Hello and welcome to the Wednesday, March 26th, 2025 edition of the Sands Internet Storm Center's Stormcast.

My name is Johannes Ulrich, and today I am recording from Jacksonville, Florida.

Well, today in Diaries we do have an interesting one, a billy that I saw being exploited.

It affects ex-Wiki.

Wikis, of course, are always dangerous.

However, the vulnerability being exported here is not in a feature that's commonly

associated with dangerous like uploading files or allowing users to edit a page.

It's in the search feature.

And in this case, actually, the search feature is open to remote code execution.

The problem is that this particular wiki, and again, we're talking about XWiki here, is written in Java, and it does allow for output rendering transformations.

The idea behind this is that part of the wiki code is essentially these templates, and then as they're being sent to the user, well, they're being parsed.

That's how these rendering transformations are being applied.

But in the search feature, the search string also was subject to these rendering transformations.

So if you searched for a crewvy in this case, code snippet, well, that code was actually then

parsed as the data was returned to the user, and that led to the remote code execution.

The vulnerability is about a year old.

I haven't seen a lot of exploitation against it.

Just sort of now sort of bubbled to the top.

Early expectations were like about in June,

but only sort of individual hits against our honeypots,

which sort of didn't make it to our threshold

where we sort of consider it something new and noteworthy.

...