AI description
CVE-2025-24893 is a critical remote code execution (RCE) vulnerability in the XWiki Platform. It lives in the SolrSearch macro and is caused by insufficient input sanitization: unauthenticated attackers can execute arbitrary Groovy code on affected servers by sending a crafted HTTP request to a vulnerable XWiki instance. The root cause is the way the SolrSearch macro evaluates its search parameters when serving RSS feed requests: scripting-language special characters in the search text are not sanitized, so the text is interpreted as wiki syntax rather than treated as data. By injecting Groovy expressions into the search query, an attacker can make the server evaluate arbitrary code in the context of the XWiki server process. The vulnerability affects XWiki Platform from 5.3-milestone-2 up to but not including 15.10.11, and from 16.0.0-rc-1 up to but not including 16.4.1.
- Description
- XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any guest can perform arbitrary remote code execution through a request to `SolrSearch`. This impacts the confidentiality, integrity and availability of the whole XWiki installation. To reproduce on an instance, without being logged in, go to `<host>/xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28"Hello%20from"%20%2B%20"%20search%20text%3A"%20%2B%20%2823%20%2B%2019%29%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D%20`. If output is returned and the title of the RSS feed contains `Hello from search text:42`, the instance is vulnerable. This vulnerability has been patched in XWiki 15.10.11, 16.4.1 and 16.5.0RC1. Users are advised to upgrade. Users unable to upgrade may edit `Main.SolrSearchMacros` in `SolrSearchMacros.xml` on line 955 to match the `rawResponse` macro in `macros.vm#L2824` with a content type of `application/xml`, instead of simply outputting the content of the feed.
- Source
- security-advisories@github.com
- NVD status
- Analyzed
- Products
- xwiki
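As an added example (not part of the NVD record or of XWiki's own code), the following Python scanner turns the request shape quoted in the advisory into a log check: it flags `SolrSearch` requests whose decoded `text` parameter contains wiki-macro syntax (`{{ ... }}`), which is the precondition for the injection described above. The access-log lines and client addresses are constructed, and the script-macro names other than `groovy` are an assumption about XWiki's macro set.

```python
"""Flag XWiki SolrSearch requests whose `text` parameter carries wiki-macro syntax,
the request shape of the CVE-2025-24893 PoC quoted in the advisory above."""
import re
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (combined-log style), not real traffic:
# line 1 mirrors the advisory's PoC shape with a harmless println, lines 2-3 are benign.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Feb/2025:10:01:02 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%281%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D HTTP/1.1" 200 812
198.51.100.4 - - [20/Feb/2025:10:02:10 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=release%20notes HTTP/1.1" 200 2310
198.51.100.9 - - [20/Feb/2025:10:03:44 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 10234
"""

REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
MACRO_RE = re.compile(r"\{\{\s*/?\s*([A-Za-z]+)")  # macro name after "{{" or "{{/"
SCRIPT_MACROS = {"groovy", "velocity", "python"}  # assumed XWiki script macros; groovy is the advisory's


def inspect_request(target: str) -> Optional[dict]:
    """Return a finding for a SolrSearch request whose text parameter holds wiki-macro
    syntax, or None for anything else."""
    parts = urlsplit(target)
    if "/Main/SolrSearch" not in parts.path:
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)
    # parse_qs percent-decodes once; decode again so double-encoded braces are not missed.
    text = unquote(" ".join(qs.get("text", [])))
    if "{{" not in text and "}}" not in text:
        return None
    macros = sorted({m.lower() for m in MACRO_RE.findall(text)})
    return {
        "media": qs.get("media", [""])[0],
        "macros": macros,
        "script_macro": any(m in SCRIPT_MACROS for m in macros),
    }


def scan_log(log_text: str) -> list:
    """Run inspect_request over each request line, tagging findings with the client address."""
    findings = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        finding = inspect_request(match.group("target")) if match else None
        if finding:
            finding["client"] = line.split(" ", 1)[0]
            findings.append(finding)
    return findings
```

A hit with `media=rss` and a script macro in `macros` matches the advisory's PoC exactly; a hit with only braces is still worth reviewing, since legitimate search text rarely contains `{{`.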
CVSS 3.1
- Type
- Primary
- Base score
- 9.8
- Impact score
- 5.9
- Exploitability score
- 3.9
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Severity
- CRITICAL
- Hype score
- Not currently trending
VulnCheck canaries seeing in-the-wild exploitation of XWiki CVE-2025-24893 to deploy coin miners. Attacker behavior, IOCs, and payload analysis via VulnCheck CTO @Junior_Baines https://t.co/6toH8L7OhL
@catc0n
28 Oct 2025
637 Impressions
2 Retweets
7 Likes
3 Bookmarks
0 Replies
0 Quotes
⚠️ Weekly vuln radar. https://t.co/Cd6L8ACyLV – spot what’s trending before it’s everywhere: CVE-2025-43300 CVE-2025-48539 CVE-2025-25257 (@0x_shaq) CVE-2025-7775 CVE-2025-57833 (@EyalSec) CVE-2025-53690 CVE-2025-9074 CVE-2025-48543 CVE-2025-24893 https://t.co/KW7HdtM3
@ptdbugs
5 Sept 2025
123 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
💻ӉѦСҠіИԌ ҬЄѦӍ Difusion: Exploit for CVE-2025-24893 CVE-2025-24893 is a critical unauthenticated remote code execution (RCE) vulnerability affecting the XWiki Platform. This flaw lets any guest user inject and execute arbitrary Groovy code—without authenticati
@HackingTeam777
5 Sept 2025
550 Impressions
0 Retweets
6 Likes
3 Bookmarks
0 Replies
0 Quotes
GitHub - b0ySie7e/CVE-2025-24893 https://t.co/2ccdVGJVzK
@akaclandestine
4 Sept 2025
844 Impressions
1 Retweet
3 Likes
2 Bookmarks
0 Replies
0 Quotes
CVE-2025-24893 is a critical unauthenticated remote code execution (RCE) vulnerability affecting the XWiki Platform. https://t.co/n2GGpZXvxH https://t.co/KjcnrjFv9x
@cyber_advising
4 Sept 2025
5830 Impressions
33 Retweets
87 Likes
45 Bookmarks
0 Replies
0 Quotes
CVE-2024-24893 PoC for CVE-2025-24893 https://t.co/KJKhPWLiP6 Customizable Vulnerability Alerts: https://t.co/U7998fz7yk
@VulmonFeeds
4 Aug 2025
53 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Watch out for the xwiki CVE-2025-24893 RCE https://t.co/og2hQvKmSN
@infinit3i
3 Aug 2025
388 Impressions
2 Retweets
5 Likes
2 Bookmarks
0 Replies
0 Quotes
CVE-2025-24893 – #Unauthenticated #Remote_Code_Execution in #XWiki via #SolrSearch Macro https://t.co/QVgiZG0y8J https://t.co/iNWYwdSdyM
@omvapt
6 Jun 2025
25 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Deep Dive: CVE-2025-24893 (Critical RCE in XWiki) ⚠️ CVSS 9.8 | EPSS 92.01% An exposed macro + unsafe evaluate() = full remote code execution. Unauthenticated attackers can inject Groovy code via the SolrSearch macro and execute system commands on vulnerable XWiki instances
@offsectraining
5 Jun 2025
3941 Impressions
4 Retweets
32 Likes
4 Bookmarks
0 Replies
0 Quotes
#XWiki Platform #RCE (CVE-2025-24893) https://t.co/KqUvbEgNkR
@absholi7ly
5 Mar 2025
136 Impressions
0 Retweets
2 Likes
0 Bookmarks
0 Replies
0 Quotes
csirt_it: The Cyber Week of 23 February 2025 🔹updates for multiple products 🔹Xerox: vulnerabilities detected in Versalink products 🔹XWiki: PoC for CVE-2025-24893 🔹Microsoft: active in-the-wild exploitation of CVE-2025-24989 ⚠️ #E… https://t.co/flACCIWbA4
@Vulcanux_
24 Feb 2025
56 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 CVE-2025-24893 ⚠️🔴 CRITICAL (9.8) 🏢 xwiki - xwiki-platform 🏗️ >= 5.3-milestone-2, < 15.10.11 🔗 https://t.co/RehOm4y8aO 🔗 https://t.co/te3FeYPtKq 🔗 https://t.co/xusI78TZ5s 🔗 https://t.co/54P39Imaor 🔗 https://t.co/nT9bq2aQmM #CyberCron #VulnAlert https://t.co/hX7zo
@cybercronai
22 Feb 2025
17 Impressions
1 Retweet
1 Like
0 Bookmarks
0 Replies
0 Quotes
csirt_it: ‼ #XWiki: a #PoC is available for the exploitation of CVE-2025-24893 via #SolrSearch Risk: 🔴 Type: 🔸 Remote Code Execution 🔗 https://t.co/vdqUriCQoa ⚠ Important to keep systems up to date https://t.co/vAqkbUEu1W
@Vulcanux_
21 Feb 2025
28 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
New post from https://t.co/uXvPWJy6tj (CVE-2025-24893 | xwiki-platform up to 15.10.10/16.4.0 neutralization of directives (GHSA-rr6p-3pfg-562j)) has been published on https://t.co/COjeYxUMoV
@WolfgangSesin
20 Feb 2025
10 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
[CVE-2025-24893: CRITICAL] XWiki Platform vulnerability through `SolrSearch` allows remote code execution leading to data breach. Patched in versions 15.10.11, 16.4.1 and 16.5.0RC1, ensure immediate upgrade. #cybersecurity, #vulnerability https://t.co/J3bofJGM9w https://t.co/0spCC3
@CveFindCom
20 Feb 2025
11 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Affected configurations (NVD CPE match data)

```json
[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "A9F2AD2E-CF5D-46D1-AFB8-2E9529C8E8D4",
            "versionEndExcluding": "15.10.11",
            "versionStartIncluding": "5.4"
          },
          {
            "criteria": "cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "5921C493-2A56-49BC-8763-7D12518C0DC2",
            "versionEndExcluding": "16.4.1",
            "versionStartIncluding": "16.0.0"
          },
          {
            "criteria": "cpe:2.3:a:xwiki:xwiki:5.3:-:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "F5CC1FB7-2BAD-4413-9955-02E06BA27305"
          },
          {
            "criteria": "cpe:2.3:a:xwiki:xwiki:5.3:milestone2:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "067AAD11-1AB2-4688-8D81-F2464CD2FA14"
          },
          {
            "criteria": "cpe:2.3:a:xwiki:xwiki:5.3:rc1:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "F2FCE7B4-E701-4C07-B4A9-31EC6C25F882"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]
```