CVE-2025-24893

Published Feb 20, 2025

Last updated a month ago

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-24893 is a critical remote code execution (RCE) vulnerability in the XWiki Platform. It exists in the SolrSearch macro due to insufficient input sanitization and allows unauthenticated attackers to execute arbitrary Groovy code on affected servers by sending a crafted HTTP request to the vulnerable XWiki instance. The root cause is the way the SolrSearch macro evaluates search parameters, specifically when serving RSS feed requests, without sanitizing the special characters of the wiki scripting syntax. By injecting Groovy expressions into the search query, an attacker can have the server evaluate arbitrary code in the context of the XWiki server process. The vulnerability affects XWiki Platform versions from 5.3-milestone-2 up to but not including 15.10.11, and from 16.0.0-rc-1 up to but not including 16.4.1.

Description
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any guest can perform arbitrary remote code execution through a request to `SolrSearch`. This impacts the confidentiality, integrity and availability of the whole XWiki installation. To reproduce on an instance, without being logged in, go to `<host>/xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28"Hello%20from"%20%2B%20"%20search%20text%3A"%20%2B%20%2823%20%2B%2019%29%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D%20`. If there is an output, and the title of the RSS feed contains `Hello from search text:42`, then the instance is vulnerable. This vulnerability has been patched in XWiki 15.10.11, 16.4.1 and 16.5.0RC1. Users are advised to upgrade. Users unable to upgrade may edit `Main.SolrSearchMacros` in `SolrSearchMacros.xml` on line 955 to match the `rawResponse` macro in `macros.vm#L2824` with a content type of `application/xml`, instead of simply outputting the content of the feed.
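Added example, not part of the advisory or of XWiki's own code: a small Python detector that scans constructed access-log lines for requests to the SolrSearch page whose query parameters, after undoing repeated percent-encoding, contain XWiki scripting-macro markup such as the `}}}{{async}}{{groovy}}` sequence in the reproduction URL above. The log format, the sample lines, and the inclusion of the velocity/script macro names alongside groovy and async are assumptions of this example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed combined-format access log lines (sample data, not real traffic): a request
# shaped like the advisory's proof of concept, a benign search, and a double-encoded variant.
SAMPLE_LOG_LINES = [
    '203.0.113.7 - - [17/Nov/2025:10:01:02 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss'
    '&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28%22x%22%29'
    '%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D HTTP/1.1" 200 512 "-" "curl/8.0"',
    '198.51.100.3 - - [17/Nov/2025:10:02:15 +0000] "GET /xwiki/bin/view/Main/SolrSearch'
    '?text=incident+response HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [17/Nov/2025:10:03:40 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss'
    '&text=%257D%257D%257D%257B%257Bgroovy%257D%257D HTTP/1.1" 200 400 "-" "python-requests/2.31"',
]

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# XWiki 2.x macro syntax for scripting macros; "async" is what the PoC wraps "groovy" in.
# Listing velocity/script alongside groovy and async is an assumption beyond the advisory text.
SCRIPT_MACRO_RE = re.compile(r'\{\{\s*/?\s*(groovy|async|velocity|script)\b', re.I)
# The PoC opens with "}}}" to break out of the macro the search text is inserted into.
EARLY_CLOSE_RE = re.compile(r'\}\}\}')


def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding until the value stops changing."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request(target):
    """Return a finding when a SolrSearch request carries macro markup in any parameter."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith('/solrsearch'):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)  # performs one decoding round
    suspicious = set()
    for name, values in params.items():
        for value in values:
            decoded = fully_decode(value)
            if SCRIPT_MACRO_RE.search(decoded) or EARLY_CLOSE_RE.search(decoded):
                suspicious.add(name)
    if not suspicious:
        return None
    # media=rss is the code path the advisory describes; record it for triage.
    return {'path': parts.path, 'media': params.get('media', [''])[0].lower(), 'params': sorted(suspicious)}


def scan_log(lines):
    """Parse each access-log line and collect findings with source IP, time and status."""
    alerts = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue
        finding = inspect_request(match.group('target'))
        if finding:
            finding.update(ip=match.group('ip'), ts=match.group('ts'), status=int(match.group('status')))
            alerts.append(finding)
    return alerts
```

A 200 response to such a request does not by itself prove the instance was exploitable; pair a hit with the version check from the advisory and look for the RSS feed title in the response where it is logged.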
Source
security-advisories@github.com
NVD status
Analyzed
Products
xwiki

Risk scores

CVSS 3.1

Type
Primary
Base score
9.8
Impact score
5.9
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity
CRITICAL

Known exploits

Data from CISA

Vulnerability name
XWiki Platform Eval Injection Vulnerability
Exploit added on
Oct 30, 2025
Exploit action due
Nov 20, 2025
Required action
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Weaknesses

security-advisories@github.com
CWE-95
nvd@nist.gov
CWE-94

Social media

Hype score
Not currently trending
  1. 【MBSD-SOC Detection Trend Topics】 We have published the November 2025 edition of the #MBSD #SOC detection trend topics. This month, attacks targeting a vulnerability (CVE-2025-24893) in XWiki, an open-source knowledge management platform, increased

    @mbsdnews

    11 Dec 2025

    1772 Impressions

    5 Retweets

    15 Likes

    4 Bookmarks

    0 Replies

    0 Quotes

  2. The RondoDox botnet targets the XWiki platform. The RondoDox botnet is targeting the XWiki platform by exploiting a critical RCE (remote code execution) vulnerability tracked as CVE-2025-24893. XWiki is a Java-based, open-source enterprise

    @linuxmint_hun

    2 Dec 2025

    64 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. 🚨 New plugin: XWikiPlugin (CVE-2025-24893, CVE-2025-32429, CVE-2025-52472, CVE-2025-55748). XWiki multiple critical vulnerabilities detection - RCE, SQL/HQL injection, and path traversal. Results: https://t.co/PxFnlE9Gg8 https://t.co/KsHMoApXyo

    @leak_ix

    1 Dec 2025

    850 Impressions

    2 Retweets

    9 Likes

    1 Bookmark

    1 Reply

    0 Quotes

  4. Actively exploited CVE : CVE-2025-24893

    @transilienceai

    24 Nov 2025

    40 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  5. 🚩 RondoDox Exploits Unpatched XWiki Servers to Pull More Devices Into Its Botnet https://t.co/39Up3lx5YW The RondoDox botnet is exploiting CVE-2025-24893 (CVSS 9.8), a critical eval injection flaw in XWiki, to recruit devices for DDoS operations. Exploitation attempts spik

    @Huntio

    21 Nov 2025

    753 Impressions

    2 Retweets

    8 Likes

    2 Bookmarks

    0 Replies

    0 Quotes

  6. An RCE-type vulnerability with the identifier CVE-2025-24893 has been published for the Xwiki platform. A botnet named RondoDox is using this vulnerability to gain access to systems.

    @EthicalSafe

    19 Nov 2025

    16 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  7. 🐛🌐 RondoDox Botnet Now Exploits XWiki RCE The RondoDox botnet added a critical XWiki RCE (CVE-2025-24893) to its exploit arsenal to hack servers and expand its reach. #Botnet #XWiki #RCE #ThreatIntel https://t.co/VgLaHIZLm8

    @Strivehawk

    18 Nov 2025

    32 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  8. ⚡️ Cybersecurity Developments in the Last 12 Hours ⚡️ 🚨 RondoDox botnet is exploiting a critical XWiki RCE (CVE-2025-24893) to compromise servers, deploy payloads and mine cryptocurrency. Organizations should patch affected XWiki versions immediately. 👾 A research

    @greytech_ltd

    18 Nov 2025

    42 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  9. 【Link collection: security news/articles for 17–18 November 2025】 <Vulnerabilities> ・XWiki vulnerability exploited in a variety of attacks (CVE-2025-24893) https://t.co/gGhFRePBgz <Malware / other threats> ・Azure, 500,000 IP addresses

    @MachinaRecord

    18 Nov 2025

    56 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  10. The RondoDox botnet exploits a critical RCE vulnerability (CVE-2025-24893) in XWiki versions before 15.10.11 and 16.4.1, deploying remote shells and crypto miners since November. #XWikiFlaw #BotnetAttack #RondoDox https://t.co/NfHtjnkE3D

    @TweetThreatNews

    18 Nov 2025

    122 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  11. RondoDox botnet exploits XWiki's CVE-2025-24893 RCE https://t.co/zHJJQBgu3K #Security #セキュリティー #ニュース

    @SecureShield_

    18 Nov 2025

    1 Impression

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  12. 🚨 Critical Unauthenticated RCE Vulnerability in XWiki Platform (CVE-2025-24893, CVSS 9.8) 🚨 A critical unauthenticated RCE vulnerability in XWiki Platform is being actively exploited in the wild. An unauthenticated attacker can achieve RCE by abusing unsafe user-controlled

    @censysio

    17 Nov 2025

    5562 Impressions

    14 Retweets

    67 Likes

    19 Bookmarks

    1 Reply

    0 Quotes

  13. 🚨 Urgent: The RondoDox botnet is actively exploiting a critical XWiki vulnerability (CVE-2025-24893) to take over servers. Patch immediately if you're running XWiki! #CyberSecurity https://t.co/BvG4rzWuGS

    @RedTeamNewsBlog

    17 Nov 2025

    28 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  14. 📌 The RondoDox malware exploits a critical vulnerability in the XWiki platform, named CVE-2025-24893, to execute commands remotely. https://t.co/fLCXJnKTzg

    @Cybercachear

    17 Nov 2025

    48 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  15. Botnet on the rise: RondoDox is hijacking servers via an unpatched XWiki bug (CVE-2025-24893). If you use XWiki and haven’t patched since Feb, you’re a sitting duck. LCCS is tracking it. Time to lock the doors. https://t.co/YcouhwSXII #CyberSecurity #PatchNow

    @lowcountrycyber

    17 Nov 2025

    40 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  16. Unpatched XWiki servers are now feeding the RondoDox botnet thanks to CVE-2025-24893. It’s a remote-code free-for-all if you haven’t patched since Feb. SMBs running XWiki: you’re a sitting duck. Lock it down. https://t.co/YcouhwSXII #CyberSecurity #PatchNow

    @lowcountrycyber

    17 Nov 2025

    56 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  17. RondoDox exploits a critical flaw in XWiki for attacks with a miner and DDoS: the botnet takes advantage of the unpatched CVE-2025-24893 vulnerability to execute remote code, triggering exploitation attempts and various attacks; updating immediately is essential. https://t.co/3h

    @caveiratech

    17 Nov 2025

    38 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  18. VulnCheck launches Canary Intelligence: real, verified exploitation data from live vulnerable systems — not honeypots. See which CVEs are actually exploited, by whom, and how. Already detecting activity across 231 VulnCheck KEVs and XWiki CVE-2025-24893. https://t.co/78R92h0Z

    @VulnCheckAI

    17 Nov 2025

    122 Impressions

    0 Retweets

    1 Like

    1 Bookmark

    0 Replies

    1 Quote

  19. #RondoDox is exploiting the unpatched #XWiki flaw CVE-2025-24893 (CVSS 9.8), enabling unauthenticated RCE via the SolrSearch endpoint. Activity spiked in Nov, with actors deploying cryptominers. CISA added the bug to KEV; mitigations required by Nov 20. https://t.co/SPbNNLyAmF

    @MeridianEU

    17 Nov 2025

    5 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  20. "GoldenJackal" Threat Actor Exploits Unpatched XWiki RCE to RondoDox botnet exploits unpatched XWiki flaw CVE-2025-24893 for RCE, infecting servers despite February 2025 patches. With a CVSS score of 9.8, it targets vulnerable XWiki servers, expanding its botnet. https://

    @Secwiserapp

    17 Nov 2025

    31 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  21. 🚨 XWiki Platform Security Advisory — Nov 17, 2025 Comprehensive security advisory for XWiki Platform, addressing CVE-2025-24893 and related exploitation activities. Checkout our Threat Intelligence Platform: https://t.co/QuwNtEgYh1... https://t.co/AaKzpniJTL

    @transilienceai

    17 Nov 2025

    22 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  22. 🚨 A new botnet called RondoDox is attacking unpatched XWiki servers through a critical bug (CVE-2025-24893, score 9.8). Hackers are using it to spread crypto miners and DDoS tools. Learn more ↓ https://t.co/nIThpFV49Y https://t.co/1buPvPFX25

    @marylynnjuszcza

    16 Nov 2025

    31 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  23. 🚨⚠️ ALERT: RondoDox botnet exploiting XWiki flaw CVE-2025-24893 with CVSS score 9.8! 😱 Hackers targeting unpatched systems for remote code execution! #RondoDox #XWiki #CyberSecurity 🔒 Learn more: https://t.co/jlirLhj3Rt

    @JamaalChalid

    16 Nov 2025

    58 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  24. CVE-2025-24893 XWiki Platform guest can perform RCE through SolrSearch macros request CVSS3 9.8, Impact 5.9, EPSS 99.9%, Exploits available https://t.co/ZSnheqzORQ

    @vFeed_IO

    16 Nov 2025

    83 Impressions

    1 Retweet

    2 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  25. Top 5 Trending CVEs: 1 - CVE-2017-1001000 2 - CVE-2025-33073 3 - CVE-2025-26686 4 - CVE-2025-24893 5 - CVE-2025-33053 #cve #cvetrends #cveshield #cybersecurity https://t.co/4Fua3CAN6W

    @CVEShield

    16 Nov 2025

    10 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  26. 🔍 Latest CVE breakdown available now! RondoDox botnet hijacks unpatched XWiki servers via CVE-2025-24893. Discover the scope of the attack and how to defend against it now. 🔗 Get the

    @PurpleOps_io

    16 Nov 2025

    36 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  27. 15/11/2025 🚨 RondoDox botnet exploits unpatched XWiki servers via CVE-2025-24893 (CVSS 9.8), enabling arbitrary code execution. Urgent patching needed to secure your systems! Source: https://t.co/lD3BCQA6s7

    @kernyx64

    16 Nov 2025

    34 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  28. RondoDox malware exploits unpatched XWiki servers via CVE-2025-24893, a critical eval injection bug allowing arbitrary code execution, potentially pulling more devices into its botnet. #CyberSecurity #Malware https://t.co/qbD6Hx0ccT

    @Cyber_O51NT

    16 Nov 2025

    757 Impressions

    1 Retweet

    2 Likes

    2 Bookmarks

    1 Reply

    0 Quotes

  29. RondoDox botnet exploits unpatched XWiki servers via critical CVE-2025-24893 vulnerability to deploy crypto miners and launch DDoS attacks. Exploitation began in March, surging in Nov 2025. #XWikiExploit #BotnetAttack #France https://t.co/423DrlGt67

    @TweetThreatNews

    15 Nov 2025

    124 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  30. RondoDox botnet is actively exploiting unpatched XWiki servers via CVE-2025-24893, a critical RCE vulnerability. Patch now to prevent your devices from being compromised! 🔒 https://t.co/vZbqNXKKcu #RondoDox #XWiki #Cybersecurity #Vulnerability

    @0xT3chn0m4nc3r

    15 Nov 2025

    12 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  31. 🚨 A new botnet called RondoDox is attacking unpatched XWiki servers through a critical bug (CVE-2025-24893, score 9.8). Hackers are using it to spread crypto miners and DDoS tools. Learn more ↓ https://t.co/QgQFKrtqDR

    @TheHackersNews

    15 Nov 2025

    12679 Impressions

    31 Retweets

    66 Likes

    7 Bookmarks

    2 Replies

    2 Quotes

  32. CVE-2025-24893 - XWiki Platform injection vulnerability exploited in the wild https://t.co/LEdumviIYz https://t.co/nxGpEYLiSq

    @SirajD_Official

    10 Nov 2025

    29 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  33. CVE-2025-24893 - XWiki Platform injection vulnerability exploited in the wild https://t.co/6lHF0hVrNp https://t.co/sMAthsorJD

    @CloudVirtues

    6 Nov 2025

    0 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  34. XWiki RCE (CVE-2025-24893) Actively Exploited to Deploy Cryptominers – Patch Immediately Read the full report on - https://t.co/9uBjZ3DD2X https://t.co/EpOSQF5m47

    @Iambivash007

    4 Nov 2025

    1 Impression

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  35. XWiki SolrSearch Exploit Attempts (CVE-2025-24893) with link to Chicago Gangs/Rappers, (Mon, Nov 3rd) #CISO https://t.co/4WKTikeFo2

    @compuchris

    3 Nov 2025

    4 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  36. 🚨 RCE in XWiki (CVE-2025-24893) lets guest users run arbitrary code via crafted SolrSearch requests. Fixed in 15.10.11 / 16.4.1 / 16.5.0RC1 (July 2024). 30+ exploits on GitHub. Now exploited in the wild to deploy cryptominers. #XWiki #VulnCheck ➡️ https://t.co/7GmzuG0aXx h

    @leonov_av

    3 Nov 2025

    19 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  37. 🚨 THREAT INTEL REPORT - Nov 3, 2025 10 CRITICAL CVEs | 11 malicious IPs (100% abuse) | 50 C2 domains | 50 malware hashes TOP THREAT: CVE-2025-24893 (XWiki) → ANY GUEST can execute remote code → Zero auth required BLOCK THESE IPs NOW: 🇺🇸 209.141.33.240 🇺🇸 45.

    @webpro255

    3 Nov 2025

    53 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  38. CVE-2025-24893 : Hackers Hijack Corporate XWiki Servers for Crypto Mining https://t.co/nGkDBcunhC

    @freedomhack101

    1 Nov 2025

    59 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  39. CVE-2025-24893: Eval Injection in XWiki Platform, 9.8 rating 🔥 In a recent post, CISA added an old RCE vulnerability to the list of actively exploited ones. Search at https://t.co/hv7QKSqxTR: 👉 Link: https://t.co/fTnrNTvs7H https://t.co/G66zvwrHiV

    @Netlas_io

    1 Nov 2025

    643 Impressions

    4 Retweets

    14 Likes

    4 Bookmarks

    0 Replies

    0 Quotes

  40. 🚨CISA KEV Catalog was updated to include: CVE-2025-41244 & CVE-2025-24893 CVE-2025-41244: Broadcom VMware Aria Operations and VMware Tools Privilege Defined with Unsafe Actions Vulnerability CVE-2025-24893: XWiki Platform Eval Injection Vulnerability https://t.co/9idGUA

    @DarkWebInformer

    30 Oct 2025

    3640 Impressions

    2 Retweets

    19 Likes

    3 Bookmarks

    1 Reply

    0 Quotes

  41. 🛡️ We added XWiki Platform CVE-2025-24893 & Broadcom VMware Aria Operations and VMware Tool CVE-2025-41244 to our Known Exploited Vulnerabilities Catalog. Visit https://t.co/myxOwap1Tf & apply mitigations to protect your org from cyberattacks. #Cybersecurity #InfoSec

    @CISACyber

    30 Oct 2025

    5740 Impressions

    11 Retweets

    42 Likes

    9 Bookmarks

    1 Reply

    1 Quote

  42. 🚨 XWiki CVE-2025-24893 is being actively exploited in the wild. VulnCheck Canaries observed a two-stage attack that installs a coinminer. This CVE is not in CISA KEV, showing real-world exploitation can precede official recognition. 🔗 Full report: https://t.co/WaEA1kYU6c

    @VulnCheckAI

    29 Oct 2025

    225 Impressions

    1 Retweet

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  43. 🚨 Active Exploitation Alert @TheHackersNews and @CISAgov report active exploitation of critical flaws in Dassault Systèmes DELMIA Apriso and XWiki. 💡 The CrowdSec Network detected and reported real-world weaponization of the XWiki flaw (CVE-2025-24893) as far back a

    @Crowd_Security

    29 Oct 2025

    303 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  44. XWiki RCE Flaw Under Active Attack for Coinmining A critical vulnerability in XWiki (CVE-2025-24893) is actively exploited by threat actors to deploy cryptocurrency mining malware. Unpatched XWiki systems are at serious risk. Researchers at VulnCheck have documented ongoing http

    @Secwiserapp

    29 Oct 2025

    38 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  45. VulnCheck canaries seeing in-the-wild exploitation of XWiki CVE-2025-24893 to deploy coin miners. Attacker behavior, IOCs, and payload analysis via VulnCheck CTO @Junior_Baines https://t.co/6toH8L7OhL

    @catc0n

    28 Oct 2025

    718 Impressions

    2 Retweets

    10 Likes

    4 Bookmarks

    0 Replies

    0 Quotes

  46. ⚠️ Weekly vuln radar. https://t.co/Cd6L8ACyLV – spot what’s trending before it’s everywhere: CVE-2025-43300 CVE-2025-48539 CVE-2025-25257 (@0x_shaq) CVE-2025-7775 CVE-2025-57833 (@EyalSec) CVE-2025-53690 CVE-2025-9074 CVE-2025-48543 CVE-2025-24893 https://t.co/KW7HdtM3

    @ptdbugs

    5 Sept 2025

    123 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  47. 💻HACKING TEAM Difusion: Exploit for CVE-2025-24893 CVE-2025-24893 is a critical unauthenticated remote code execution (RCE) vulnerability affecting the XWiki Platform. This flaw lets any guest user inject and execute arbitrary Groovy code—without authenticati

    @HackingTeam777

    5 Sept 2025

    550 Impressions

    0 Retweets

    6 Likes

    3 Bookmarks

    0 Replies

    0 Quotes

  48. GitHub - b0ySie7e/CVE-2025-24893 https://t.co/2ccdVGJVzK

    @akaclandestine

    4 Sept 2025

    844 Impressions

    1 Retweet

    3 Likes

    2 Bookmarks

    0 Replies

    0 Quotes

  49. CVE-2025-24893 is a critical unauthenticated remote code execution (RCE) vulnerability affecting the XWiki Platform. https://t.co/n2GGpZXvxH https://t.co/KjcnrjFv9x

    @cyber_advising

    4 Sept 2025

    5830 Impressions

    33 Retweets

    87 Likes

    45 Bookmarks

    0 Replies

    0 Quotes

  50. CVE-2024-24893 PoC for CVE-2025-24893 https://t.co/KJKhPWLiP6 Customizable Vulnerability Alerts: https://t.co/U7998fz7yk

    @VulmonFeeds

    4 Aug 2025

    53 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations