CVE-2025-55728

XWiki · XWiki Remote Macros extension

A critical remote code execution vulnerability has been identified in the XWiki Remote Macros extension, assigned CVE-2025-55728 with a CVSS score of 10.0.

Executive summary

CVE-2025-55728 is a critical (CVSS 10.0) remote code execution flaw in the XWiki Remote Macros extension. An unauthenticated attacker who can reach the wiki can take full control of the XWiki server with a single crafted request, because script injected through an unescaped macro parameter is executed when the page is rendered. Successful exploitation means total compromise of the host, theft of everything stored in the wiki, and significant operational disruption.

Vulnerability

The flaw is a remote code execution (RCE) vulnerability caused by improper input validation: the classes parameter of a rendering macro is inserted into the generated content without being sanitized or escaped. Because XWiki syntax is interpreted at render time, a remote attacker can place XWiki script macros (for example {{groovy}} or {{velocity}}) in this parameter and have the server evaluate them. Script macros run with the rights of the content author, not of the requester; when that author holds programming rights, which is the usual situation for an extension installed by an administrator, the injected Groovy runs unrestricted inside the XWiki JVM. That is what turns a missing escape into a complete compromise of the underlying server.

Business impact

This vulnerability is rated as critical severity with a CVSS score of 10.0, representing the highest possible risk. A successful exploit grants an attacker complete control over the XWiki server, allowing them to read, modify, or delete all data stored within the wiki, including sensitive corporate information, intellectual property, and user credentials. The attacker could also use the compromised server as a pivot point to attack other systems within the network, install ransomware, or exfiltrate data, leading to severe financial losses, reputational damage, and potential regulatory penalties.

Remediation

Immediate Action: Update the XWiki Remote Macros extension to version 1.26.5 or later, the fixed release published by the vendor; in XWiki this is done through the Extension Manager (Administration > Extensions), and the installed version should be confirmed afterwards. Patching closes the injection point but does not evict an attacker who already used it. Before and after the upgrade, review web server access logs and the XWiki application logs for requests carrying macro syntax in the classes parameter, and look for persistence that could have been planted through the compromised instance, such as new administrator accounts, modified wiki pages containing script macros, or unexpected Scheduler jobs.

Proactive Monitoring: Add monitoring of web server and application logs for unusual requests to XWiki pages that use remote macros. In particular, search the classes parameter for anything that is not a plain CSS class list: XWiki macro syntax such as {{groovy}}, {{velocity}} or a closing {{/...}}, Velocity directives beginning with $ or #, and URL-encoded or double-encoded forms of the same characters. On the host, alert on unexpected outbound connections from the XWiki process, on child processes spawned by the Java process that runs XWiki (a wiki server has no reason to launch a shell), and on unauthorized file modifications under the XWiki installation and permanent directories.
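As an added example, not code from XWiki, the extension, or the original advisory, the following Python script implements the log search described above over a few constructed access-log lines in combined log format. It assumes the classes value arrives as a query-string parameter on a GET request and that the path shown is a page rendering a remote macro; both are assumptions made for the example, not facts from the advisory. It applies an allowlist (a CSS class list contains only letters, digits, hyphens, underscores and spaces), URL-decodes values repeatedly so double encoding does not hide a payload, and names any XWiki macro it finds so that script macros can be triaged first.

```python
import re
import sys
from typing import List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (combined log format). This is NOT real
# traffic; the path and the use of `classes` as a query parameter are assumptions
# made for the example. Lines 2 and 3 carry XWiki macro syntax, line 3 double-encoded.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2025:12:00:01 +0000] "GET /xwiki/bin/view/Main/WebHome?classes=box%20info HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2025:12:00:05 +0000] "GET /xwiki/bin/view/Main/WebHome?classes=%7B%7Bgroovy%7D%7Dprintln(1)%7B%7B/groovy%7D%7D HTTP/1.1" 200 812 "-" "curl/8.4.0"
203.0.113.9 - - [10/Oct/2025:12:00:09 +0000] "GET /xwiki/bin/view/Main/WebHome?classes=%257B%257Bvelocity%257D%257D%2524request%257B%257B/velocity%257D%257D HTTP/1.1" 200 812 "-" "curl/8.4.0"
198.51.100.4 - - [10/Oct/2025:12:01:00 +0000] "GET /xwiki/bin/view/Sandbox/WebHome HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
198.51.100.5 - - [10/Oct/2025:12:01:30 +0000] "POST /xwiki/bin/preview/Main/WebHome HTTP/1.1" 200 7000 "-" "Mozilla/5.0"
"""

# Combined log format: client ip, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Allowlist: a legitimate CSS class list never needs anything beyond these characters.
SAFE_CLASSES_RE = re.compile(r'^[A-Za-z0-9_\- ]*$')
# XWiki macro syntax: {{name ...}} or a closing {{/name}}.
MACRO_RE = re.compile(r'\{\{\s*/?\s*([A-Za-z][A-Za-z0-9_]*)')
# XWiki script macros: content inside these is executed when the page renders.
SCRIPT_MACROS = {"groovy", "velocity", "python", "php", "ruby", "script"}


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """URL-decode until the value stops changing, so %257B (double-encoded '{') is seen as '{'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_classes_value(raw: str) -> Optional[dict]:
    """Return a finding for a classes value that is not a plain CSS class list, else None."""
    value = fully_decode(raw)
    if SAFE_CLASSES_RE.match(value):
        return None
    macros = sorted({m.lower() for m in MACRO_RE.findall(value)})
    script = [m for m in macros if m in SCRIPT_MACROS]
    if script:
        reason = "script macro(s): " + ", ".join(script)
    elif macros:
        reason = "macro(s): " + ", ".join(macros)  # still injection, lower priority
    else:
        reason = "characters outside CSS class allowlist"
    return {"value": value, "macros": macros, "script": bool(script), "reason": reason}


def scan_access_log(text: str) -> List[dict]:
    """Walk combined-format log lines and report every suspicious classes parameter."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than crash
        query = urlsplit(m["target"]).query
        # parse_qs decodes one layer of URL encoding; inspect_classes_value handles the rest.
        for raw in parse_qs(query, keep_blank_values=True).get("classes", []):
            hit = inspect_classes_value(raw)
            if hit:
                findings.append({"ip": m["ip"], "ts": m["ts"], "status": m["status"], **hit})
    return findings


if __name__ == "__main__":
    # Usage: python scan.py access.log   (no argument: scan the constructed sample above)
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for f in scan_access_log(text):
        print(f"{f['ts']} {f['ip']} HTTP {f['status']} {f['reason']}: {f['value']!r}")
```

The allowlist check is deliberately the primary test: a blocklist of macro names would miss a macro this list does not know about, whereas no legitimate class list ever contains a brace or a dollar sign. A 200 status on a flagged request is worth noting, since it indicates the server rendered the page rather than rejecting the input.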

Compensating Controls: If immediate patching is not feasible, consider the following compensating controls:

  • Deploy a Web Application Firewall (WAF) with rules specifically designed to inspect and block malicious payloads targeting the vulnerable classes parameter.
  • If the functionality is not business-critical, temporarily disable the XWiki Remote Macros extension until it can be safely updated.
  • Restrict network access to the XWiki instance to only trusted IP addresses and internal users to reduce the attack surface.
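An added example of the first compensating control, written for this page rather than supplied by XWiki or a WAF vendor: a ModSecurity rule (v2 or v3 syntax) that denies any request whose classes parameter contains characters outside a CSS class allowlist. It assumes that classes reaches XWiki as a request parameter, that rule id 1000101 is unused in your ruleset, and that an allowlist is preferred over a blocklist of macro names, which a double-encoded or differently cased payload could slip past.

```apache
# Added example (not vendor-supplied). ARGS is already URL-decoded once by the
# engine; t:urlDecodeUni decodes a second layer so %257B%257B is inspected as {{.
# The negated operator fires whenever the value is NOT a plain class list.
SecRule ARGS:classes "!@rx ^[a-zA-Z0-9_ -]*$" \
    "id:1000101,phase:2,deny,status:403,log,\
    t:none,t:urlDecodeUni,\
    msg:'CVE-2025-55728: XWiki classes parameter contains non-CSS characters',\
    severity:CRITICAL"
```

Run the rule in DetectionOnly mode first against a day of real traffic: if the extension is used with class names outside this character set, the allowlist has to be widened before the rule is switched to deny.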

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the critical CVSS score of 10.0, this vulnerability poses a severe and immediate threat to the organization. We strongly recommend treating this as an emergency and applying the vendor-supplied patch to all affected systems without delay. Although this CVE is not currently listed on the CISA KEV catalog, vulnerabilities of this severity are prime candidates for inclusion once widespread exploitation begins. Organizations must prioritize patching to prevent a full system compromise.