CVE-2025-55729
XWiki · XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from multiple products.
Executive summary
A critical remote code execution (RCE) vulnerability has been identified in the XWiki Remote Macros extension, assigned CVE-2025-55729 with a CVSS score of 10.0. This flaw allows an unauthenticated remote attacker to execute arbitrary code on the server by sending a specially crafted request, leading to a complete system compromise. Organizations using the affected extension are at immediate risk of data theft, service disruption, and further network intrusion.
Vulnerability
The vulnerability exists due to improper input sanitization of the ac:type parameter within the macro rendering engine. An unauthenticated remote attacker can craft a request containing a malicious payload embedded within this parameter. Because the application fails to properly escape this input, the payload is executed on the server with the permissions of the XWiki application, resulting in remote code execution.
Business impact
This vulnerability is of critical severity with a CVSS score of 10.0, representing the highest possible risk. Successful exploitation grants an attacker complete control over the affected XWiki server. The potential consequences include a total loss of confidentiality, integrity, and availability. An attacker could exfiltrate all data stored within the wiki, including sensitive corporate information and user credentials; modify or delete critical content; or render the service completely unavailable. Furthermore, a compromised server can be used as a pivot point to launch further attacks against the internal network, significantly expanding the scope of the breach.
Remediation
Immediate Action: Immediately update the "XWiki Remote Macros" extension to version 1.26.5 or a later version where this vulnerability is patched. This should be treated as an emergency change, prioritizing publicly accessible instances first. After patching, verify that the update was successfully applied and the service is functioning correctly.
Proactive Monitoring: Monitor web application and server logs for requests containing suspicious or malformed data in the ac:type parameter. Review access logs for unusual activity patterns or requests originating from untrusted IP addresses. Implement endpoint detection and response (EDR) solutions to monitor the XWiki server for anomalous process execution, such as the Java process spawning unexpected shells or network connections.
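The log review described above can be scripted. The following Python scanner is an added example written for this advisory, not code from XWiki or the extension's maintainers: it parses combined-format access-log lines, pulls out every ac:type query parameter (URL-decoded, so an encoded ac%3Atype is caught too), flags values that are not plain identifiers, and tallies flagged requests per source address. The "plain identifier" allow-list and the sample log lines are constructed assumptions, not a description of the actual exploit payload; tune the pattern to the values your own wiki legitimately sends.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (combined log format); not taken from any real incident.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Sep/2025:10:01:22 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Sep/2025:10:02:03 +0000] "GET /xwiki/bin/get/Remote/Macro?ac:type=info HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Sep/2025:10:02:41 +0000] "GET /xwiki/bin/get/Remote/Macro?ac%3Atype=%7B%7Bx%7D%7D HTTP/1.1" 200 77 "-" "curl/8.4.0"
198.51.100.9 - - [10/Sep/2025:10:02:42 +0000] "GET /xwiki/bin/get/Remote/Macro?ac:type=x%22%3E&other=1 HTTP/1.1" 500 0 "-" "curl/8.4.0"
203.0.113.8 - - [10/Sep/2025:10:03:10 +0000] "GET /xwiki/bin/get/Remote/Macro?other=%7B%7B HTTP/1.1" 200 33 "-" "Mozilla/5.0"
"""

# Combined log line; only the fields the check needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# Assumption (not from the advisory): legitimate ac:type values are short, simple
# identifiers. Anything outside this set is reported for an analyst to review.
SAFE_VALUE = re.compile(r'^[A-Za-z0-9_.:-]{1,64}$')


def parse_line(line):
    """Return the captured fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def ac_type_values(target):
    """Every ac:type value in a request target; parse_qsl decodes %XX in both key and value."""
    query = urlsplit(target).query
    return [v for k, v in parse_qsl(query, keep_blank_values=True) if k == 'ac:type']


def scan(log_text):
    """Flag requests whose ac:type value does not look like a plain identifier."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line; a production scanner would count these
        for value in ac_type_values(rec['target']):
            if not SAFE_VALUE.match(value):
                findings.append({
                    'ip': rec['ip'], 'ts': rec['ts'], 'status': rec['status'],
                    'value': value, 'reason': 'ac:type is not a plain identifier',
                })
    return findings


def flagged_by_ip(findings):
    """Count flagged requests per source address to surface repeated probing."""
    return Counter(f['ip'] for f in findings)


if __name__ == '__main__':
    hits = scan(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ts']} {h['ip']} status={h['status']} ac:type={h['value']!r}  {h['reason']}")
    print('flagged requests per IP:', dict(flagged_by_ip(hits)))
```

The scanner deliberately reports on the decoded value rather than grepping the raw line, so double-encoding or a percent-encoded parameter name does not slip past it; pair it with a status-code filter (a burst of 500s from one address is itself a signal) and feed the per-IP counts into whatever alerting you already run.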
Compensating Controls: If immediate patching is not feasible, implement the following compensating controls:
- Deploy a Web Application Firewall (WAF) with rules specifically designed to inspect and block malicious payloads targeting the ac:type parameter.
- Restrict network access to the XWiki instance to only trusted IP ranges, if possible.
- If the Remote Macros extension is not critical for business operations, consider temporarily disabling it until a patch can be applied.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the critical severity of CVE-2025-55729, we strongly recommend that organizations apply the vendor-supplied patch immediately. This vulnerability poses a direct and severe threat, potentially allowing for a full compromise of the underlying server. Although this CVE is not currently on the CISA KEV list, its high-impact nature makes it a prime candidate for widespread exploitation. All remediation and monitoring efforts should be prioritized to prevent a potentially devastating security incident.