CVE-2025-27604
Published: 07 March 2025
Summary
CVE-2025-27604 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Xwiki Confluence Migrator. Its CVSS base score is 7.5 (High).
Operationally, exploitation maps to the MITRE ATT&CK sub-technique Data from Information Repositories: Confluence (T1213.001). The CVE is ranked in the top 30.6% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-22 (Publicly Accessible Content).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-22 (Publicly Accessible Content): requires review and approval of publicly accessible content, so that Confluence packages containing sensitive data are not exposed on the application's homepage to unauthenticated guests.
- Implements protections for information accessible from public web servers, preventing unauthorized downloads of sensitive Confluence packages.
- AC-14 (Permitted Actions Without Identification or Authentication): limits the actions permitted without identification or authentication, blocking guest access to package downloads on the public homepage.
MITRE ATT&CK Enterprise Techniques
- T1213.001 Data from Information Repositories: Confluence
Why these techniques?
The vulnerability exposes Confluence packages (which may contain sensitive data) through the unauthenticated homepage of the Confluence Migrator Pro app, directly enabling adversaries to collect data from Confluence information repositories without any credentials.
NVD Description
XWiki Confluence Migrator Pro helps admins to import Confluence packages into their XWiki instance. The homepage of the application is public, which enables a guest to download the package, which might contain sensitive information. This vulnerability is fixed in 1.11.7.
Deeper analysis
CVE-2025-27604 is a vulnerability in the XWiki Confluence Migrator Pro application, which helps administrators import Confluence packages into XWiki instances. The issue arises because the application's homepage is publicly accessible, so unauthenticated guests can download uploaded packages that may contain sensitive information (page content, attachments and user data exported from Confluence). The flaw is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and was published on 2025-03-07.
Any unauthenticated attacker with network access to the wiki can exploit the issue with low complexity and no user interaction: a plain GET against the public homepage is enough to reach the package download. The result is a high confidentiality impact, with no integrity or availability impact.
The vulnerability is fixed in version 1.11.7 of XWiki Confluence Migrator Pro. Until the upgrade is applied, removing guest (unauthenticated) view access to the application's homepage closes the download path, in line with the AC-14 control noted above. Details are available in the GitHub security advisory at https://github.com/xwikisas/application-confluence-migrator-pro/security/advisories/GHSA-3w9f-2pph-j5vc and the corresponding fixing commit at https://github.com/xwikisas/application-confluence-migrator-pro/commit/6ced42b1f341fd0ce6734fc58c7d694da5f365fb.
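The two checks a practitioner would run against an instance are a version comparison against the 1.11.7 fix and an unauthenticated probe of the application's homepage. The script below is an added example written for this page; it is not code from the XWiki project or the advisory. The homepage path `/xwiki/bin/view/ConfluenceMigratorPro/` is an assumption about the app's wiki space name and should be adjusted to match the instance; the version strings in the demo are constructed.

```python
"""Audit helper for CVE-2025-27604 (added example, not XWiki project code).

Check 1: is the installed Confluence Migrator Pro version older than 1.11.7?
Check 2: does an unauthenticated GET to the app's homepage succeed?  A 200
         means guests can still reach the package download, whatever the
         version string says.
"""
import re
import urllib.error
import urllib.request
from typing import Callable, Tuple

FIXED_VERSION = (1, 11, 7)  # from the advisory: fixed in 1.11.7
# ASSUMED wiki space/page for the app's homepage; not stated in the advisory.
ASSUMED_HOMEPAGE_PATH = "/xwiki/bin/view/ConfluenceMigratorPro/"

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(.*)$")


def parse_version(version: str) -> Tuple[Tuple[int, ...], bool]:
    """Return (numeric components padded to at least 3, is_final_release).

    A trailing qualifier such as '-SNAPSHOT' or '-rc-1' marks a pre-release,
    which sorts before the bare release, so '1.11.7-rc-1' is older than 1.11.7.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    if len(nums) < 3:
        nums += (0,) * (3 - len(nums))
    return nums, m.group(2) == ""


def is_vulnerable_version(version: str) -> bool:
    """True when the installed version predates the 1.11.7 fix."""
    nums, is_final = parse_version(version)
    if nums < FIXED_VERSION:
        return True
    # 1.11.7-SNAPSHOT / 1.11.7-rc-N may have been built before the fix landed.
    return nums == FIXED_VERSION and not is_final


def classify_guest_response(status: int) -> str:
    """Map the HTTP status of an unauthenticated GET to an exposure verdict."""
    if status == 200:
        return "EXPOSED: guest can render the homepage and reach the download"
    if status in (401, 403):
        return "OK: guest denied"
    if status in (301, 302, 303, 307, 308):
        return "LIKELY OK: guest redirected (confirm it is to the login page)"
    return f"UNKNOWN: unexpected status {status}"


def probe_guest_access(base_url: str, fetch: Callable[[str], int]) -> str:
    """Issue one unauthenticated GET to the assumed homepage and classify it.

    `fetch` takes a URL and returns the HTTP status; inject a fake for offline
    use, or pass urllib_status below for a live check.
    """
    url = base_url.rstrip("/") + ASSUMED_HOMEPAGE_PATH
    return classify_guest_response(fetch(url))


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Refuse to follow redirects so a login bounce is reported as 30x, not as
    # the 200 of the login page it lands on.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def urllib_status(url: str) -> int:
    """Live fetcher: no cookies or credentials are sent, only the status matters."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code


if __name__ == "__main__":
    # Constructed offline demo: a fake fetcher standing in for an instance
    # that still serves the homepage to guests.
    for v in ("1.11.6", "1.11.7-rc-1", "1.11.7", "1.12"):
        print(f"{v:12s} vulnerable={is_vulnerable_version(v)}")
    print(probe_guest_access("https://wiki.example.org", lambda url: 200))
```

For a live check replace the lambda with `urllib_status`; anything other than a denial or a redirect to the login page for the guest request means the AC-14 gap is still open, even on an upgraded instance whose rights were later loosened.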
Details
- CWE(s)