XWiki-Platform - Open Redirect (CVE-2025-32970)

CVE-2025-32970 is an open redirect vulnerability in XWiki Platform versions 13.5-rc-1 through 15.10.12, 16.0.0-rc-1 through 16.4.3, and 16.5.0-rc-1 through 16.7.9, which allows attackers to craft URLs that redirect users to arbitrary external sites. This flaw could be exploited for phishing attacks or to trick users into visiting malicious websites. The issue has been addressed in versions 15.10.13, 16.4.4, and 16.8.0.

CrowdSec has been tracking this vulnerability and its exploits since 3rd of September 2025.

Data from the CrowdSec community indicates that exploitation of CVE-2025-32970 is highly selective and intelligence-driven. Threat actors use advanced reconnaissance and carefully choose their targets, often as part of sophisticated campaigns or advanced persistent threat operations. Data from the CrowdSec community also indicates a gradual decrease in attacks targeting CVE-2025-32970. While still present in the wild, exploitation levels have dropped noticeably week-over-week. This may signal that the vulnerability is becoming less relevant or that defenses are improving fast enough for attackers to lose interest.

Attackers exploit the XWiki WYSIWYG API by sending requests to URLs containing /xwiki/bin/view/Main/ with a crafted xerror parameter set to an external URL, enabling open redirect attacks. This technique is used to redirect users to malicious sites, often as part of phishing campaigns.