CVE-2025-55730: RCE in XWiki Remote Macros
Platform: java
Component: xwiki-pro-macros
Fixed in: 1.0.1
CVE-2025-55730 affects XWiki Remote Macros, a component used for migrating content from Confluence. The vulnerability stems from a lack of proper escaping in the confluence paste code macro, enabling an attacker to execute arbitrary code. This flaw impacts versions 1.0 through 1.26.4 and allows any user with edit permissions to potentially compromise the system. A fix is available in version 1.26.5.
Impact and Attack Scenarios
The impact of CVE-2025-55730 is severe: Remote Code Execution (RCE). An attacker exploits it by crafting a malicious confluence paste code macro that, when XWiki processes it, executes arbitrary commands on the server. This can lead to complete system compromise, including data exfiltration, malware installation, and denial of service. Because the injected code runs on behalf of a user with edit permissions, the blast radius extends to other users and systems within the XWiki environment. The missing input sanitization makes this a particularly dangerous vulnerability, comparable in impact to other injection flaws that allow arbitrary code execution.
Exploitation Context
CVE-2025-55730 was published on September 9, 2025. Its critical CVSS score of 10 indicates a high probability of exploitation. No public Proof-of-Concept (PoC) exploit has been released as of this writing, but the ease of exploitation and the potential impact suggest it is likely to become a target for attackers. The vulnerability is not currently listed on KEV or EPSS, but its severity warrants close monitoring. No active campaigns are currently known, but given that the flaw yields RCE, threat actors are highly likely to attempt exploitation.
Threat Intelligence
EPSS: 0.50% (66th percentile)
CVSS Vector
- Attack Vector: Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
- Attack Complexity: Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
- Privileges Required: None — unauthenticated. No login or credentials needed to exploit.
- User Interaction: None — attack is automatic and silent. Victim does nothing: no click, no file open.
- Scope: Changed — successful attack can pivot beyond the vulnerable component to other systems or the host OS.
- Confidentiality: High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
- Integrity: High — attacker can write, modify, or delete any data: databases, config files, or code.
- Availability: High — complete crash or resource exhaustion. Full denial of service.
Timeline
- Published: September 9, 2025
Mitigation and Workarounds
The primary mitigation for CVE-2025-55730 is to immediately upgrade XWiki Remote Macros to version 1.26.5 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds. Restrict edit permissions on XWiki pages to only authorized users to limit the potential impact of a successful exploit. Implement a Web Application Firewall (WAF) with rules to detect and block malicious confluence paste code macros containing XWiki syntax injection attempts. Monitor XWiki logs for suspicious activity, particularly related to page edits and macro execution. After upgrading to 1.26.5, verify the fix by attempting to inject malicious XWiki syntax into a confluence paste code macro and confirming that it is properly sanitized and does not result in code execution.
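Before applying the upgrade above, it helps to know whether a build actually pins an affected version. The following is an added example, not code from the advisory or from the XWiki project: it scans a Maven pom.xml for the Remote Macros dependency and checks the resolved version against the affected range 1.0 through 1.26.4. The artifactId and groupId used here are assumptions for illustration; confirm the real Maven coordinates of the component in your own build.

```python
import re
import xml.etree.ElementTree as ET

POM_NS = "{http://maven.apache.org/POM/4.0.0}"
ARTIFACT_ID = "xwiki-pro-macros"   # component name from the advisory; assumed artifactId
FIRST_AFFECTED = (1, 0)            # affected range per the advisory: 1.0 .. 1.26.4
LAST_AFFECTED = (1, 26, 4)         # fixed in 1.26.5

def parse_version(text):
    """Turn '1.26.4' or '1.26.4-SNAPSHOT' into a tuple of ints.
    Any qualifier after the numeric part is ignored for the range check."""
    m = re.match(r"(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))

def is_affected(version):
    """Inclusive check against 1.0 .. 1.26.4; short versions are zero-padded."""
    v = parse_version(version)
    n = max(len(v), len(LAST_AFFECTED))
    pad = lambda t: t + (0,) * (n - len(t))
    return pad(FIRST_AFFECTED) <= pad(v) <= pad(LAST_AFFECTED)

def find_dependency_versions(pom_xml, artifact_id=ARTIFACT_ID):
    """Return the version of every <dependency> whose artifactId matches,
    resolving ${property} references declared in <properties>."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.replace(POM_NS, ""): (p.text or "").strip()
             for p in root.iterfind(f"{POM_NS}properties/*")}
    versions = []
    for dep in root.iter(f"{POM_NS}dependency"):
        if dep.findtext(f"{POM_NS}artifactId") == artifact_id:
            ver = (dep.findtext(f"{POM_NS}version") or "").strip()
            ver = re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), ver)
            versions.append(ver)
    return versions

def check_pom(pom_xml):
    """Map each matching dependency version to True when it is affected."""
    return {v: is_affected(v) for v in find_dependency_versions(pom_xml)}

# Constructed sample pom (not a real project file): one pin via a property.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><pro.macros.version>1.26.4</pro.macros.version></properties>
  <dependencies><dependency>
    <groupId>com.example.placeholder</groupId><artifactId>xwiki-pro-macros</artifactId>
    <version>${pro.macros.version}</version>
  </dependency></dependencies>
</project>"""
```

Calling `check_pom(SAMPLE_POM)` returns `{'1.26.4': True}`; a pom pinning 1.26.5 or later reports False. Versions inherited from a parent pom or a BOM are not resolved here, so check those separately.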
How to fix
Update the XWiki Remote Macros plugin to version 1.26.5 or later. This version contains a fix for the remote code execution vulnerability. The update can be performed through the XWiki plugin manager.
Frequently asked questions
What is CVE-2025-55730 — Remote Code Execution (RCE) in XWiki Remote Macros?
It's a critical Remote Code Execution (RCE) vulnerability in XWiki Remote Macros, allowing attackers to execute arbitrary code through unescaped input in the confluence paste code macro.
Am I affected by CVE-2025-55730 in XWiki Remote Macros?
If you are using XWiki Remote Macros versions 1.0 through 1.26.4, you are vulnerable to this RCE flaw. Immediate action is required.
How do I fix CVE-2025-55730 in XWiki Remote Macros?
Upgrade XWiki Remote Macros to version 1.26.5 or later to patch the vulnerability. If immediate upgrade is impossible, implement temporary workarounds like restricting edit permissions.
Is CVE-2025-55730 being actively exploited?
While no public exploits are currently known, the vulnerability's severity suggests it's likely to become a target. Monitor your systems closely.
Where can I find the official XWiki Remote Macros advisory for CVE-2025-55730?
Refer to the official XWiki security advisory and the NVD entry for CVE-2025-55730 for detailed information and updates.