XWiki-Platform - SQLi (CVE-2025-52472)

CVE-2025-52472 is a critical vulnerability in XWiki Platform versions 4.3-milestone-1 through 17.4.1 and 16.10.8, where the REST search URL is susceptible to HQL injection via the orderField parameter. This flaw could allow remote attackers to manipulate database queries, potentially leading to unauthorized data access or modification. Although exploitation is somewhat complex due to the parameter's use in multiple query locations, successful attacks could compromise the integrity and confidentiality of the XWiki instance.

CrowdSec has been tracking this vulnerability and its exploits since 26th of November 2025.

Data from the CrowdSec community indicates that exploitation of CVE-2025-52472 is highly selective and intelligence-driven. Threat actors use advanced reconnaissance and carefully choose their targets, often as part of sophisticated campaigns or advanced persistent threat operations. Data from the CrowdSec community also indicates a gradual decrease in attacks targeting CVE-2025-52472. While still present in the wild, exploitation levels have dropped noticeably week-over-week. This may signal that the vulnerability is becoming less relevant or that defenses are improving fast enough for attackers to lose interest.

Attackers exploit the XWiki REST API endpoint /xwiki/rest/wikis/xwiki/search by injecting malicious HQL statements into the orderField parameter, enabling unauthorized query execution and potential data extraction or remote code execution.