CVE-2025-54058: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in LabRedesCefetRJ WeGIA
WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. A SQL Injection vulnerability was identified in versions prior to 3.4.6 in the `idatendido_familiares` parameter of the `/html/funcionario/dependente_editarEndereco.php` endpoint. This vulnerability allows an attacker to manipulate SQL queries and access sensitive database information, such as table names and sensitive data. Version 3.4.6 fixes the issue.
AI Analysis
Technical Summary
CVE-2025-54058 is a critical SQL Injection vulnerability in WeGIA, the open-source web management software developed by LabRedesCefetRJ and aimed primarily at Portuguese-speaking charitable institutions. The vulnerability exists in versions prior to 3.4.6 and affects the `idatendido_familiares` parameter of the `/html/funcionario/dependente_editarEndereco.php` endpoint. Because the parameter is not properly neutralized before being used in an SQL command (CWE-89), an attacker can alter the SQL query the application executes and read sensitive database information, including table names and potentially the sensitive data stored in those tables. The CVSS vector (AV:N/AC:L/AT:N/UI:N/PR:L) shows that the flaw is reachable over the network with low attack complexity and no user interaction, while the PR:L component indicates that a low-privileged account on the application is needed rather than anonymous access. The CVSS 4.0 base score of 9.4 reflects high impact on confidentiality, integrity, and availability combined with ease of exploitation. Although no exploits are currently reported in the wild, the severity and nature of the vulnerability make it a significant risk. Version 3.4.6 of WeGIA addresses this issue by properly sanitizing the vulnerable parameter, mitigating the risk of SQL injection attacks.
Potential Impact
For European organizations, especially charitable institutions or non-profits using WeGIA for web management, this vulnerability poses a severe risk. Exploitation could lead to unauthorized disclosure of sensitive personal data, including donor information, beneficiary details, and internal organizational data. This could result in violations of the EU General Data Protection Regulation (GDPR), leading to legal penalties and reputational damage. Furthermore, attackers could alter or delete critical data, disrupting organizational operations and trust. Because the flaw is reachable over the network from any low-privileged account, a single compromised or malicious user account may be enough to reach the database, potentially allowing widespread compromise of affected systems. Given the focus on the Portuguese language and charitable institutions, organizations in Portugal and other Portuguese-speaking communities within Europe are particularly at risk. Additionally, the exposure of internal database schema information could facilitate further targeted attacks, including privilege escalation or lateral movement within the network.
Mitigation Recommendations
Organizations using WeGIA should immediately upgrade to version 3.4.6 or later, where the vulnerability is patched. If immediate upgrade is not feasible, implement web application firewall (WAF) rules to detect and block SQL injection patterns targeting the `idatendido_familiares` parameter. Conduct thorough input validation and sanitization on all user-supplied data, especially parameters used in SQL queries. Employ parameterized queries or prepared statements in the application code to prevent injection attacks. Regularly audit and monitor database access logs for suspicious queries or anomalous activities. Additionally, perform security assessments and penetration testing focusing on injection flaws to identify any residual vulnerabilities. Organizations should also review and update their incident response plans to handle potential data breaches resulting from exploitation of this vulnerability.
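To make the parameterized-query recommendation concrete, the following is an added PHP example written for this advisory; it is not WeGIA's code, and the table name `endereco_dependente`, the `rua` column and the function names are assumptions chosen for illustration. It places the unsafe string-concatenation pattern that produces CWE-89 beside a hardened version that validates `idatendido_familiares` as a positive integer and binds it through a PDO prepared statement, and it runs stand-alone against an in-memory SQLite database populated with constructed rows.

```php
<?php
// Added example for this advisory; not WeGIA's code. The table/column names
// (endereco_dependente, rua) and function names are assumptions for illustration.
declare(strict_types=1);

// UNSAFE (CWE-89): the request parameter is spliced into the SQL text, so any
// special characters it contains become part of the query grammar instead of data.
// Shown for contrast only; the demo below never calls it.
function loadDependentAddressUnsafe(PDO $db, string $idatendidoFamiliares): array
{
    $sql = 'SELECT rua FROM endereco_dependente WHERE idatendido_familiares = '
         . $idatendidoFamiliares;
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED: validate the parameter as a positive integer, then pass it to the
// database as a bound value of a prepared statement. The value can never change
// the structure of the query, and malformed input is rejected before any SQL runs.
function loadDependentAddress(PDO $db, string $idatendidoFamiliares): array
{
    $id = filter_var(
        $idatendidoFamiliares,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($id === false) {
        throw new InvalidArgumentException(
            'idatendido_familiares must be a positive integer'
        );
    }

    $stmt = $db->prepare(
        'SELECT rua FROM endereco_dependente WHERE idatendido_familiares = :id'
    );
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Stand-alone demo on an in-memory SQLite database with constructed sample rows.
function demo(): void
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE endereco_dependente (idatendido_familiares INTEGER, rua TEXT)');
    $db->exec("INSERT INTO endereco_dependente VALUES (1, 'Rua A'), (2, 'Rua B')");

    // Constructed inputs as they might arrive in $_GET['idatendido_familiares']:
    // a valid id, a value with a stray quote, and an out-of-range value.
    foreach (['2', "2'", '-1'] as $input) {
        try {
            $rows = loadDependentAddress($db, $input);
            printf("%-4s -> %s\n", $input, json_encode($rows));
        } catch (InvalidArgumentException $e) {
            printf("%-4s -> rejected: %s\n", $input, $e->getMessage());
        }
    }
}

demo();
```

The validation step is deliberately kept separate from the binding step: the prepared statement alone already prevents the value from changing the query structure, while the integer check gives the application a clear place to reject and log malformed input, which is what the monitoring recommendation above relies on. When the same pattern is used with the MySQL driver, also set `PDO::ATTR_EMULATE_PREPARES` to `false` so that binding is performed by the server rather than by client-side string substitution.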
Affected Countries
Portugal, Spain, France, Germany, United Kingdom, Belgium, Netherlands
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-07-16T13:22:18.203Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6879092fa83201eaace65554
Added to database: 7/17/2025, 2:31:11 PM
Last enriched: 7/17/2025, 2:46:24 PM
Last updated: 8/23/2025, 12:28:15 AM
Related Threats
- CVE-2025-40709: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in ACDH-CH OpenAtlas (Medium)
- CVE-2025-40708: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in ACDH-CH OpenAtlas (Medium)
- CVE-2025-40707: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in ACDH-CH OpenAtlas (Medium)
- CVE-2025-40706: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in ACDH-CH OpenAtlas (Medium)
- CVE-2025-9217: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Revolution Slider Slider Revolution (Medium)