CVE-2025-27603
Published: 07 March 2025
Summary
CVE-2025-27603 is a critical-severity Eval Injection (CWE-95) vulnerability. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 44.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the vulnerability by requiring timely patching to version 1.2.0, which fixes the unescaped translation flaw in the Migration Page template.
Mandates output filtering and encoding for user-supplied content in translations and templates to block arbitrary code injection during page creation.
Requires validation of inputs to the Migration Page template to detect and reject malicious payloads that could exploit the unescaped translation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability provides arbitrary code execution via code injection in a web application template, directly enabling exploitation for privilege escalation (bypassing programming rights) and use of command/scripting interpreters for execution.
NVD Description
XWiki Confluence Migrator Pro helps admins to import confluence packages into their XWiki instance. A user that doesn't have programming rights can execute arbitrary code due to an unescaped translation when creating a page using the Migration Page template. This…
more
vulnerability is fixed in 1.2.0.
Deeper analysisAI
CVE-2025-27603 is a high-severity arbitrary code execution vulnerability (CWE-95) in the XWiki Confluence Migrator Pro application, which assists administrators in importing Confluence packages into XWiki instances. The flaw arises from an unescaped translation when creating a page using the Migration Page template, allowing code injection. It affects versions prior to 1.2.0 and carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).
An authenticated user without programming rights can exploit this vulnerability over the network with low complexity and no user interaction required. By creating a page via the Migration Page template and injecting malicious content into the unescaped translation, the attacker achieves arbitrary code execution with high-impact confidentiality, integrity, and availability consequences across a changed scope.
The vulnerability is addressed in version 1.2.0 of XWiki Confluence Migrator Pro. Official advisories and the fixing commit are available on the project's GitHub repository at https://github.com/xwikisas/application-confluence-migrator-pro/security/advisories/GHSA-6qvp-39mm-95v8 and https://github.com/xwikisas/application-confluence-migrator-pro/commit/36cef2271bd429773698ca3a21e47b6d51d6377d. Security practitioners should upgrade immediately and review access to the Migration Page template.
Details
- CWE(s)