CVE-2025-61665 is a vulnerability classified under CWE-287 (Improper Authentication) and CWE-200 (Information Exposure) found in WeGIA, an open source web management system tailored for charitable institutions. The flaw exists in versions 3.4.12 and earlier, specifically in the get_relatorios_socios.php endpoint, which handles reports related to members. Due to broken access control, this endpoint does not enforce authentication or authorization checks, allowing any unauthenticated attacker to retrieve sensitive personal and financial information of members. The vulnerability is remotely exploitable over the network without any user interaction or privileges, making it highly accessible to attackers. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:L/SA:N) highlights that the attack requires no authentication, has low complexity, and results in high confidentiality impact with limited integrity and availability impact. Although no known exploits are currently reported in the wild, the severity and ease of exploitation make it a critical threat. The vendor has addressed this issue in version 3.5.0 by implementing proper authentication and authorization controls on the vulnerable endpoint. Organizations running affected versions should prioritize upgrading and reviewing access controls to prevent unauthorized data disclosure.

For European organizations, this vulnerability poses a significant risk to the confidentiality of sensitive personal and financial data of members managed through WeGIA. Given the focus on charitable institutions, the exposure of donor and beneficiary information could lead to privacy violations, reputational damage, and regulatory penalties under GDPR and other data protection laws. Unauthorized data access could also facilitate identity theft, fraud, or targeted phishing attacks. The lack of authentication requirements means attackers can exploit this remotely without any credentials, increasing the likelihood of exploitation. The impact is particularly severe for organizations that rely heavily on WeGIA for managing sensitive stakeholder information. Additionally, the breach of trust could undermine donor confidence and affect funding. The vulnerability does not directly impact system integrity or availability but the confidentiality breach alone warrants urgent remediation.

European organizations should immediately upgrade WeGIA to version 3.5.0 or later, where the vulnerability is fixed. Until upgrade is possible, restrict network access to the get_relatorios_socios.php endpoint using firewall rules or web application firewalls (WAFs) to block unauthenticated requests. Conduct thorough access control audits on all endpoints handling sensitive data to ensure proper authentication and authorization mechanisms are in place. Implement logging and monitoring to detect any unusual access patterns to sensitive reports. Educate staff about the risks and ensure incident response plans are updated to handle potential data breaches. If feasible, perform penetration testing to verify that no unauthorized access is possible post-mitigation. Finally, review data retention policies to minimize the amount of sensitive data stored and ensure compliance with GDPR requirements.