
CVE-2025-32429: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in xwiki xwiki-platform

Critical
Tags: Vulnerability, CVE-2025-32429, CWE-89
Published: Thu Jul 24 2025 (07/24/2025, 22:22:35 UTC)
Source: CVE Database V5
Vendor/Project: xwiki
Product: xwiki-platform

Description

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 9.4-rc-1 through 16.10.5 and 17.0.0-rc-1 through 17.2.2, it's possible for anyone to inject SQL using the parameter sort of the getdeleteddocuments.vm. It's injected as is as an ORDER BY value. This is fixed in versions 16.10.6 and 17.3.0-rc-1.

AI-Powered Analysis

Last updated: 07/24/2025, 23:02:59 UTC

Technical Analysis

CVE-2025-32429 is a critical SQL injection vulnerability in XWiki Platform, a generic wiki platform that provides runtime services for applications built on top of it. Affected versions are 9.4-rc-1 through 16.10.5 and 17.0.0-rc-1 through 17.2.2. The flaw is improper neutralization of special elements in the 'sort' parameter of the getdeleteddocuments.vm endpoint: the parameter is inserted as-is into an SQL ORDER BY clause, without validation or sanitization, so an unauthenticated attacker can change the structure of the query. Because the injection point is the ORDER BY clause, crafted input can alter query execution, potentially extracting sensitive data, modifying database contents, or causing denial of service by disrupting normal database operations. No authentication or user interaction is required, so the issue is exploitable remotely over the network. The CVSS 4.0 score of 9.3 (critical) reflects the high impact on confidentiality, integrity, and availability combined with the ease of exploitation. The issue is fixed in versions 16.10.6 and 17.3.0-rc-1, which add proper input validation and sanitization to prevent injection. No exploits in the wild have been reported so far, but the severity and ease of exploitation make this a significant threat to any organization running a vulnerable version of XWiki Platform.

Potential Impact

For European organizations using affected versions of XWiki Platform, this vulnerability poses a severe risk. Successful exploitation could lead to unauthorized data disclosure, including sensitive corporate or personal information stored in the wiki databases. Data integrity could be compromised by unauthorized modifications or deletions, potentially disrupting business processes reliant on accurate documentation. Availability impacts could arise from crafted queries causing database crashes or resource exhaustion, leading to denial of service. Given that XWiki is often used for internal knowledge management, the breach could facilitate lateral movement within networks or provide attackers with footholds for further attacks. The lack of authentication requirement increases the attack surface, allowing external threat actors to target exposed XWiki instances directly. This is particularly concerning for sectors with strict data protection regulations such as GDPR, where data breaches can result in significant legal and financial penalties. Additionally, organizations in critical infrastructure, government, and research sectors using XWiki may face heightened risks due to the strategic value of their information.

Mitigation Recommendations

European organizations should immediately assess their XWiki Platform deployments to identify affected versions. Upgrading to versions 16.10.6 or later (including 17.3.0-rc-1 and beyond) is the primary and most effective mitigation. Where immediate upgrade is not feasible, organizations should implement strict network-level access controls to restrict access to the vulnerable endpoint, such as IP whitelisting or VPN-only access. Web application firewalls (WAFs) with custom rules to detect and block suspicious SQL injection patterns in the 'sort' parameter can provide temporary protection. Regularly monitoring logs for unusual query parameters or database errors related to getdeleteddocuments.vm is recommended to detect potential exploitation attempts. Additionally, organizations should conduct security audits and penetration testing focused on SQL injection vectors within their XWiki instances. Backup and recovery procedures should be reviewed and tested to ensure rapid restoration in case of data compromise. Finally, educating developers and administrators about secure coding practices and input validation can help prevent similar vulnerabilities in custom extensions or future versions.
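To make the vulnerable pattern and its fix concrete, here is an added Python example; it is not XWiki's code, and the table, column names, request paths and log lines are constructed for illustration. It contrasts concatenating the sort parameter into ORDER BY (the pattern the analysis above describes) with an allowlist lookup that maps the parameter to a fixed column and direction, and reuses that same allowlist to scan access-log lines for requests to getdeleteddocuments.vm whose sort value is not a plain column reference, which is one way to do the log monitoring recommended above.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlparse

# Allowlist mapping the externally visible sort keys to real column names.
# Table and column names are constructed for this example, not XWiki's schema.
ALLOWED_SORT_COLUMNS = {
    "fullName": "full_name",
    "date": "deleted_at",
    "deleter": "deleter",
}
# A sort key is one allowlisted identifier, optionally followed by asc/desc; nothing else.
_SORT_RE = re.compile(r"^(?P<col>[A-Za-z_]+)(?:\s+(?P<dir>asc|desc))?$", re.IGNORECASE)

BASE_QUERY = "SELECT full_name, deleted_at FROM deleted_docs ORDER BY "


def vulnerable_order_by(sort):
    """The pattern the advisory describes: the parameter lands in ORDER BY verbatim."""
    return BASE_QUERY + sort


def safe_order_by(sort):
    """Translate a user-supplied sort key into a fixed SQL fragment, or raise ValueError.

    Only values matching the allowlist are accepted, so no user-controlled text
    ever reaches the SQL string; the column name comes from our own mapping.
    """
    m = _SORT_RE.match(sort.strip())
    if not m or m.group("col") not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"rejected sort parameter: {sort!r}")
    column = ALLOWED_SORT_COLUMNS[m.group("col")]
    direction = (m.group("dir") or "asc").upper()
    return f"{BASE_QUERY}{column} {direction}"


def is_valid_sort(sort):
    """True if the value would be accepted by safe_order_by, False otherwise."""
    try:
        safe_order_by(sort)
    except ValueError:
        return False
    return True


def demo_sorted_listing(sort="date desc"):
    """Run the hardened query against an in-memory table of constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE deleted_docs (full_name TEXT, deleted_at TEXT, deleter TEXT)")
    conn.executemany(
        "INSERT INTO deleted_docs VALUES (?, ?, ?)",
        [("Main.Old", "2025-01-02", "alice"),
         ("Main.Newer", "2025-03-04", "bob"),
         ("Sandbox.Tmp", "2025-02-03", "alice")],
    )
    return [row[0] for row in conn.execute(safe_order_by(sort))]


def scan_access_log(lines):
    """Flag requests for getdeleteddocuments.vm whose sort value fails the allowlist.

    Expects Common Log Format lines; returns (client, decoded_sort_value) pairs.
    Checking against the allowlist rather than a list of attack signatures
    catches any non-identifier value regardless of SQL dialect or encoding.
    """
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) < 8:
            continue
        target = parts[6]  # the request path inside "METHOD path HTTP/x"
        if "getdeleteddocuments.vm" not in target:
            continue
        for raw in parse_qs(urlparse(target).query).get("sort", []):
            if not is_valid_sort(raw):
                findings.append((parts[0], raw))
    return findings


# Constructed sample log lines; the request paths are placeholders, not real XWiki URLs.
SAMPLE_LOG = [
    '10.0.0.5 - - [24/Jul/2025:22:30:01 +0000] "GET /example/getdeleteddocuments.vm?sort=date%20desc HTTP/1.1" 200 1834',
    '10.0.0.9 - - [24/Jul/2025:22:30:07 +0000] "GET /example/getdeleteddocuments.vm?sort=deleted_at%20desc%2C%28select%201%29 HTTP/1.1" 200 1834',
    '10.0.0.5 - - [24/Jul/2025:22:30:09 +0000] "GET /example/Main/WebHome HTTP/1.1" 200 9000',
]

if __name__ == "__main__":
    print(demo_sorted_listing("date desc"))
    print(scan_access_log(SAMPLE_LOG))
```

The second log line is flagged because its decoded sort value contains a comma and parentheses, which no allowlisted column reference can; the same `safe_order_by` function is the fix in application code and the oracle for the log scan, so the two never drift apart.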


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-04-08T10:54:58.367Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 6882b80ead5a09ad00464500

Added to database: 7/24/2025, 10:47:42 PM

Last enriched: 7/24/2025, 11:02:59 PM

Last updated: 7/25/2025, 5:22:20 PM
