Cyber Resilience

CVE-2025-32429

Severity: Critical
Published: 24 July 2025
Modified: 03 September 2025
CVSS v4 Score: 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.3491 (97.1th percentile)
Risk Priority: 40 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-32429 is a critical-severity SQL Injection (CWE-89) vulnerability in Xwiki Xwiki. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 2.9% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Deeper analysis

XWiki Platform versions 9.4-rc-1 through 16.10.5 and 17.0.0-rc-1 through 17.2.2 contain a SQL injection vulnerability (CWE-89) in the getdeleteddocuments.vm template. The sort parameter is concatenated directly into an ORDER BY clause without sanitization or parameterization, allowing arbitrary SQL to be supplied through this input.

An unauthenticated remote attacker can exploit the flaw over the network by supplying a malicious sort value in a request to the affected template. Successful exploitation grants full control over the database query, enabling extraction, modification, or deletion of data and potentially leading to complete compromise of the confidentiality, integrity, and availability of the XWiki instance.

The vulnerability is resolved in XWiki 16.10.6 and 17.3.0-rc-1. Official patches are documented in the GitHub security advisory GHSA-vr59-gm53-v7cq and the linked commits that introduce proper parameterization of the ORDER BY clause; administrators are advised to upgrade promptly.
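The flaw described above is an ORDER BY injection: a column name or sort expression cannot be bound as a query parameter the way a literal value can, so splicing the user-supplied sort value into the SQL text hands control of the query to the caller. The following Python/sqlite3 sketch is an added example, not XWiki's code or its fix (the advisory describes the fix as proper parameterization of the clause); it contrasts a builder with the same concatenation defect against a hardened builder that maps the sort key onto an allowlist of known columns and directions. The table, column names and sort values are constructed for the example.

```python
import re
import sqlite3

# Constructed sample schema standing in for a deleted-documents table (not XWiki's schema).
SCHEMA = """
CREATE TABLE deleted_docs (fullname TEXT, deleter TEXT, date INTEGER);
INSERT INTO deleted_docs VALUES ('Main.WebHome', 'alice', 3),
                                ('Sandbox.Test', 'bob',   1),
                                ('Docs.Guide',   'carol', 2);
"""

# Allowlist: user-facing sort key -> real column. Anything else is rejected.
SORTABLE = {"fullname": "fullname", "deleter": "deleter", "date": "date"}
DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def build_query_vulnerable(sort: str) -> str:
    """Mirrors the defect: the sort parameter is spliced into ORDER BY as-is."""
    return "SELECT fullname FROM deleted_docs ORDER BY " + sort


def build_query_hardened(sort: str) -> str:
    """Validate 'sort' (e.g. 'date desc') against the allowlist before use.

    ORDER BY identifiers cannot be bound as query parameters, so the raw
    string is never echoed into the SQL text; only allowlisted column and
    direction tokens reach the query.
    """
    m = re.fullmatch(r"\s*([A-Za-z_]+)(?:\s+(asc|desc))?\s*", sort, re.IGNORECASE)
    if not m or m.group(1).lower() not in SORTABLE:
        raise ValueError(f"unsupported sort key: {sort!r}")
    column = SORTABLE[m.group(1).lower()]
    direction = DIRECTIONS[(m.group(2) or "asc").lower()]
    return f"SELECT fullname FROM deleted_docs ORDER BY {column} {direction}"


def list_deleted(sort: str) -> list[str]:
    """Run the hardened query against the in-memory sample table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    rows = conn.execute(build_query_hardened(sort)).fetchall()
    conn.close()
    return [r[0] for r in rows]


if __name__ == "__main__":
    print(list_deleted("date desc"))
    for bad in ("date, 1", "date desc, deleter"):
        try:
            build_query_hardened(bad)
        except ValueError as e:
            print("rejected:", e)
```

The vulnerable builder is shown only to make the contrast visible; it is never executed against the database.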

The associated EPSS score reached a peak of 0.3813 after disclosure before settling at 0.3491, indicating a clear rise in observed exploitation interest following public release of the CVE.

Vulnerability details

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 9.4-rc-1 through 16.10.5 and 17.0.0-rc-1 through 17.2.2, it's possible for anyone to inject SQL using the parameter sort of the getdeleteddocuments.vm. It's injected as is as an ORDER BY value. This is fixed in versions 16.10.6 and 17.3.0-rc-1.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Unauthenticated remote SQL injection in public-facing XWiki web application directly matches exploitation of public-facing apps (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-54385 (same product: Xwiki Xwiki)
CVE-2025-29924 (same product: Xwiki Xwiki)
CVE-2025-29926 (same product: Xwiki Xwiki)
CVE-2025-24893 (same product: Xwiki Xwiki)
CVE-2025-55747 (same product: Xwiki Xwiki)
CVE-2025-53836 (same product: Xwiki Xwiki)
CVE-2026-33229 (same product: Xwiki Xwiki)
CVE-2025-53835 (same product: Xwiki Xwiki)
CVE-2025-51991 (same product: Xwiki Xwiki)
CVE-2025-23025 (same product: Xwiki Xwiki)

Affected Assets

xwiki / xwiki: 9.4 — 16.10.6 · 17.0.0 — 17.2.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent: Directly prevents SQL injection by requiring validation and sanitization of the user-supplied 'sort' parameter before its use in the database ORDER BY clause.

prevent: Remediates the vulnerability by identifying, testing, and deploying the vendor patch that fixes the unsanitized injection in getdeleteddocuments.vm.

detect: Identifies the SQL injection flaw through vulnerability scanning, enabling proactive patching before exploitation.