XWiki-Platform - Credentials Disclosure (CVE-2025-54125)
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In XWiki Platform Legacy Old Core and XWiki Platform Old Core versions 1.1 through 16.4.6, 16.5.0-rc-1 through 16.10.4 and 17.0.0-rc-1 through 17.1.0, the XML export of a page, which any user with view rights on that page can trigger by appending ?xpage=xml to its URL, includes password and email properties stored on the document whose property names are not password or email. This is fixed in versions 16.4.7, 16.10.5 and 17.2.0-rc-1. As a workaround, the file templates/xml.vm in the deployed WAR can be deleted if the XML export isn't needed; no feature of XWiki itself depends on it.
CrowdSec analysis
CVE-2025-54125 is a high-severity vulnerability in XWiki Platform that allows any user with view rights to export sensitive information, such as passwords and emails stored under non-standard property names, by appending ?xpage=xml to a page URL. This flaw could be exploited by attackers to harvest confidential user data, potentially leading to further compromise or targeted attacks.
CrowdSec has been tracking this vulnerability and its exploits since 3 September 2025.
Based on data from the CrowdSec network, nearly all observed exploitation of CVE-2025-54125 is fully opportunistic, with attackers indiscriminately scanning the entire internet. These attacks are automated and show no target selection or reconnaissance. Telemetry from the CrowdSec network also shows that exploitation activity for CVE-2025-54125 remains steady week over week. Attack volumes are consistent with long-term trends, indicating sustained interest from threat actors. CVE-2025-54125 continues to be an active part of the threat landscape and will likely remain so for the foreseeable future.
Attackers exploit this vulnerability by sending GET requests to user profile endpoints such as /bin/view/XWiki/<username>?xpage=xml or /xwiki/bin/view/XWiki/<username>?xpage=xml, which return XML data containing sensitive user information.
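As an added detection example (not CrowdSec's or XWiki's code), the following Python scans web-server access-log lines for the request pattern described above, percent-decoding the path and parameter names so that encoded variants are still matched. The log lines and IP addresses are constructed, and the combined-log regex is an assumption about your log format.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in Apache/nginx combined log format (not real telemetry).
SAMPLE_LOG = """\
203.0.113.10 - - [03/Sep/2025:10:01:02 +0000] "GET /xwiki/bin/view/XWiki/Admin?xpage=xml HTTP/1.1" 200 4812 "-" "python-requests/2.31"
203.0.113.10 - - [03/Sep/2025:10:01:03 +0000] "GET /bin/view/XWiki/JohnDoe?xpage=XML HTTP/1.1" 200 3120 "-" "python-requests/2.31"
198.51.100.7 - - [03/Sep/2025:10:05:44 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 9911 "-" "Mozilla/5.0"
198.51.100.7 - - [03/Sep/2025:10:06:01 +0000] "GET /xwiki/bin/view/Sandbox/WebHome?xpage=plain HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
203.0.113.10 - - [03/Sep/2025:10:07:15 +0000] "GET /xwiki/bin/view/XWiki/%41dmin?%78page=xml HTTP/1.1" 200 4812 "-" "curl/8.0"
"""

# Assumed log format: combined log format; adjust the regex for other formats.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

def is_xml_export_request(target: str) -> bool:
    """True when a request asks XWiki to render a document through the xml template."""
    parts = urlsplit(target)
    # Decode the path and parameter names the way the servlet container does.
    if "/bin/view/" not in unquote(parts.path):
        return False
    params = parse_qs(parts.query, keep_blank_values=True)
    return any(v.lower() == "xml" for v in params.get("xpage", []))

def scan_log(text: str) -> list[dict]:
    """Return one record per XML-export request found in the log text."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or not is_xml_export_request(m["target"]):
            continue
        doc = unquote(urlsplit(m["target"]).path).split("/bin/view/", 1)[1]
        hits.append({
            "ip": m["ip"],
            "document": doc,
            "status": int(m["status"]),
            # User profile documents live in the XWiki space, where the
            # password and email properties described above are stored.
            "user_profile": doc.startswith("XWiki/"),
        })
    return hits

def successful_exporters(hits: list[dict]) -> set[str]:
    """Source IPs whose XML export requests were served with HTTP 200."""
    return {h["ip"] for h in hits if h["status"] == 200}
```

Because the template is rendered for any document, a hit on a page outside the XWiki space still indicates probing; the user_profile flag just marks the requests most likely to disclose account properties.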
Blocklist
With our advanced worldwide network detection, CrowdSec can provide a list of IPs known for exploiting the vulnerability.
To increase your protection against this CVE, block exploitation attempts with this list of identified actors.