xwiki-platform - SQLi (CVE-2025-32969)

CVE-2025-32969 is a critical vulnerability in XWiki that allows remote, unauthenticated attackers to perform blind SQL injection attacks, even when strict access controls are enabled. Exploiting this flaw could let attackers execute arbitrary SQL statements on the backend database, potentially exposing sensitive data such as password hashes or modifying and deleting database records. This issue affects XWiki versions from 1.8 up to but not including 15.10.16, 16.4.6, and 16.10.1, and poses a significant risk of data breach and system compromise.

CrowdSec has been tracking this vulnerability and its exploits since 3rd of September 2025.

CrowdSec network observations suggest that most exploitation of CVE-2025-32969 involves focused reconnaissance to identify viable targets. Attackers typically tailor their campaigns based on system exposure and configuration. It is unlikely that a given attack is accidental. CrowdSec data also reveals a clear uptick in attacks involving CVE-2025-32969 over the past week. Activity is above the usual baseline, suggesting growing attention from attackers. This may reflect rising awareness, recent exploit releases, or expanded targeting efforts.

Attackers exploit the /rest/wikis/xwiki/query endpoint by injecting malicious SQL through the q parameter, often using payloads with union select or time-based functions like sleep() to manipulate backend queries and exfiltrate data.