CVE-2025-55749 is an improper access control vulnerability (CWE-284) found in the XWiki platform, specifically in instances deploying the XWiki Jetty package (XJetty). The flaw exists in versions 16.7.0 through 16.10.10, 17.0.0-rc1 through 17.4.3, and 17.5.0 through 17.6.x, where a context is exposed that allows unauthenticated remote attackers to statically access any file located within the webapp/ directory of the deployed XWiki instance. This directory may contain sensitive files, including configuration files or credential stores, which can be read without any authentication or user interaction. The vulnerability arises due to insufficient access control checks on the exposed context, effectively bypassing intended security boundaries. The CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N) reflects that the attack can be performed remotely over the network with low complexity, no privileges, and no user interaction, resulting in a high confidentiality impact. While no known exploits have been reported in the wild, the ease of exploitation and potential for credential disclosure make this a critical risk. The issue was addressed by the XWiki development team in versions 16.10.11, 17.4.4, and 17.7.0 by restricting access to the webapp/ folder context and enforcing proper access controls.

For European organizations, this vulnerability poses a significant risk of unauthorized disclosure of sensitive information, including credentials and configuration files, which could lead to further compromise of internal systems or data breaches. Organizations relying on XWiki for internal documentation, knowledge management, or collaboration may face exposure of confidential business information or user credentials. The lack of authentication requirement means that any attacker with network access to the affected XWiki instance can exploit this vulnerability, increasing the attack surface. This can result in loss of confidentiality, potential lateral movement within networks, and compliance violations under GDPR due to unauthorized data exposure. The impact is particularly critical for sectors with stringent data protection requirements such as finance, healthcare, and government agencies in Europe.

European organizations should immediately verify if their XWiki installations are running affected versions (>=16.7.0 and <16.10.11, >=17.0.0-rc1 and <17.4.4, >=17.5.0 and <17.7.0) with the XJetty package. The primary mitigation is to upgrade to patched versions 16.10.11, 17.4.4, or 17.7.0 as soon as possible. If immediate upgrade is not feasible, organizations should restrict network access to the XWiki webapp, especially blocking untrusted external access to the XWiki Jetty service. Implementing web application firewalls (WAFs) with rules to block unauthorized access to the webapp/ directory can provide temporary protection. Additionally, auditing and rotating any credentials or secrets stored within the webapp/ folder is recommended to mitigate potential exposure. Regularly monitoring logs for unusual access patterns targeting the webapp/ folder can help detect exploitation attempts. Finally, organizations should review their XWiki deployment configurations to ensure minimal exposure of sensitive directories.