CVE-2025-54990 is a vulnerability identified in the XWiki AdminTools application-admintools component, specifically affecting versions prior to 1.1. The root cause is incorrect default permissions (CWE-276) that allow users without administrative privileges to access the AdminTools.SpammedPages page. Although these non-admin users cannot view any sensitive data on the page, the page itself remains accessible, which could potentially aid attackers in reconnaissance or information gathering about the system's administrative tools. The vulnerability is remotely exploitable without requiring authentication or user interaction, increasing its exposure risk. The issue was addressed and patched in version 1.1 by properly restricting view permissions to members of the XWikiAdminGroup only. As a temporary mitigation, administrators can manually restrict view rights on the AdminTools space to the XWikiAdminGroup. The CVSS v3.1 base score is 5.3, indicating a medium severity level primarily due to the confidentiality impact, with no effect on integrity or availability. No known exploits have been reported in the wild, but the vulnerability's presence in publicly accessible wiki instances could facilitate information disclosure or aid in further attacks if combined with other vulnerabilities.

For European organizations using XWiki with the AdminTools application-admintools component in versions prior to 1.1, this vulnerability poses a moderate risk. While direct data leakage is not evident, unauthorized access to the AdminTools.SpammedPages page could enable attackers or unauthorized users to gain insights into the administrative structure or spam management processes, potentially aiding in targeted attacks or social engineering campaigns. Organizations in sectors with strict data protection regulations, such as finance, healthcare, or government, may face compliance risks if unauthorized access leads to further exploitation. Additionally, publicly accessible XWiki instances used for collaboration or documentation could be targeted by attackers to gather intelligence. The vulnerability's remote and unauthenticated nature increases exposure, especially for organizations with externally facing wiki services. However, the lack of integrity or availability impact limits the potential for direct disruption or data manipulation.

European organizations should immediately upgrade the XWiki AdminTools application-admintools component to version 1.1 or later, where the vulnerability is patched. If immediate upgrading is not feasible, administrators must manually restrict the view rights of the AdminTools space to the XWikiAdminGroup to prevent unauthorized access. Regularly audit user permissions on wiki spaces to ensure no unintended access is granted. Implement network-level access controls to limit exposure of the XWiki instance to trusted users or internal networks where possible. Monitor access logs for unusual or unauthorized access attempts to the AdminTools.SpammedPages page. Incorporate this vulnerability into vulnerability management and patching cycles to ensure timely remediation. Additionally, educate administrators about the risks of default permissions and the importance of least privilege principles in wiki and collaboration platforms.