unusual outbound network connections from the web server, which could indicate a web shell communicating with a command-and-control server. Implement File Integrity Monitoring (FIM) to detect the creation of unauthorized files in web-accessible directories.

Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) with strict rules to block the upload of executable file types. If the functionality is not essential, temporarily disable the file upload feature entirely. Ensure the web application runs with the lowest possible privileges and cannot write files to executable directories.

Public Exploit Available: false

Given the critical CVSS score of 9.9 and the high potential for a full system compromise, organizations must treat this vulnerability with the highest priority. The immediate application of the vendor-supplied patch is the only effective method of remediation. Although this vulnerability is not yet on the CISA Known Exploited Vulnerabilities (KEV) catalog, its severity and nature as a patch bypass indicate a high probability of future exploitation. We strongly recommend patching all affected systems immediately and concurrently hunting for any signs of prior compromise.