XWiki-Platform - Open Redirect (CVE-2025-32970)

CVE-2025-32970 is an open redirect vulnerability in XWiki Platform versions 13.5-rc-1 through 15.10.12, 16.0.0-rc-1 through 16.4.3, and 16.5.0-rc-1 through 16.7.9, which allows attackers to craft URLs that redirect users to arbitrary external sites. This flaw could be exploited for phishing attacks or to trick users into visiting malicious websites. The issue has been addressed in versions 15.10.13, 16.4.4, and 16.8.0.

CrowdSec has been tracking this vulnerability and its exploits since 3rd of September 2025.

Based on data from the CrowdSec network, nearly all observed exploitation of CVE-2025-32970 is fully opportunistic, with attackers indiscriminately scanning the entire internet. These attacks are automated and lack any form of target selection or reconnaissance. CrowdSec network telemetry also shows that exploitation of CVE-2025-32970 has significantly declined over the past week. Attack volumes are well below the long-term average, suggesting attackers are rapidly losing interest. The vulnerability appears to be falling out of active use across most threat landscapes.

Attackers exploit the XWiki WYSIWYG API by sending requests to URLs containing /xwiki/bin/view/Main/ with a crafted xerror parameter set to an external URL, enabling open redirect attacks. This technique is used to redirect users to malicious sites, often as part of phishing campaigns.