CVE-2025-61603: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in LabRedesCefetRJ WeGIA

Critical
Type: Vulnerability | Tags: CVE-2025-61603, CWE-89
Published: Thu Oct 02 2025 (10/02/2025, 19:53:36 UTC)
Source: CVE Database V5
Vendor/Project: LabRedesCefetRJ
Product: WeGIA

Description

WeGIA is a Web manager for charitable institutions. Versions 3.4.12 and below include an SQL Injection vulnerability which was identified in the /controle/control.php endpoint, specifically in the descricao parameter. This vulnerability allows attackers to execute arbitrary SQL commands, compromising the confidentiality, integrity, and availability of the database. This issue is fixed in version 3.5.0.

AI-Powered Analysis

AI analysis last updated: 10/02/2025, 19:56:29 UTC

Technical Analysis

CVE-2025-61603 is a critical SQL Injection vulnerability affecting WeGIA, a web management platform used by charitable institutions, developed by LabRedesCefetRJ. The vulnerability exists in versions 3.4.12 and below, specifically in the /controle/control.php endpoint within the 'descricao' parameter. Improper neutralization of special elements in this parameter allows an attacker to inject arbitrary SQL commands. This can lead to unauthorized access, modification, or deletion of database records, compromising confidentiality, integrity, and availability of the underlying data. The vulnerability requires no user interaction and can be exploited remotely without authentication, making it highly dangerous. The CVSS 4.0 score is 9.4 (critical), reflecting the ease of exploitation and the severe impact on the affected systems. The issue is resolved in version 3.5.0 of WeGIA. No known exploits are currently reported in the wild, but the high severity and nature of the vulnerability suggest that exploitation attempts could emerge rapidly once public details are widely known.

Potential Impact

For European organizations, particularly charitable institutions or NGOs using WeGIA for web management, this vulnerability poses a significant risk. Exploitation could lead to unauthorized data disclosure, including sensitive donor or beneficiary information, damaging privacy compliance under GDPR. Data integrity could be compromised, leading to misinformation or disruption of organizational operations. Availability of services could also be affected if attackers delete or corrupt database content. The reputational damage and potential regulatory penalties from data breaches could be substantial. Given the critical severity and remote exploitability without authentication, European entities using affected versions are at high risk of targeted or opportunistic attacks, especially as attackers often focus on sectors handling sensitive personal data.

Mitigation Recommendations

Organizations should immediately verify their WeGIA version and upgrade to version 3.5.0 or later, where the vulnerability is patched. If immediate upgrade is not feasible, implement Web Application Firewall (WAF) rules to detect and block SQL injection attempts targeting the 'descricao' parameter in /controle/control.php. Conduct thorough input validation and sanitization on all user-supplied data, especially parameters used in SQL queries. Employ parameterized queries or prepared statements in the application code to prevent injection. Regularly audit and monitor database logs for suspicious queries or anomalies. Additionally, restrict database user permissions to the minimum necessary to limit the impact of any successful injection. Organizations should also review and update incident response plans to address potential exploitation scenarios related to this vulnerability.
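The advisory attributes the flaw to improper neutralization of the 'descricao' parameter and recommends prepared statements as the fix. The following is an added example written for this page; it is not WeGIA's code and does not reproduce /controle/control.php. It assumes an in-memory SQLite table standing in for the application database, a request value named `descricao` as in the advisory, and constructed table names, columns and rows. It shows the same lookup written the vulnerable way (string concatenation, CWE-89) and the hardened way (PDO prepared statement with a bound parameter), plus a constructed allow-list check of the kind the "input validation" recommendation refers to.

```php
<?php
// Added example (not WeGIA's code). Assumptions: SQLite in memory stands in for
// the real database; the table 'registros', its columns and rows are constructed.
declare(strict_types=1);

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE registros (id INTEGER PRIMARY KEY, descricao TEXT NOT NULL)');
    $db->exec("INSERT INTO registros (descricao) VALUES
        ('doacao de alimentos'), ('visita domiciliar'), ('relatorio interno')");
    return $db;
}

// Vulnerable form (CWE-89): the request value is spliced into the SQL text, so a
// quote character inside $descricao changes the structure of the statement.
function findByDescricaoUnsafe(PDO $db, string $descricao): array
{
    $sql = "SELECT id, descricao FROM registros WHERE descricao = '" . $descricao . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form: the SQL text is fixed at prepare() time and the value is bound
// afterwards, so the driver can only ever treat it as data to compare against.
function findByDescricaoSafe(PDO $db, string $descricao): array
{
    $stmt = $db->prepare('SELECT id, descricao FROM registros WHERE descricao = :descricao');
    $stmt->execute([':descricao' => $descricao]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Defence in depth, not a substitute for binding: reject values that cannot be a
// legitimate description before they reach the database. The byte-length cap and
// the allowed character set are constructed limits; use the application's real rules.
function validateDescricao(string $descricao): bool
{
    return strlen($descricao) <= 200
        && preg_match('/^[\p{L}\p{N}\s.,;:()\-]*$/u', $descricao) === 1;
}

$db = makeDb();
$benign  = 'visita domiciliar';
$hostile = "x' OR '1'='1";   // constructed input containing a quote character

// Unsafe path: the quote closes the literal and the rest becomes SQL, so the
// WHERE clause no longer filters on the description at all.
printf("unsafe/benign : %d row(s)\n", count(findByDescricaoUnsafe($db, $benign)));
printf("unsafe/hostile: %d row(s)\n", count(findByDescricaoUnsafe($db, $hostile)));

// Safe path: the same string is compared literally as a description value.
printf("safe/benign   : %d row(s)\n", count(findByDescricaoSafe($db, $benign)));
printf("safe/hostile  : %d row(s)\n", count(findByDescricaoSafe($db, $hostile)));

// The allow-list check rejects the quote-bearing value before any query runs.
printf("validate(hostile): %s\n", validateDescricao($hostile) ? 'accept' : 'reject');
```

Run it with `php example.php` (requires the pdo_sqlite extension). The point to take from the two counts is that the prepared statement needs no escaping logic: the value is never part of the SQL text, so the parameter cannot alter the statement regardless of its content. The validation function is additional, and the advisory's remaining recommendations (a least-privilege database account for the web application, and review of query logs for statements that do not match the application's expected shapes) limit blast radius and aid detection rather than closing the injection itself.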

Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-09-26T16:25:25.151Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68ded8e1d3babf1bddf68a25

Added to database: 10/2/2025, 7:56:17 PM

Last enriched: 10/2/2025, 7:56:29 PM

Last updated: 10/2/2025, 8:40:30 PM
