
CVE-2025-55727: CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') in xwikisas xwiki-pro-macros

Severity: Critical
Tags: Vulnerability, CVE-2025-55727, CWE-95
Published: Tue Sep 09 2025 (09/09/2025, 18:31:08 UTC)
Source: CVE Database V5
Vendor/Project: xwikisas
Product: xwiki-pro-macros

Description

XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Starting in version 1.0 and prior to version 1.26.5, missing escaping of the width parameter in the column macro allows remote code execution for any user who can edit any page or who can access the CKEditor converter. The width parameter is used without escaping in XWiki syntax, thus allowing XWiki syntax injection which enables remote code execution when the macro has been installed by a user with programming right, or it at least allows executing Velocity code as the wiki admin. Version 1.26.5 contains a patch for the issue.

AI-Powered Analysis

Last updated: 09/17/2025, 01:04:00 UTC

Technical Analysis

CVE-2025-55727 is a critical remote code execution vulnerability identified in the xwikisas xwiki-pro-macros product, specifically affecting versions from 1.0 up to but not including 1.26.5. The vulnerability arises from improper neutralization of directives in dynamically evaluated code, classified under CWE-95 (Eval Injection). The root cause is the lack of proper escaping of the 'width' parameter in the column macro of the XWiki Remote Macros, which are used to facilitate content migration from Confluence. This parameter is directly incorporated into XWiki syntax without sanitization, enabling an attacker who can edit any page or access the CKEditor converter to inject malicious XWiki syntax. When the macro is installed by a user with programming rights, this injection can lead to remote code execution (RCE). Even if programming rights are not present, the vulnerability allows execution of Velocity code with wiki admin privileges, which can lead to full system compromise. The vulnerability is exploitable over the network without authentication or user interaction, as indicated by the CVSS vector (AV:N/AC:L/PR:N/UI:N). The scope is changed (S:C), meaning the vulnerability can affect resources beyond the initially vulnerable component. The impact on confidentiality, integrity, and availability is total (C:H/I:H/A:H), justifying the maximum CVSS score of 10. The issue was patched in version 1.26.5 of xwiki-pro-macros. No known exploits have been reported in the wild yet, but the severity and ease of exploitation make this a critical threat that requires immediate attention.

Potential Impact

For European organizations using xwikisas xwiki-pro-macros, this vulnerability poses a severe risk. XWiki is widely used in enterprise collaboration, documentation, and knowledge management, often containing sensitive corporate data. Exploitation can lead to full system compromise, allowing attackers to execute arbitrary code, steal confidential information, alter or delete data, and disrupt business operations. The ability to execute code remotely without authentication means that attackers can leverage this vulnerability to infiltrate networks, potentially moving laterally to other systems. Given the collaborative nature of XWiki, the compromise could also facilitate supply chain attacks or insider threat scenarios. The impact is particularly critical for sectors with stringent data protection requirements such as finance, healthcare, government, and critical infrastructure within Europe. Additionally, the vulnerability could lead to violations of GDPR if personal data is exposed or manipulated, resulting in regulatory penalties and reputational damage.

Mitigation Recommendations

European organizations should immediately verify their use of xwikisas xwiki-pro-macros and identify affected versions (>=1.0 and <1.26.5). The primary mitigation is to upgrade to version 1.26.5 or later, where the vulnerability is patched. If immediate upgrade is not feasible, organizations should restrict editing permissions to trusted users only, especially limiting programming rights and access to the CKEditor converter. Implement strict input validation and sanitization controls on wiki content where possible. Network-level protections such as web application firewalls (WAFs) can be configured to detect and block suspicious payloads targeting the 'width' parameter in the column macro. Regular auditing of wiki pages and logs for unusual activity or unauthorized code injections is recommended. Organizations should also ensure that their incident response teams are prepared to detect and respond to potential exploitation attempts. Finally, monitoring public threat intelligence feeds for emerging exploits related to this CVE will help in proactive defense.


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-08-14T22:31:17.681Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68c0749c2bd84bebdc41b972

Added to database: 9/9/2025, 6:40:28 PM

Last enriched: 9/17/2025, 1:04:00 AM

Last updated: 10/29/2025, 9:41:51 AM

Views: 38

Community Reviews

0 reviews

