CrowdSec
5/10CrowdSec Score

XWiki-Platform - Information Disclosure (CVE-2025-46554)

Published on30-04-2025
First seen on04-09-2025
Public ExploitCVSS 5.3/10XWiki - XWiki-Platform

204Exploiting IPs reported

XWiki is a generic wiki platform. In versions starting from 1.8.1 to before 14.10.22, from 15.0-rc-1 to before 15.10.12, from 16.0.0-rc-1 to before 16.4.3, and from 16.5.0-rc-1 to before 16.7.0, anyone can access the metadata of any attachment in the wiki using the wiki attachment REST endpoint. There is no filtering for the results depending on current user rights, meaning an unauthenticated user could exploit this even in a private wiki. This issue has been patched in versions 14.10.22, 15.10.12, 16.4.3, and 16.7.0.

CrowdSec analysis

CVE-2025-46554 is a vulnerability in XWiki that allows unauthenticated users to access metadata of any attachment via the REST endpoint, regardless of user permissions. This flaw could enable attackers to gather sensitive information about files stored in private wikis, potentially aiding in further targeted attacks or reconnaissance.

CrowdSec has been tracking this vulnerability and its exploits since 3rd of September 2025.

CrowdSec network observations suggest that most exploitation of CVE-2025-46554 involves focused reconnaissance to identify viable targets. Attackers typically tailor their campaigns based on system exposure and configuration. It is unlikely that a given attack is accidental. Data from the CrowdSec community also indicates a gradual decrease in attacks targeting CVE-2025-46554. While still present in the wild, exploitation levels have dropped noticeably week-over-week. This may signal that the vulnerability is becoming less relevant or that defenses are improving fast enough for attackers to lose interest.

Attackers exploit this vulnerability by sending unauthenticated GET requests to REST API endpoints containing /rest/wikis/xwiki/spaces/ or /xwiki/rest/wikis/xwiki/spaces/ followed by /attachments, allowing them to enumerate and access metadata of attachments stored in XWiki.

Exploitation

Get real-time information about exploitation attempts and actors involved.

Detected IPs

Discover the IPs that targeted this vulnerability across the CrowdSec Network.

Protection

Find out relevant information to protect your stack against this CVE.

Blocklist

With our advanced worldwide network detection, CrowdSec can provide a list of IPs known for exploiting the vulnerability.

To increase your protection against this CVE, block exploitation attempts with this list of identified actors.

References