CVE-2025-24893
Published Feb 20, 2025
Last updated 10 days ago
AI description
CVE-2025-24893 is a critical remote code execution (RCE) vulnerability in the XWiki Platform. It exists within the SolrSearch macro due to insufficient input sanitization and allows unauthenticated attackers to execute arbitrary Groovy code on affected servers by sending a crafted HTTP request to a vulnerable XWiki instance. The vulnerability stems from the way the SolrSearch macro evaluates search parameters, specifically when serving RSS feed requests, without sanitizing scripting-language special characters. By injecting Groovy expressions into the search query, an attacker can cause the server to evaluate arbitrary code within the context of the XWiki server process. This vulnerability affects XWiki Platform versions from 5.3-milestone-2 up to but not including 15.10.11, and from 16.0.0-rc-1 up to but not including 16.4.1.
- Description
- XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any guest can perform arbitrary remote code execution through a request to `SolrSearch`. This impacts the confidentiality, integrity and availability of the whole XWiki installation. To reproduce on an instance, without being logged in, go to `<host>/xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28"Hello%20from"%20%2B%20"%20search%20text%3A"%20%2B%20%2823%20%2B%2019%29%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D%20`. If there is an output, and the title of the RSS feed contains `Hello from search text:42`, then the instance is vulnerable. This vulnerability has been patched in XWiki 15.10.11, 16.4.1 and 16.5.0RC1. Users are advised to upgrade. Users unable to upgrade may edit `Main.SolrSearchMacros` in `SolrSearchMacros.xml` on line 955 to match the `rawResponse` macro in `macros.vm#L2824` with a content type of `application/xml`, instead of simply outputting the content of the feed.
- Source
- security-advisories@github.com
- NVD status
- Analyzed
- Products
- xwiki
CVSS 3.1
- Type
- Primary
- Base score
- 9.8
- Impact score
- 5.9
- Exploitability score
- 3.9
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Severity
- CRITICAL
Data from CISA
- Vulnerability name
- XWiki Platform Eval Injection Vulnerability
- Exploit added on
- Oct 30, 2025
- Exploit action due
- Nov 20, 2025
- Required action
- Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
- Hype score
- Not currently trending
CVE-2025-24893 - XWiki Platform injection vulnerability exploited in the wild https://t.co/LEdumviIYz https://t.co/nxGpEYLiSq
@SirajD_Official
10 Nov 2025
28 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-24893 - XWiki Platform injection vulnerability exploited in the wild https://t.co/6lHF0hVrNp https://t.co/sMAthsorJD
@CloudVirtues
6 Nov 2025
0 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
XWiki RCE (CVE-2025-24893) Actively Exploited to Deploy Cryptominers – Patch Immediately Read the full report on - https://t.co/9uBjZ3DD2X https://t.co/EpOSQF5m47
@Iambivash007
4 Nov 2025
1 Impression
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
XWiki SolrSearch Exploit Attempts (CVE-2025-24893) with link to Chicago Gangs/Rappers, (Mon, Nov 3rd) #CISO https://t.co/4WKTikeFo2
@compuchris
3 Nov 2025
4 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 RCE in XWiki (CVE-2025-24893) lets guest users run arbitrary code via crafted SolrSearch requests. Fixed in 15.10.11 / 16.4.1 / 16.5.0RC1 (July 2024). 30+ exploits on GitHub. Now exploited in the wild to deploy cryptominers. #XWiki #VulnCheck ➡️ https://t.co/7GmzuG0aXx h
@leonov_av
3 Nov 2025
19 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
🚨 THREAT INTEL REPORT - Nov 3, 2025 10 CRITICAL CVEs | 11 malicious IPs (100% abuse) | 50 C2 domains | 50 malware hashes TOP THREAT: CVE-2025-24893 (XWiki) → ANY GUEST can execute remote code → Zero auth required BLOCK THESE IPs NOW: 🇺🇸 209.141.33.240 🇺🇸 45.
