XWiki-Platform - SQLi (CVE-2025-32429)

CVE-2025-32429 is a critical SQL injection vulnerability in XWiki Platform versions 9.4-rc-1 through 16.10.5 and 17.0.0-rc-1 through 17.2.2, where the 'sort' parameter in getdeleteddocuments.vm is improperly handled. This flaw allows remote attackers to inject arbitrary SQL code, potentially leading to unauthorized data access, data manipulation, or full compromise of the underlying database.

CrowdSec has been tracking this vulnerability and its exploits since 10th of September 2025.

Data from the CrowdSec community indicates that exploitation of CVE-2025-32429 is highly selective and intelligence-driven. Threat actors use advanced reconnaissance and carefully choose their targets, often as part of sophisticated campaigns or advanced persistent threat operations. In addition, according to the CrowdSec network, attack volume against CVE-2025-32429 has dipped slightly compared to the previous week. Although still commonly targeted, the decline suggests a cooling-off period. Long-term relevance remains, but attention is waning.

Attackers exploit the /xwiki/rest/liveData/sources/liveTable/entries endpoint by injecting malicious SQL statements into the sort parameter, often using the sourceParams.template=getdeleteddocuments.vm query string to trigger the vulnerability.