
CVE-2025-54062: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in LabRedesCefetRJ WeGIA

Critical
Tags: Vulnerability, CVE-2025-54062, cve, cve-2025-54062, cwe-89
Published: Thu Jul 17 2025 (07/17/2025, 14:33:27 UTC)
Source: CVE Database V5
Vendor/Project: LabRedesCefetRJ
Product: WeGIA

Description

WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. A SQL Injection vulnerability was identified in versions prior to 3.4.6 in the `/html/funcionario/profile_dependente.php` endpoint, specifically in the `id_dependente` parameter. This vulnerability allows attackers to execute arbitrary SQL commands, compromising the confidentiality, integrity, and availability of the database. Version 3.4.6 fixes the issue.

AI-Powered Analysis

Last updated: 07/17/2025, 15:01:24 UTC

Technical Analysis

CVE-2025-54062 is a critical SQL Injection vulnerability in the WeGIA web management platform developed by LabRedesCefetRJ. WeGIA is an open-source web manager aimed primarily at Portuguese-speaking charitable institutions. The vulnerability exists in versions prior to 3.4.6, in the /html/funcionario/profile_dependente.php endpoint, within the id_dependente parameter. Because special characters in this parameter are not properly neutralized before it reaches the database query, an attacker can inject arbitrary SQL commands. This can lead to unauthorized data access, modification, or deletion, compromising the confidentiality, integrity, and availability of the backend database. As indicated by the CVSS 4.0 vector AV:N/AC:L/PR:L/UI:N, the flaw is reachable remotely over the network, has low attack complexity, requires only low privileges, and needs no user interaction. The affected endpoint manages dependent profiles, which likely contain sensitive personal and organizational data. Although no exploits are currently reported in the wild, the CVSS score of 9.4 reflects the severe potential impact. The issue is resolved in WeGIA version 3.4.6, which properly sanitizes the id_dependente parameter to prevent SQL Injection.

Potential Impact

For European organizations, especially charitable institutions or NGOs running WeGIA or similar open-source management platforms, this vulnerability poses a significant risk. Exploitation could lead to unauthorized disclosure of sensitive personal data of dependents and employees, violating GDPR and other data protection regulations. Data integrity could be compromised by unauthorized modification or deletion of records, disrupting operations and trust. Availability could also be affected if attackers execute destructive SQL commands or cause database corruption. Given WeGIA's focus on the Portuguese language and on charitable institutions, organizations in Portugal and other Portuguese-speaking communities in Europe are particularly at risk. A breach of sensitive data could result in reputational damage, regulatory fines, and operational disruption. Additionally, a compromised database could serve as a foothold for further network intrusion or lateral movement within the organization.

Mitigation Recommendations

European organizations using WeGIA should immediately verify the deployed version and upgrade to 3.4.6 or later to apply the official patch for this SQL Injection vulnerability. Until the upgrade is applied, Web Application Firewall (WAF) rules should be deployed to detect and block SQL payloads targeting the id_dependente parameter. Input validation and parameterized queries should be enforced in any custom code or integrations that interact with WeGIA. Regular database backups should be maintained so that data can be restored after corruption or deletion. Organizations should also conduct security audits and penetration tests focused on injection flaws. Monitoring application logs for suspicious query patterns and failed SQL statements can reveal attempted exploitation. Finally, database and application user privileges should be reviewed so that least privilege is applied, limiting the impact of a successful attack.
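As an added example (not code from WeGIA or from this advisory), the following Python script applies the same allowlist rule a hardened profile_dependente.php should enforce, a plain bounded integer for id_dependente, to web-server access logs so that requests carrying anything else can be flagged while an unpatched instance is still online. It assumes Apache/nginx combined log format; the sample lines are constructed, not real traffic.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Endpoint and parameter named in the advisory.
ENDPOINT = "/html/funcionario/profile_dependente.php"
PARAM = "id_dependente"

# Combined log format (assumed): ip ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def is_valid_id(value: str) -> bool:
    """Allowlist rule a hardened endpoint should enforce: ASCII digits only,
    bounded in length. Quotes, spaces, keywords or an empty value all fail."""
    return value.isascii() and value.isdigit() and len(value) <= 10


def flag_line(line: str):
    """Return a finding for a profile_dependente.php request whose id_dependente
    fails the allowlist; return None for other lines or well-formed requests."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    if url.path != ENDPOINT:
        return None
    # parse_qs removes one layer of percent-encoding; decoding once more exposes
    # double-encoded values (%2527 -> %27 -> ') that a single-decode filter misses.
    for value in parse_qs(url.query, keep_blank_values=True).get(PARAM, []):
        decoded = unquote_plus(value)
        if not is_valid_id(decoded):
            return {"ip": m["ip"], "ts": m["ts"], "status": m["status"],
                    "value": value, "decoded": decoded}
    return None


def scan(lines):
    """Scan an iterable of log lines and return every finding."""
    return [f for f in map(flag_line, lines) if f]


# Constructed sample lines: benign id, stray quote, double-encoded quote,
# other endpoint, and a request without the parameter.
SAMPLE_LINES = [
    '203.0.113.5 - - [17/Jul/2025:14:40:01 +0000] "GET /html/funcionario/profile_dependente.php?id_dependente=42 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [17/Jul/2025:14:40:07 +0000] "GET /html/funcionario/profile_dependente.php?id_dependente=42%27 HTTP/1.1" 500 312',
    '198.51.100.9 - - [17/Jul/2025:14:41:13 +0000] "GET /html/funcionario/profile_dependente.php?id_dependente=42%2527 HTTP/1.1" 200 5120',
    '198.51.100.9 - - [17/Jul/2025:14:41:20 +0000] "GET /html/funcionario/index.php?id_dependente=42%27 HTTP/1.1" 200 800',
    '203.0.113.5 - - [17/Jul/2025:14:42:02 +0000] "GET /html/funcionario/profile_dependente.php HTTP/1.1" 200 4000',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LINES):
        print(f"{f['ts']} {f['ip']} status={f['status']} {PARAM}={f['decoded']!r}")
```

A 500 status paired with a flagged value is worth correlating with the database error log, since a malformed query that errors out is the typical first sign of probing against an unpatched instance.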


Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2025-07-16T13:22:18.204Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 68790cb4a83201eaace66ba4

Added to database: 7/17/2025, 2:46:12 PM

Last enriched: 7/17/2025, 3:01:24 PM

Last updated: 7/18/2025, 5:12:58 AM
