CVE-2025-32969
published 2025-04-23


Priority: P1 (91)
Severity: Critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploited in the wild (VulnCheck KEV)
EPSS: 79.49% (99.6th percentile)
XWiki is a generic wiki platform. In versions starting from 1.8 and prior to 15.10.16, 16.4.6, and 16.10.1, a remote unauthenticated user can escape from the HQL execution context and perform a blind SQL injection to execute arbitrary SQL statements on the database backend. This works even when the "Prevent unregistered users from viewing pages, regardless of the page rights" and "Prevent unregistered users from editing pages, regardless of the page rights" options are enabled. Depending on the database backend in use, the attacker may be able not only to obtain confidential information such as password hashes from the database, but also to execute UPDATE/INSERT/DELETE queries. This issue has been patched in versions 16.10.1, 16.4.6 and 15.10.16. There is no known workaround other than upgrading XWiki.

Affected

6 ranges

Vendor   Product          Version range          Fixed in
xwiki    xwiki            >= 1.8, < 15.10.16     15.10.16
xwiki    xwiki            >= 16.0.0, < 16.4.6    16.4.6
xwiki    xwiki            >= 16.5.0, < 16.10.1   16.10.1
xwiki    xwiki-platform   (not listed)           (not listed)
xwiki    xwiki-platform   (not listed)           (not listed)
xwiki    xwiki-platform   (not listed)           (not listed)
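The three version ranges above map onto a simple triage check. The following is an added example, not code from XWiki or from this page's sources: it parses an XWiki version string and reports which fixed release (if any) the instance should be upgraded to. Version strings with a pre-release suffix (for example "16.4.6-rc-1") are an assumption about XWiki's naming; the suffix is stripped, so a release candidate compares as its final version, which may under-report.

```python
# Affected ranges as listed in the table above:
# (inclusive lower bound, exclusive upper bound); the upper bound is the fix.
AFFECTED_RANGES = [
    ("1.8", "15.10.16"),
    ("16.0.0", "16.4.6"),
    ("16.5.0", "16.10.1"),
]


def parse_version(v):
    """Turn '16.10.1' (or '16.4.6-rc-1', suffix assumed) into a comparable tuple.

    The pre-release suffix is dropped (assumption), so '16.4.6-rc-1' compares
    equal to '16.4.6'; treat such results as 'probably fixed', not certain.
    """
    core = v.strip().split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def vulnerable_range(version):
    """Return the fixed version the instance should move to, or None if outside
    every affected range (already fixed, or older than 1.8)."""
    t = parse_version(version)
    for lower, upper in AFFECTED_RANGES:
        if parse_version(lower) <= t < parse_version(upper):
            return upper
    return None


def triage(versions):
    """Map each inventory version to its required fix (None = not affected)."""
    return {v: vulnerable_range(v) for v in versions}


if __name__ == "__main__":
    # Constructed inventory, not real hosts.
    for version, fix in triage(["14.10", "15.10.15", "16.4.6", "16.10.0", "16.10.1"]).items():
        print(f"{version:>10}: {'upgrade to ' + fix if fix else 'not in an affected range'}")
```

Note the gaps between ranges: 16.4.7 (if it existed) would fall outside all three ranges, as the table states only the listed ranges as affected.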

Detection & IOCs (extracted from sources)

URL: /rest/wikis/xwiki/query?q=where%20doc.name=length(%27a%27)*org.apache.logging.log4j.util.Chars.SPACE%20or%201%3C%3E%271%5C%27%27%20union%20select%201,2,3,sleep(7)%20%23%27&type=hql&distinct=0
  • Detect exploitation attempts by monitoring GET requests to /rest/wikis/xwiki/query with a 'type=hql' parameter and SQL injection patterns (e.g., UNION SELECT, sleep(), comment sequences) in the 'q' parameter.
  • A successful exploitation response will return HTTP 200, contain both 'WikiManager' and '<?xml' in the body, and exhibit a response duration >= 7 seconds (time-based blind SQLi via sleep(7)).
  • The vulnerability is exploitable by unauthenticated (remote, no credentials) users even when the 'Prevent unregistered users from viewing pages' and 'Prevent unregistered users from editing pages' options are enabled.
  • Identify XWiki instances exposed on the internet using the Shodan fingerprint 'html:"data-xwiki-reference"' or the FOFA fingerprint 'body="data-xwiki-reference"' for attack surface enumeration.
  • The PoC payload leverages 'org.apache.logging.log4j.util.Chars.SPACE' as a Java class reference within the HQL context to escape the query boundary. This is specific to XWiki's HQL execution engine and may not trigger standard SQL injection signatures.
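The detection guidance above can be turned into a log-based check. The following is an added example, not code from this page's sources or from XWiki: it runs over a few constructed access-log lines (nginx combined format with an assumed `rt=<seconds>` upstream-time field appended), percent-decodes the `q` parameter, and flags requests to the REST query endpoint with `type=hql` that carry UNION SELECT, time-delay functions, comment sequences, or the PoC's `org.apache.logging.log4j.util.Chars` reference. A hit with HTTP 200 and a response time of at least 7 seconds is classed as a likely success; the body check ('<?xml' and 'WikiManager') is not possible from an access log and is left to a proxy or WAF.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed log format (constructed for this example): nginx "combined" log with
# the upstream response time appended as rt=<seconds>.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) rt=(?P<rt>[\d.]+)\s*$'
)

# Injection patterns named in the detection guidance, plus the Java class
# reference the PoC uses to escape the HQL context.
SQLI_PATTERNS = {
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "time_delay": re.compile(r"\b(?:sleep|pg_sleep|benchmark)\s*\(|waitfor\s+delay", re.I),
    "comment_seq": re.compile(r"--|#|/\*"),
    "hql_escape": re.compile(r"org\.apache\.logging\.log4j\.util\.Chars\.", re.I),
}

SLEEP_SECONDS = 7.0  # the PoC's sleep(7)

# Constructed sample log lines (not from a real system). Line 1 is the PoC
# request from above, line 2 a benign HQL query, line 3 a failed attempt,
# line 4 unrelated traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [23/Apr/2025:10:01:05 +0000] "GET /rest/wikis/xwiki/query?q=where%20doc.name=length(%27a%27)*org.apache.logging.log4j.util.Chars.SPACE%20or%201%3C%3E%271%5C%27%27%20union%20select%201,2,3,sleep(7)%20%23%27&type=hql&distinct=0 HTTP/1.1" 200 1843 rt=7.412
198.51.100.4 - - [23/Apr/2025:10:01:09 +0000] "GET /rest/wikis/xwiki/query?q=where%20doc.space%3D%27Main%27&type=hql HTTP/1.1" 200 2210 rt=0.041
203.0.113.7 - - [23/Apr/2025:10:01:12 +0000] "GET /rest/wikis/xwiki/query?q=where%20doc.name%3D%27x%27%20union%20select%201,sleep(7)%20--%20&type=hql HTTP/1.1" 500 312 rt=0.087
192.0.2.9 - - [23/Apr/2025:10:01:20 +0000] "GET /bin/view/Main/ HTTP/1.1" 200 9120 rt=0.120
"""


def analyze_line(line):
    """Return a finding dict for a suspicious HQL query request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = urlsplit(m["target"])
    # The REST query endpoint is /rest/wikis/<wiki>/query; other paths are ignored.
    if not re.fullmatch(r"/rest/wikis/[^/]+/query", target.path):
        return None
    params = parse_qs(target.query)  # values are percent-decoded here
    if params.get("type", [""])[0].lower() != "hql":
        return None
    q = params.get("q", [""])[0]
    hits = [name for name, rx in SQLI_PATTERNS.items() if rx.search(q)]
    if not hits:
        return None
    status = int(m["status"])
    rt = float(m["rt"])
    # HTTP 200 plus a delay of at least sleep(7) is the success signature from
    # the guidance above; anything else is recorded as an attempt.
    verdict = "likely-success" if status == 200 and rt >= SLEEP_SECONDS else "attempt"
    return {
        "ip": m["ip"], "ts": m["ts"], "status": status, "rt": rt,
        "patterns": hits, "verdict": verdict, "q": q,
    }


def scan(log_text):
    """Run analyze_line over every non-empty line and return the findings."""
    return [f for f in (analyze_line(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} status={f['status']} rt={f['rt']}s "
              f"{f['verdict']} patterns={','.join(f['patterns'])}")
```

Decoding before matching matters: the PoC arrives with `%23` for `#` and `%20` for spaces, so a signature applied to the raw request line without percent-decoding misses the comment sequence and may miss `union select` as well.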

CVSS provenance

NVD, CVSS v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v4.0: 9.3 CRITICAL, CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
VulnCheck: 9.3 CRITICAL