@webpro255
3 Nov 2025
53 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
CVE-2025-24893 : Hackers Hijack Corporate XWiki Servers for Crypto Mining https://t.co/nGkDBcunhC
@freedomhack101
1 Nov 2025
59 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-24893: Eval Injection in XWiki Platform, 9.8 rating 🔥 In a recent post, CISA added an old RCE vulnerability to the list of actively exploited ones. Search at https://t.co/hv7QKSqxTR: 👉 Link: https://t.co/fTnrNTvs7H https://t.co/G66zvwrHiV
@Netlas_io
1 Nov 2025
643 Impressions
4 Retweets
14 Likes
4 Bookmarks
0 Replies
0 Quotes
🚨CISA KEV Catalog was updated to include: CVE-2025-41244 & CVE-2025-24893 CVE-2025-41244: Broadcom VMware Aria Operations and VMware Tools Privilege Defined with Unsafe Actions Vulnerability CVE-2025-24893: XWiki Platform Eval Injection Vulnerability https://t.co/9idGUA
@DarkWebInformer
30 Oct 2025
3640 Impressions
2 Retweets
19 Likes
3 Bookmarks
1 Reply
0 Quotes
🛡️ We added XWiki Platform CVE-2025-24893 & Broadcom VMware Aria Operations and VMware Tool CVE-2025-41244 to our Known Exploited Vulnerabilities Catalog. Visit https://t.co/myxOwap1Tf & apply mitigations to protect your org from cyberattacks. #Cybersecurity #InfoSec
@CISACyber
30 Oct 2025
5740 Impressions
11 Retweets
42 Likes
9 Bookmarks
1 Reply
1 Quote
🚨 XWiki CVE-2025-24893 is being actively exploited in the wild. VulnCheck Canaries observed a two-stage attack that installs a coinminer. This CVE is not in CISA KEV, showing real-world exploitation can precede official recognition. 🔗 Full report: https://t.co/WaEA1kYU6c
@VulnCheckAI
29 Oct 2025
225 Impressions
1 Retweet
1 Like
0 Bookmarks
0 Replies
0 Quotes
🚨 Active Exploitation Alert @TheHackersNews and @CISAgov report active exploitation of critical flaws in Dassault Systèmes DELMIA Apriso and XWiki. 💡 The CrowdSec Network detected and reported real-world weaponization of the XWiki flaw (CVE-2025-24893) as far back a
@Crowd_Security
29 Oct 2025
303 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
XWiki RCE Flaw Under Active Attack for Coinmining A critical vulnerability in XWiki (CVE-2025-24893) is actively exploited by threat actors to deploy cryptocurrency mining malware. Unpatched XWiki systems are at serious risk. Researchers at VulnCheck have documented ongoing http
@Secwiserapp
29 Oct 2025
38 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
VulnCheck canaries seeing in-the-wild exploitation of XWiki CVE-2025-24893 to deploy coin miners. Attacker behavior, IOCs, and payload analysis via VulnCheck CTO @Junior_Baines https://t.co/6toH8L7OhL
@catc0n
28 Oct 2025
718 Impressions
2 Retweets
10 Likes
4 Bookmarks
0 Replies
0 Quotes
⚠️ Weekly vuln radar. https://t.co/Cd6L8ACyLV – spot what’s trending before it’s everywhere: CVE-2025-43300 CVE-2025-48539 CVE-2025-25257 (@0x_shaq) CVE-2025-7775 CVE-2025-57833 (@EyalSec) CVE-2025-53690 CVE-2025-9074 CVE-2025-48543 CVE-2025-24893 https://t.co/KW7HdtM3
@ptdbugs
5 Sept 2025
123 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
💻ӉѦСҠіИԌ ҬЄѦӍ Difusion: Exploit for CVE-2025-24893 CVE-2025-24893 is a critical unauthenticated remote code execution (RCE) vulnerability affecting the XWiki Platform. This flaw lets any guest user inject and execute arbitrary Groovy code—without authenticati
@HackingTeam777
5 Sept 2025
550 Impressions
0 Retweets
6 Likes
3 Bookmarks
0 Replies
0 Quotes
GitHub - b0ySie7e/CVE-2025-24893 https://t.co/2ccdVGJVzK
@akaclandestine
4 Sept 2025
844 Impressions
1 Retweet
3 Likes
2 Bookmarks
0 Replies
0 Quotes
CVE-2025-24893 is a critical unauthenticated remote code execution (RCE) vulnerability affecting the XWiki Platform. https://t.co/n2GGpZXvxH https://t.co/KjcnrjFv9x
@cyber_advising
4 Sept 2025
5830 Impressions
33 Retweets
