XWiki-Platform - SQLi (CVE-2025-32969)

CVE-2025-32969 is a critical vulnerability in XWiki that allows remote, unauthenticated attackers to perform blind SQL injection attacks, even when strict access controls are enabled. Exploiting this flaw could let attackers execute arbitrary SQL statements on the backend database, potentially exposing sensitive data such as password hashes or modifying and deleting database records. This issue affects XWiki versions from 1.8 up to but not including 15.10.16, 16.4.6, and 16.10.1, and poses a significant risk of data breach and system compromise.

CrowdSec has been tracking this vulnerability and its exploits since 3rd of September 2025.

Data from the CrowdSec community indicates that exploitation of CVE-2025-32969 is highly selective and intelligence-driven. Threat actors use advanced reconnaissance and carefully choose their targets, often as part of sophisticated campaigns or advanced persistent threat operations. CrowdSec network telemetry also shows that exploitation of CVE-2025-32969 has significantly declined over the past week. Attack volumes are well below the long-term average, suggesting attackers are rapidly losing interest. The vulnerability appears to be falling out of active use across most threat landscapes.

Attackers exploit the /rest/wikis/xwiki/query endpoint by injecting malicious SQL through the q parameter, often using payloads with union select or time-based functions like sleep() to manipulate backend queries and exfiltrate data.