CVE-2025-52472: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in xwiki xwiki-platform
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting in version 4.3-milestone-1 and prior to versions 16.10.9, 17.4.2, and 17.5.0, the REST search URL is vulnerable to HQL injection via the `orderField` parameter. The specified value is added twice in the query, though, once in the field list for the select and once in the order clause, so it's not that easy to exploit. The part of the query between the two fields can be enclosed in single quotes to effectively remove them, but the query still needs to remain valid with the query two times in it. This has been patched in versions 17.5.0, 17.4.2, and 16.10.9. No known workarounds are available.
AI Analysis
Technical Summary
CVE-2025-52472 is a critical injection vulnerability in the XWiki Platform, a widely used generic wiki platform that provides runtime services for applications built on top of it. It is classified as CWE-89 (SQL injection), although the injected language is HQL (Hibernate Query Language). Affected versions run from 4.3-milestone-1 up to, but not including, 16.10.9, and from 17.0.0-rc-1 up to, but not including, 17.4.2. The flaw is in the REST search URL's orderField parameter, whose value is inserted into the HQL query without proper neutralization, and inserted twice: once in the select field list and once in the order clause. The dual insertion complicates exploitation because an injected payload must keep the query syntactically valid at both positions; the advisory notes that the text between the two insertion points can be enclosed in single quotes so that it is treated as a string literal, but the resulting query still has to parse with the value present twice. Despite this constraint, an unauthenticated remote attacker can execute arbitrary HQL, potentially leading to unauthorized data access, modification, or deletion. The vulnerability is patched in versions 16.10.9, 17.4.2, and 17.5.0. The CVSS 4.0 base score is 9.3 (critical): network attack vector, low attack complexity, no privileges or user interaction required, and high impact on confidentiality, integrity, and availability. No exploitation in the wild has been reported and no workarounds are available, so timely patching is the only effective remediation.
Potential Impact
The impact of CVE-2025-52472 on European organizations is significant because the vulnerability is critical and XWiki Platform is widely deployed in enterprise and public sector environments. Successful exploitation can lead to unauthorized disclosure of sensitive information, data tampering, or complete compromise of the wiki's data, without authentication or user interaction. Consequences include data breaches, loss of intellectual property, disruption of business operations, and reputational damage. Because the platform is typically used for collaboration and documentation, an attacker who gains access to its data may also use it as a foothold for further movement within the network or for persistence. European organizations that rely on XWiki for internal knowledge management or customer-facing portals are particularly exposed. The absence of known exploits in the wild currently provides a window for proactive defense, but the critical CVSS score and the ease of remote exploitation make urgent remediation necessary.
Mitigation Recommendations
To mitigate CVE-2025-52472, organizations should immediately upgrade affected XWiki Platform instances to version 16.10.9, 17.4.2, or 17.5.0, where the vulnerability is patched. Since no workarounds exist, patching is the primary defense. Organizations should also audit their deployment configurations to ensure that the REST API endpoints are not unnecessarily exposed to untrusted networks. Where a web application firewall (WAF) is in place, add rules that reject search requests whose orderField parameter is not a plain field name (for example, values containing quotes, commas, spaces or parentheses). Log and monitor REST API access so that anomalous orderField values and failed search queries can be identified as possible exploitation attempts. Review and restrict the permissions of users and services that interact with the XWiki platform to limit the damage a successful attack could do. Regularly update and test incident response plans to cover exploitation of this vulnerability. Finally, train developers and administrators in secure coding and parameter validation practices so that similar injection flaws are not introduced in custom extensions or integrations.
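As an added detection example that is not part of the advisory and not XWiki's own code, the following script scans access-log lines for REST search requests and flags any orderField value that is not a plain (optionally dotted) field name; the log format, the REST search path and the allowed identifier pattern are assumptions, and the log lines are constructed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines in a common-log-like format (not real XWiki logs).
SAMPLE_LOG = """\
10.0.0.5 - - [06/Oct/2025:15:04:18 +0000] "GET /xwiki/rest/wikis/xwiki/search?q=test&orderField=doc.date HTTP/1.1" 200 512
10.0.0.7 - - [06/Oct/2025:15:04:20 +0000] "GET /xwiki/rest/wikis/xwiki/search?q=test&orderField=doc.date%27 HTTP/1.1" 500 87
10.0.0.9 - - [06/Oct/2025:15:04:25 +0000] "GET /xwiki/rest/wikis/xwiki/search?q=a&orderField=doc.name%2Cdoc.title HTTP/1.1" 200 640
10.0.0.5 - - [06/Oct/2025:15:04:30 +0000] "GET /xwiki/bin/view/Main/ HTTP/1.1" 200 2048
"""

# Assumption: a legitimate orderField is a dotted property path such as doc.date.
SAFE_ORDER_FIELD = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)*$")
# Assumed log layout: client, ident, user, [timestamp], "METHOD target protocol", status.
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def is_safe_order_field(value: str) -> bool:
    """True if value is a plain identifier path: no quotes, commas, spaces or parentheses."""
    return SAFE_ORDER_FIELD.fullmatch(value) is not None


def suspicious_order_fields(log_text: str) -> list:
    """Return (client_ip, status, decoded orderField) for REST search requests with a non-identifier orderField."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, _ts, _method, target, status = m.groups()
        parts = urlsplit(target)
        # Only the REST search endpoint (assumed path) carries the orderField parameter.
        if not parts.path.startswith("/xwiki/rest/") or not parts.path.endswith("/search"):
            continue
        for raw in parse_qs(parts.query, keep_blank_values=True).get("orderField", []):
            value = unquote(raw)  # parse_qs already decodes once; a second pass catches double-encoding
            if not is_safe_order_field(value):
                hits.append((ip, int(status), value))
    return hits


if __name__ == "__main__":
    for ip, status, value in suspicious_order_fields(SAMPLE_LOG):
        print(f"ALERT {ip} status={status} orderField={value!r}")
```

A 500 response on a flagged request is a useful secondary signal, since a value that breaks the query at either of its two insertion points will typically fail to parse.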
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-06-17T02:28:39.716Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68e3da725799e49c42c45190
Added to database: 10/6/2025, 3:04:18 PM
Last enriched: 10/6/2025, 3:04:44 PM
Last updated: 10/7/2025, 12:04:19 PM