87 Likes
45 Bookmarks
0 Replies
0 Quotes
CVE-2024-24893 PoC for CVE-2025-24893 https://t.co/KJKhPWLiP6 Customizable Vulnerability Alerts: https://t.co/U7998fz7yk
@VulmonFeeds
4 Aug 2025
53 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Watch out for the xwiki CVE-2025-24893 RCE https://t.co/og2hQvKmSN
@infinit3i
3 Aug 2025
388 Impressions
2 Retweets
5 Likes
2 Bookmarks
0 Replies
0 Quotes
CVE-2025-24893 – #Unauthenticated #Remote_Code_Execution in #XWiki via #SolrSearch Macro https://t.co/QVgiZG0y8J https://t.co/iNWYwdSdyM
@omvapt
6 Jun 2025
25 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Deep Dive: CVE-2025-24893 (Critical RCE in XWiki) ⚠️ CVSS 9.8 | EPSS 92.01% An exposed macro + unsafe evaluate() = full remote code execution. Unauthenticated attackers can inject Groovy code via the SolrSearch macro and execute system commands on vulnerable XWiki instances
@offsectraining
5 Jun 2025
3941 Impressions
4 Retweets
32 Likes
4 Bookmarks
0 Replies
0 Quotes
#XWiki Platform #RCE (CVE-2025-24893) https://t.co/KqUvbEgNkR
@absholi7ly
5 Mar 2025
136 Impressions
0 Retweets
2 Likes
0 Bookmarks
0 Replies
0 Quotes
csirt_it: The Cyber Week of 23 February 2025 🔹updates for multiple products 🔹Xerox: vulnerabilities found in Versalink products 🔹XWiki: PoC for CVE-2025-24893 🔹Microsoft: active in-the-wild exploitation of CVE-2025-24989 ⚠️ #E… https://t.co/flACCIWbA4
@Vulcanux_
24 Feb 2025
56 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 CVE-2025-24893 ⚠️🔴 CRITICAL (9.8) 🏢 xwiki - xwiki-platform 🏗️ >= 5.3-milestone-2, < 15.10.11 🔗 https://t.co/RehOm4y8aO 🔗 https://t.co/te3FeYPtKq 🔗 https://t.co/xusI78TZ5s 🔗 https://t.co/54P39Imaor 🔗 https://t.co/nT9bq2aQmM #CyberCron #VulnAlert https://t.co/hX7zo
@cybercronai
22 Feb 2025
17 Impressions
1 Retweet
1 Like
0 Bookmarks
0 Replies
0 Quotes
csirt_it: ‼ #XWiki: a #PoC is available for exploiting CVE-2025-24893 via #SolrSearch Risk: 🔴 Type: 🔸 Remote Code Execution 🔗 https://t.co/vdqUriCQoa ⚠ Important to keep systems up to date https://t.co/vAqkbUEu1W
@Vulcanux_
21 Feb 2025
28 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
New post from https://t.co/uXvPWJy6tj (CVE-2025-24893 | xwiki-platform up to 15.10.10/16.4.0 neutralization of directives (GHSA-rr6p-3pfg-562j)) has been published on https://t.co/COjeYxUMoV
@WolfgangSesin
20 Feb 2025
10 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
[CVE-2025-24893: CRITICAL] XWiki Platform vulnerability through `SolrSearch` allows remote code execution leading to data breach. Patched in versions 15.10.11, 16.4.1 and 16.5.0RC1, ensure immediate upgrade.#cybersecurity,#vulnerability https://t.co/J3bofJGM9w https://t.co/0spCC3
@CveFindCom
20 Feb 2025
11 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
```json
[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "A9F2AD2E-CF5D-46D1-AFB8-2E9529C8E8D4",
            "versionEndExcluding": "15.10.11",
            "versionStartIncluding": "5.4"
          },
          {
            "criteria": "cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "5921C493-2A56-49BC-8763-7D12518C0DC2",
            "versionEndExcluding": "16.4.1",
            "versionStartIncluding": "16.0.0"
          },
          {
            "criteria": "cpe:2.3:a:xwiki:xwiki:5.3:-:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "F5CC1FB7-2BAD-4413-9955-02E06BA27305"
          },
          {
            "criteria": "cpe:2.3:a:xwiki:xwiki:5.3:milestone2:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "067AAD11-1AB2-4688-8D81-F2464CD2FA14"
          },
          {
            "criteria": "cpe:2.3:a:xwiki:xwiki:5.3:rc1:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "F2FCE7B4-E701-4C07-B4A9-31EC6C25F882"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]
```