CVE-2025-54385: CWE-20: Improper Input Validation in xwiki xwiki-platform
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 17.0.0-rc-1 through 17.2.2 and versions 16.10.5 and below, it is possible to execute any SQL query on an Oracle backend by calling functions such as DBMS_XMLGEN or DBMS_XMLQUERY. The XWiki#searchDocuments APIs pass queries directly to Hibernate without sanitization. Even when these APIs enforce a specific SELECT clause, attackers can still inject malicious code through HQL's native function support in other parts of the query (such as the WHERE clause). This is fixed in versions 16.10.6 and 17.3.0-rc-1.
AI Analysis
Technical Summary
CVE-2025-54385 is a high-severity vulnerability in XWiki Platform, a widely used generic wiki platform that provides runtime services for applications built on top of it. It is an improper input validation flaw (CWE-20) in the XWiki#searchDocuments family of scripting-API methods, which hand the caller's query to Hibernate without sanitization. Affected versions are 16.10.5 and below and 17.0.0-rc-1 through 17.2.2. The methods pin the SELECT clause, but HQL allows native database functions anywhere else in the query (directly by name or through the function() escape), and those calls reach the database unchanged. An attacker who controls the remainder of the query, for instance the WHERE clause, can therefore call Oracle packages such as DBMS_XMLGEN or DBMS_XMLQUERY, which execute the SQL string passed to them and return its result. That turns a constrained document search into execution of arbitrary SQL with the privileges of the XWiki database account: reading, modifying or deleting data in the XWiki schema and in anything else that account can reach. Only Oracle backends are affected, because the technique depends on those packages. The CVSS 4.0 base score is 8.6 (High): the attack is reachable over the network and needs no user interaction, but it requires high privileges, in practice an authenticated account allowed to author wiki scripts that call the API (so "without authentication" does not apply here). No exploitation in the wild has been reported. The issue is fixed in versions 16.10.6 and 17.3.0-rc-1.
Potential Impact
For European organizations, the impact of this vulnerability can be significant, especially for those relying on XWiki Platform for internal knowledge management, collaboration, or application runtime services. Exploitation could lead to unauthorized disclosure of sensitive corporate data, intellectual property theft, or data integrity violations. Given that the vulnerability allows execution of arbitrary SQL queries, attackers could exfiltrate confidential information, modify or delete critical data, or disrupt service availability. This could result in operational downtime, regulatory non-compliance (e.g., GDPR violations due to data breaches), reputational damage, and financial losses. Organizations in sectors with high regulatory scrutiny such as finance, healthcare, and government are particularly at risk. The lack of required user interaction and the ability to exploit remotely over the network further increase the threat level. Additionally, since the vulnerability requires high privileges, insider threats or compromised accounts could be leveraged to exploit this flaw, amplifying the risk.
Mitigation Recommendations
European organizations should prioritize upgrading affected XWiki Platform instances to 16.10.6 or to 17.3.0-rc-1 and later, where the vulnerability is fixed. Until the upgrade is applied, restrict who can author scripts on the wiki (script and programming rights) to a small set of trusted accounts, since the vulnerable API is reached from wiki scripts, and review existing pages for scripts that build searchDocuments queries from user-supplied input. Network segmentation and firewall rules should keep the XWiki instance away from untrusted networks. Enable query logging on the application side and auditing of DBMS_XMLGEN and DBMS_XMLQUERY calls on the Oracle side, and alert on any occurrence of those package names, or of HQL's function() escape, in queries issued by the wiki. A Web Application Firewall is of limited value for this flaw: the HQL is assembled server-side inside wiki scripts, so the HTTP layer rarely sees the injected clause; at most a WAF can flag page saves that contain those package names. Regular security audits and penetration testing focused on injection in custom or third-party XWiki extensions remain worthwhile. Finally, harden the Oracle side so that a successful injection is bounded: run XWiki under a dedicated schema account with no DBA-level privileges, and revoke the EXECUTE grant on SYS.DBMS_XMLGEN and SYS.DBMS_XMLQUERY from PUBLIC (Oracle grants it to PUBLIC by default), granting it back only to roles that genuinely need it. Test that revocation first, since other applications sharing the database may depend on those packages.
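As an added illustration, not code from XWiki or from its fix, the following Python sketch models the pattern the advisory describes (a fixed SELECT clause with the rest of the query concatenated in) and shows the two checks a practitioner would want: a defence-in-depth guard that refuses to dispatch a query reaching a native SQL-executing package or HQL's function() escape, and a scanner that applies the same check to already-logged query strings. The function names, the enforced SELECT clause and the sample WHERE clauses are constructed for this example; the package list beyond DBMS_XMLGEN and DBMS_XMLQUERY is an assumption.

```python
import re

# Oracle packages whose functions execute an SQL string handed to them. DBMS_XMLGEN and
# DBMS_XMLQUERY are the two named in the advisory; DBMS_XMLSAVE is an assumption added
# for illustration. Extend the set for your own environment.
DANGEROUS_PACKAGES = frozenset({"DBMS_XMLGEN", "DBMS_XMLQUERY", "DBMS_XMLSAVE"})

# HQL keywords that can be followed by "(" but are not function calls.
_NOT_FUNCTIONS = frozenset({"IN", "EXISTS", "NOT", "AND", "OR", "WHERE", "SELECT", "FROM"})

_STRING_LITERAL = re.compile(r"'(?:''|[^'])*'")
_CALL = re.compile(r"\b([A-Za-z_][\w$]*(?:\.[A-Za-z_][\w$]*)?)\s*\(")

# Fixed SELECT clause, as in the advisory: the caller only supplies the rest of the query.
# (Constructed for this example; not XWiki's actual query text.)
_ENFORCED_SELECT = "select doc.fullName from XWikiDocument as doc where "


def build_search_query(where_clause):
    """Vulnerable pattern: the SELECT clause is fixed, the WHERE clause is concatenated."""
    return _ENFORCED_SELECT + where_clause


def function_calls(hql):
    """Upper-cased names of every function/package call in an HQL string.

    String literals are blanked first so that a quoted 'DBMS_XMLGEN' inside a harmless
    literal is not reported, and so that function('name', ...) cannot hide its real
    target inside a literal: the escape itself is what we see and judge.
    """
    blanked = _STRING_LITERAL.sub("''", hql)
    return [m.group(1).upper() for m in _CALL.finditer(blanked)
            if m.group(1).upper() not in _NOT_FUNCTIONS]


def dangerous_calls(hql):
    """Calls that let the database run attacker-chosen SQL from inside this query."""
    hits = []
    for name in function_calls(hql):
        package = name.split(".")[0]
        # function(...) is HQL's pass-through to any native DB function; its target is a
        # string literal we cannot resolve statically, so treat the escape as dangerous.
        if package in DANGEROUS_PACKAGES or name == "FUNCTION":
            hits.append(name)
    return hits


def is_safe_where(where_clause):
    """True when the assembled query reaches no dangerous native function."""
    return not dangerous_calls(build_search_query(where_clause))


def guarded_search(where_clause):
    """Defence-in-depth guard (an assumption for this example, not XWiki's fix):
    refuse to dispatch a query whose non-SELECT part reaches a dangerous function."""
    hql = build_search_query(where_clause)
    hits = dangerous_calls(hql)
    if hits:
        raise ValueError("refusing query: native SQL execution via " + ", ".join(hits))
    return hql


def scan_queries(queries):
    """Retrospective check over logged query strings: (index, hits) for each flagged one."""
    flagged = []
    for i, q in enumerate(queries):
        hits = dangerous_calls(q)
        if hits:
            flagged.append((i, hits))
    return flagged


# Constructed sample WHERE clauses (not taken from any real XWiki log).
BENIGN_WHERE = "doc.space in (:spaces) and doc.creationDate > :since and lower(doc.title) like :t"
# Injected clause: Oracle evaluates the inner SQL string while filtering rows.
INJECTED_WHERE = "doc.space = 'Main' or DBMS_XMLGEN.GETXML('select 1 from dual') is not null"
# Same idea through HQL's generic escape; the target package name sits inside a literal.
INJECTED_VIA_FUNCTION = "function('DBMS_XMLQUERY.GETXML', 'select 1 from dual') is not null"
# The package name only appears inside a quoted literal: harmless, must not be flagged.
LITERAL_ONLY = "doc.title = 'DBMS_XMLGEN.GETXML(1)'"

if __name__ == "__main__":
    for w in (BENIGN_WHERE, INJECTED_WHERE, INJECTED_VIA_FUNCTION, LITERAL_ONLY):
        try:
            print("ok       ", guarded_search(w))
        except ValueError as e:
            print("blocked  ", e)
    print(scan_queries([build_search_query(w) for w in (BENIGN_WHERE, INJECTED_WHERE)]))
```

This is a denylist and should be treated as such: it knows nothing about Oracle synonyms, other SQL-executing packages, or whatever your dialect maps unknown names to, so it is useful for triaging existing wiki scripts and query logs, not as a replacement for the upgrade. The real fix is to stop concatenating caller-controlled text into HQL at all and bind values through named parameters, which the benign clause above already does with :spaces, :since and :t.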
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-07-21T16:12:20.734Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68844fe2ad5a09ad005a5ad5
Added to database: 7/26/2025, 3:47:46 AM
Last enriched: 8/3/2025, 12:56:39 AM
Last updated: 8/7/2025, 12:41:14 PM
Related Threats
- CVE-2025-8759: Use of Hard-coded Cryptographic Key in TRENDnet TN-200 (Medium)
- CVE-2025-8758: Least Privilege Violation in TRENDnet TEW-822DRE (High)
- CVE-2025-8757: Least Privilege Violation in TRENDnet TV-IP110WN (High)
- CVE-2025-8756: Improper Authorization in TDuckCloud tduck-platform (Medium)
- CVE-2025-7726: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Dream-Theme The7 — Website and eCommerce Builder for WordPress (Medium)