XWiki-Platform - SQLi (CVE-2025-52472)

CVE-2025-52472 is a critical vulnerability in XWiki Platform versions 4.3-milestone-1 through 17.4.1 and 16.10.8, where the REST search URL is susceptible to HQL injection via the orderField parameter. This flaw could allow remote attackers to manipulate database queries, potentially leading to unauthorized data access or modification. Although exploitation is somewhat complex due to the parameter's use in multiple query locations, successful attacks could compromise the integrity and confidentiality of the XWiki instance.

CrowdSec has been tracking this vulnerability and its exploits since 26th of November 2025.

CrowdSec network observations suggest that most exploitation of CVE-2025-52472 involves focused reconnaissance to identify viable targets. Attackers typically tailor their campaigns based on system exposure and configuration. It is unlikely that a given attack is accidental. Additionally, according to week-over-week analysis by CrowdSec, exploitation of CVE-2025-52472 is surging. Attack volumes are spiking well above historical norms, indicating widespread and escalating interest from threat actors. CVE-2025-52472 is currently experiencing high visibility and active exploitation across the internet.

Attackers exploit the XWiki REST API endpoint /xwiki/rest/wikis/xwiki/search by injecting malicious HQL statements into the orderField parameter, enabling unauthorized query execution and potential data extraction or remote code execution.