Emerging wiki configuration exposure – path traversal surge not in KEV (yet)
The CrowdSec Network has detected a rapid increase in exploitation attempts targeting CVE-2025-55748, a path traversal vulnerability in XWiki Platform that allows attackers to read sensitive configuration files and potentially gain deeper access to internal systems.
Key findings about CVE-2025-55748
- Vulnerability published September 3, 2025; CrowdSec began observing exploitation on October 31, 2025, with sustained escalation through November 11.
- 143 exploitation signals over 8 tracked days (31 October–November 11), with a peak of 35 in a single day and up to 13 distinct attacking sources
- Not listed in the CISA Known Exploitation Vulnerability (KEV) catalog at the time of writing, heightening the chance organizations under‑prioritize patching while focused reconnaissance intensifies.
What is XWiki Platform?
XWiki is an open-source enterprise wiki and knowledge base platform used by product teams, documentation managers, solution architects, and internal enablement leads to centralize technical and procedural knowledge. It is often used in combination with extensions, such as Google Apps or Microsoft 365. Therefore, it frequently stores configuration notes, integration secrets, connection details, runbooks, and architectural decisions.
What is the business impact? This exposure has an outsized effect: an attacker who can read these files can quickly locate keys, map internal services, and move faster across your environment. A single leak can cascade into other systems (databases, CI/CD, email) and create compliance exposure—protecting XWiki protects the blueprint of your organization.
About CVE-2025-55748
The vulnerability (CVE-2025-55748) affects XWiki versions 4.2-milestone-2 through 16.10.6. Improper exposure of server-side resource loading endpoints (jsx / ssx / sx) allows unauthenticated attackers to request configuration files via crafted path traversal sequences. Example pattern:
/bin/ssx/Main/WebHome?resource=../../WEB-INF/xwiki.cfg&minify=false Successful exploitation lets attackers read sensitive configuration settings, including potential database connection details or authentication parameters. A patched version (16.10.7) remediates access control on these endpoints.
Research & references:
Trend analysis
CrowdSec telemetry now records 143 signals over 8 days (Oct 31–Nov 11), with a sharp surge culminating in a 35‑signal peak and up to 13 distinct sources on the busiest day. Activity still resembles targeted reconnaissance: relatively few, higher‑intent probes rather than broad indiscriminate scanning. The absence from KEV appears to be creating a remediation lag that attackers are exploiting to harvest configuration intelligence and identify pivot opportunities. If the current exploitation wave increases, unpatched instances risk becoming staging footholds for lateral movement and credential reuse through late Q4.
How to protect your systems
- Patch: Upgrade immediately to XWiki 16.10.7 or later. If patching is delayed, restrict public access to
/bin/ssxand/bin/sxendpoints via reverse proxy rules. - Preemptive blocking: Deploy CrowdSec with Application Security (WAF module) to automatically detect and stop CVE-2025-55748, using the virtual patching rule released on October 31, 2025.
- Stay proactive: Subscribe to CrowdSec Intelligence Blocklists to enhance your security level and automatically block the most malicious IP addresses reported by Crowdsec Network.