CVE-2025-55728 is a critical remote code execution (RCE) vulnerability affecting the xwiki-pro-macros component of the XWiki platform, specifically versions from 1.0 up to but not including 1.26.5. The vulnerability arises due to improper neutralization of directives in dynamically evaluated code, classified under CWE-95 (Eval Injection). The root cause is the lack of proper escaping of the 'classes' parameter in the 'panel' macro. This parameter is directly used in XWiki syntax without sanitization, enabling an attacker with edit permissions on any page to inject malicious XWiki syntax. This injection leads to arbitrary code execution on the server hosting the XWiki instance. The vulnerability requires no authentication (PR:N) and no user interaction (UI:N), making it trivially exploitable remotely over the network (AV:N). The CVSS v3.1 base score is 10.0, indicating maximum severity, with complete impact on confidentiality, integrity, and availability (C:H/I:H/A:H). Although no known exploits are currently reported in the wild, the ease of exploitation and critical impact make this a high-priority issue. The vendor has addressed the vulnerability in version 1.26.5 by implementing proper escaping of the 'classes' parameter to prevent syntax injection. Organizations running vulnerable versions of xwiki-pro-macros should upgrade immediately to mitigate this risk.

For European organizations using XWiki with the vulnerable xwiki-pro-macros versions, this vulnerability poses a severe risk. Successful exploitation allows attackers to execute arbitrary code on the server, potentially leading to full system compromise. This can result in data breaches, unauthorized data manipulation, service disruption, and lateral movement within the network. Given XWiki's use in collaborative environments, sensitive corporate or governmental information could be exposed or altered. The lack of authentication requirement means that any user with edit rights, which may be broadly granted in some organizations, can exploit this flaw. This increases the attack surface significantly. Additionally, the vulnerability's ability to compromise availability could disrupt critical business processes relying on XWiki for documentation or knowledge management. The critical severity and network exploitable nature make this a high-impact threat for European enterprises, especially those in regulated sectors like finance, healthcare, and government, where data integrity and confidentiality are paramount.

1. Immediate upgrade of xwiki-pro-macros to version 1.26.5 or later, where the vulnerability is patched. 2. Review and restrict edit permissions on XWiki pages to trusted users only, minimizing the number of accounts that can exploit this vulnerability. 3. Implement strict input validation and sanitization policies for any user-supplied parameters in XWiki macros, beyond the vendor patch, to reduce injection risks. 4. Monitor XWiki server logs for unusual syntax or code execution attempts, focusing on the usage of the 'classes' parameter in the panel macro. 5. Employ web application firewalls (WAFs) with custom rules to detect and block suspicious XWiki syntax injection patterns. 6. Conduct regular security audits and penetration tests on XWiki deployments to identify any residual or related vulnerabilities. 7. Isolate XWiki servers in segmented network zones with limited access to critical backend systems to contain potential compromises.