XWiki-Platform - SQLi (CVE-2025-32429)

CVE-2025-32429 is a critical SQL injection vulnerability in XWiki Platform versions 9.4-rc-1 through 16.10.5 and 17.0.0-rc-1 through 17.2.2, where the 'sort' parameter in getdeleteddocuments.vm is improperly handled. This flaw allows remote attackers to inject arbitrary SQL code, potentially leading to unauthorized data access, data manipulation, or full compromise of the underlying database.

CrowdSec has been tracking this vulnerability and its exploits since 10th of September 2025.

Data from the CrowdSec community indicates that exploitation of CVE-2025-32429 is highly selective and intelligence-driven. Threat actors use advanced reconnaissance and carefully choose their targets, often as part of sophisticated campaigns or advanced persistent threat operations. CrowdSec data also reveals a clear uptick in attacks involving CVE-2025-32429 over the past week. Activity is above the usual baseline, suggesting growing attention from attackers. This may reflect rising awareness, recent exploit releases, or expanded targeting efforts.

Attackers exploit the /xwiki/rest/liveData/sources/liveTable/entries endpoint by injecting malicious SQL statements into the sort parameter, often using the sourceParams.template=getdeleteddocuments.vm query string to trigger the vulnerability.