News

Positive Technologies helps fix vulnerabilities in XWiki, a generic wiki platform

PT SWARM experts Alexey Solovyov and Evgeny Kopytin have identified three vulnerabilities in XWiki, an open-source platform used by companies to create wiki sites.1 Exploiting these security flaws could allow attackers to steal employee data or block access to the system, disrupting business operations. The vendor was notified of the vulnerabilities under a responsible disclosure policy and released an update.

1 A wiki site is a website that enables users to quickly gather and share ideas by creating simple pages and linking them to one another.

Vulnerability PT-2025-30704 (CVE-2025-32429, BDU: 2025-09129) received a critical severity score of 9.3 out of 10 on the CVSS 4.0 scale. The two other flaws were assigned the identifier PT-2025-31942² (CVE-2025-32430, BDU: 2025-06941) and received a score of 6.5.

Threat intelligence from Positive Technologies suggests that at least 21,000 devices running XWiki worldwide may be vulnerable. Most of them are located in Germany (26%), the U.S. (19%), France (18%), Hong Kong (6%), and Russia (5%).

2 The vulnerabilities are listed on the dbugs portal, which aggregates data on software and hardware flaws from vendors around the world.

Exploiting vulnerability PT-2025-30704 would crash XWiki, disrupting workflows and potentially damaging client and partner trust. Restoring access to data would require extra resources. Meanwhile, the flaws under PT-2025-31942 could allow an attacker to launch a social engineering attack3 to execute arbitrary code on the server with administrator rights and gain persistence. This would grant the attacker access to confidential data and allow them to move laterally within the corporate network to attack employee workstations and internal servers. Users must update XWiki to the latest version immediately to stay protected.

3 A social engineering attack is a type of cyberattack in which attackers manipulate user behavior to gain access to a system or data.

"By sending a specific HTTP request without authentication, an attacker could exploit incomplete input sanitization to perform SQL (HQL) injection.4 However, CVE-2025-32429 is not a standard vulnerability, as XWiki's architecture limited its impact. An attacker could flood the database with HTTP requests containing a sleep command, overloading XWiki and causing a denial of service."

Alexey Solovyov, Head of Web Application Security Analysis at Positive Technologies
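As an added example (not part of the press release and not code from Positive Technologies or XWiki), the following Python scans constructed web-server access-log lines for the pattern described above: repeated unauthenticated requests carrying a time-delay (sleep-style) injection payload. The /xwiki/... paths, the query parameter name and the list of delay functions are assumptions for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample access-log lines (combined log format). The paths and
# payload shapes are assumptions for illustration, not taken from the advisory.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jan/2025:10:00:01 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 4201
203.0.113.10 - - [01/Jan/2025:10:00:02 +0000] "GET /xwiki/bin/get/Main/Search?text=a%27%20AND%20sleep(10)%3D0%20--%20 HTTP/1.1" 200 88
203.0.113.10 - - [01/Jan/2025:10:00:02 +0000] "GET /xwiki/bin/get/Main/Search?text=a%27%20AND%20sleep(10)%3D0%20--%20 HTTP/1.1" 200 88
203.0.113.10 - - [01/Jan/2025:10:00:03 +0000] "GET /xwiki/bin/get/Main/Search?text=a%27%20AND%20SLEEP(10)%3D0%20--%20 HTTP/1.1" 200 88
198.51.100.7 - alice [01/Jan/2025:10:00:05 +0000] "GET /xwiki/bin/get/Main/Search?text=sleep HTTP/1.1" 200 88
198.51.100.7 - alice [01/Jan/2025:10:00:06 +0000] "GET /xwiki/bin/get/Main/Search?text=1%20or%20pg_sleep(5)%3E0 HTTP/1.1" 200 88
"""

# Combined log format: ip, ident, auth user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Time-delay primitives an injected HQL/SQL fragment would rely on (assumed list; extend per backend).
DELAY_RE = re.compile(r"\b(?:pg_sleep|sleep|benchmark)\s*\(|\bwaitfor\s+delay\b", re.I)


def is_delay_injection(target):
    """True if the URL-decoded request target contains a time-delay call."""
    return bool(DELAY_RE.search(unquote_plus(target)))


def suspicious_requests(lines):
    """Yield (ip, user, target) for every request carrying a delay payload."""
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_delay_injection(m["target"]):
            yield m["ip"], m["user"], m["target"]


def flood_sources(lines, threshold=3, unauthenticated_only=True):
    """Count delay-injection requests per source IP; return sources at or above threshold."""
    counts = Counter()
    for ip, user, _ in suspicious_requests(lines):
        if unauthenticated_only and user != "-":
            continue  # '-' in the auth field means no authenticated user
        counts[ip] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for ip, n in flood_sources(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {n} unauthenticated time-delay injection requests")
```

The threshold separates a single probing request from the request flood that produces the denial of service; tune it to the site's normal traffic.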

According to Evgeny Kopytin, successful exploitation of PT-2025-31942 required a user to click a specific link, leading to the execution of malicious JavaScript code in their browser. This Cross-Site Scripting (XSS) attack allows an attacker to escalate privileges in XWiki. If the victim was an administrator, attackers could read and edit confidential company data. They could also execute arbitrary code on the server, for example, replacing corporate page addresses with links to phishing websites to steal employee credentials. If the XWiki server was located on the company's local network, the attacker could expand the attack to other devices.

Similar vulnerabilities appear in various solutions with complex architectures and extensive feature sets. Earlier in 2025, PT SWARM specialists Alexey Solovyov and Yan Chizhevsky discovered vulnerabilities PT-2024-5669 to PT-2024-5691 in NetCat CMS, which also involved SQL injection and Cross-Site Scripting. Specialized tools are needed to secure the large number of components in active development.

Advanced NTA (NDR) systems, such as PT Network Attack Discovery (PT NAD), detect attempts to exploit such vulnerabilities, while PT NGFW blocks such attacks. Security flaws can be detected at the product development stage using a static code analyzer like PT Application Inspector. Web application firewalls like PT Application Firewall (also available in the cloud version: PT Cloud Application Firewall) are also effective at blocking exploitation attempts.

For up-to-date security information, visit the dbugs portal, which aggregates vulnerability data and vendor recommendations for software and hardware from vendors around the world.

4 An SQL (HQL) injection is an attack in which a threat actor uses a snippet of malicious HQL code to inject SQL commands. This can allow the attacker to gain access to confidential information.