CVE-2025-55168: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in LabRedesCefetRJ WeGIA
WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. Prior to version 3.4.8, a SQL Injection vulnerability was identified in the /html/saude/aplicar_medicamento.php endpoint, specifically in the id_fichamedica parameter. This vulnerability allows attackers to execute arbitrary SQL commands, compromising the confidentiality, integrity, and availability of the database. This issue has been patched in version 3.4.8.
AI Analysis
Technical Summary
CVE-2025-55168 is a critical SQL Injection vulnerability affecting versions of the open-source web management software WeGIA prior to 3.4.8. WeGIA is designed primarily for Portuguese-speaking charitable institutions, providing web-based management tools. The vulnerability exists in the /html/saude/aplicar_medicamento.php endpoint, specifically in the id_fichamedica parameter, which fails to properly neutralize special elements used in SQL commands. This improper input validation allows an unauthenticated attacker with low privileges to inject arbitrary SQL commands directly into the backend database. Exploitation can lead to full compromise of the database's confidentiality, integrity, and availability. Attackers could extract sensitive data, modify or delete records, or disrupt service availability. The CVSS 4.0 score of 9.4 reflects the high severity, with network attack vector, low attack complexity, no user interaction, and no authentication required. The vulnerability affects all versions prior to 3.4.8, which has patched the issue. Although no known exploits are currently reported in the wild, the critical nature and ease of exploitation make this a high-risk vulnerability that demands immediate attention from users of affected versions. The vulnerability is classified under CWE-89, indicating improper neutralization of special elements in SQL commands, a common and dangerous injection flaw.
Potential Impact
For European organizations using WeGIA, especially charitable and non-profit institutions serving Portuguese-speaking communities or collaborating internationally, this vulnerability poses a significant risk. Exploitation could lead to unauthorized disclosure of sensitive personal data, including medical or beneficiary information, violating GDPR and other data protection regulations. Data integrity could be compromised, undermining trust and operational reliability. Availability impacts could disrupt critical services provided by these organizations, affecting vulnerable populations relying on their support. Because no authentication is required and the endpoint is reachable over the network, attackers can exploit this remotely without user interaction, which widens the exposure. Additionally, reputational damage and potential regulatory penalties could arise from breaches caused by this vulnerability. Organizations that have not upgraded to version 3.4.8 remain exposed to these risks.
Mitigation Recommendations
Organizations should immediately verify their WeGIA version and upgrade to version 3.4.8 or later, where the vulnerability is patched. If immediate upgrade is not feasible, implement web application firewall (WAF) rules to detect and block SQL injection patterns targeting the id_fichamedica parameter. Conduct thorough input validation and sanitization on all user-supplied data, especially parameters interacting with SQL queries. Employ parameterized queries or prepared statements in the application code to prevent injection. Regularly audit and monitor database logs for suspicious queries or anomalies. Restrict database user privileges to the minimum necessary to limit potential damage. Additionally, perform penetration testing focused on injection flaws to verify the effectiveness of mitigations. Maintain an incident response plan to quickly address any exploitation attempts. Finally, ensure all staff are aware of the vulnerability and the importance of timely patching.
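The two code-level recommendations above (validate the parameter, then use a prepared statement) and the log-monitoring recommendation are illustrated below in an added PHP example. This is not WeGIA's own code: the table name ficha_medica, the column paciente, the row data, the function names and the access-log lines are all constructed for the demonstration, and the database is an in-memory SQLite instance via PDO so the script runs stand-alone.

```php
<?php
// Added example, not WeGIA's own code. Shows (1) the CWE-89 pattern beside a
// hardened version of the id_fichamedica lookup and (2) a triage pass over
// access-log lines to surface non-numeric values sent to that parameter.
// Table name, column names, rows and log lines are all constructed here.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE ficha_medica (id_fichamedica INTEGER PRIMARY KEY, paciente TEXT)');
$pdo->exec("INSERT INTO ficha_medica VALUES (1, 'Paciente A'), (2, 'Paciente B')");

// Vulnerable pattern (CWE-89): the request value is spliced into the SQL text,
// so the database parses whatever the client sent as part of the statement.
function buscarFichaInseguro(PDO $pdo, string $idFichaMedica): array
{
    $sql = "SELECT id_fichamedica, paciente FROM ficha_medica WHERE id_fichamedica = $idFichaMedica";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form: validate the type, then bind the value with a prepared
// statement so the id reaches the database as data, never as SQL.
function buscarFichaSeguro(PDO $pdo, string $idFichaMedica): ?array
{
    $id = filter_var($idFichaMedica, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        error_log('aplicar_medicamento: rejected non-integer id_fichamedica');
        return null; // caller answers HTTP 400; nothing is sent to the database
    }
    $stmt = $pdo->prepare('SELECT id_fichamedica, paciente FROM ficha_medica WHERE id_fichamedica = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Log triage: flag requests to the affected endpoint whose id_fichamedica
// value is not a plain positive integer. Lines follow the combined-log
// format of Apache/nginx; the ones below are constructed.
function fichasSuspeitas(array $logLines): array
{
    $hits = [];
    foreach ($logLines as $line) {
        if (!preg_match('#"(?:GET|POST) (\S*aplicar_medicamento\.php\S*) HTTP#', $line, $m)) {
            continue; // some other endpoint
        }
        $query = parse_url($m[1], PHP_URL_QUERY);
        if ($query === null || $query === false) {
            continue; // no query string at all
        }
        parse_str($query, $params);
        $v = $params['id_fichamedica'] ?? null;
        // An array value (id_fichamedica[]=...) or any non-integer string is flagged.
        if ($v !== null && (!is_string($v) || !preg_match('/^[1-9]\d*$/', $v))) {
            $hits[] = $line;
        }
    }
    return $hits;
}

$logs = [
    '10.0.0.5 - - [12/Aug/2025:19:02:59 +0000] "GET /html/saude/aplicar_medicamento.php?id_fichamedica=7 HTTP/1.1" 200 512',
    '10.0.0.9 - - [12/Aug/2025:19:03:10 +0000] "GET /html/saude/aplicar_medicamento.php?id_fichamedica=7%20abc HTTP/1.1" 500 120',
    '10.0.0.9 - - [12/Aug/2025:19:03:12 +0000] "GET /html/index.php HTTP/1.1" 200 2048',
];

print_r(buscarFichaSeguro($pdo, '1'));      // one row for id 1
var_dump(buscarFichaSeguro($pdo, '1 abc')); // NULL: rejected before any query is built
print_r(fichasSuspeitas($logs));            // only the second log line
```

Two points of design: with a MySQL backend, also set PDO::ATTR_EMULATE_PREPARES to false so the server, not the driver, prepares the statement and the bound integer can never be re-interpreted as SQL text. And because web-server access logs record only the query string, a parameter sent in a POST body is invisible to the log triage above; that case has to be caught by the application's own validation or by the WAF rule the recommendations mention.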
Affected Countries
Portugal, Spain, France, Germany, United Kingdom, Italy, Belgium, Netherlands
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-08-07T18:27:23.307Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 689b8fe3ad5a09ad0035cd98
Added to database: 8/12/2025, 7:02:59 PM
Last enriched: 8/12/2025, 7:17:49 PM
Last updated: 8/14/2025, 3:30:02 PM