Cyber Resilience

CVE-2025-29926

HighPublic PoC

Published: 19 March 2025

Published
19 March 2025
Modified
13 May 2025
KEV Added
Patch
CVSS Score v4 7.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0146 81.2th percentile
Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-29926 is a high-severity Improper Authorization (CWE-285) vulnerability in Xwiki Xwiki. Its CVSS base score is 7.9 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 18.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

XWiki Platform is affected by an authorization vulnerability in its WikiManager REST API prior to versions 15.10.15, 16.4.6, and 16.10.0. The flaw stems from missing authorization checks (CWE-285 and CWE-862) that allow any user to invoke the API and instantiate a new wiki. The affected component is an optional extension that must be installed manually through the extension manager and is not present in the default XWiki Standard distribution.

An unauthenticated or low-privileged attacker can exploit the issue over the network to create a wiki, elevate themselves to administrator of that wiki, and then leverage the new instance to conduct further attacks against the broader XWiki farm. The CVSS 4.0 score of 7.9 reflects the combination of network attack vector, low complexity, and high subsequent impact on scope, integrity, and availability.

The official XWiki security advisory and the linked GitHub commit indicate that the issue is resolved by upgrading the REST module to one of the three patched releases; administrators are advised to apply the update or remove the WikiManager REST extension if it is not required. The associated EPSS values remain low throughout the observation window and exhibit no material increase after disclosure.

EU & UK References

Vulnerability details

XWiki Platform is a generic wiki platform. Prior to 15.10.15, 16.4.6, and 16.10.0, any user can exploit the WikiManager REST API to create a new wiki, where the user could become an administrator and so performs other attacks on the…

more

farm. Note that this REST API is not bundled in XWiki Standard by default: it needs to be installed manually through the extension manager. The problem has been patched in versions 15.10.15, 16.4.6 and 16.10.0 of the REST module.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is a missing authorization flaw in a public-facing WikiManager REST API, directly enabling remote unauthenticated exploitation to create wikis and gain admin privileges.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-29924Same product: Xwiki Xwiki
CVE-2025-54385Same product: Xwiki Xwiki
CVE-2025-32429Same product: Xwiki Xwiki
CVE-2025-24893Same product: Xwiki Xwiki
CVE-2026-33229Same product: Xwiki Xwiki
CVE-2025-53836Same product: Xwiki Xwiki
CVE-2025-55747Same product: Xwiki Xwiki
CVE-2025-23025Same product: Xwiki Xwiki
CVE-2025-53835Same product: Xwiki Xwiki
CVE-2025-51991Same product: Xwiki Xwiki

Affected Assets

xwiki
xwiki
5.4 · 5.4.1 — 15.10.15 · 16.0.0 — 16.4.6 · 16.5.0 — 16.10.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces approved authorizations in the WikiManager REST API to block unauthorized wiki creation and subsequent administrator privilege escalation by any user.

prevent

Requires timely identification, reporting, and patching of the improper authorization flaw to fixed REST module versions (15.10.15, 16.4.6, 16.10.0), eliminating the vulnerability.

prevent

Employs least privilege to restrict unauthenticated users from gaining unnecessary administrator rights on newly created wikis within the XWiki farm.

References