CVE-2025-24893
Published: 2025-02-20
Priority: P1 (98) · Severity: critical · CVSS 3.1 base score: 9.8
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · Exploit · Initial access
CISA Known Exploited Vulnerability (remediation due 2025-11-20)
Exploited in the wild
EPSS: 99.90% (100.0th percentile)
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any guest can perform arbitrary remote code execution through a request to `SolrSearch`. This impacts the confidentiality, integrity and availability of the whole XWiki installation. To reproduce on an instance, without being logged in, go to `/xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28"Hello%20from"%20%2B%20"%20search%20text%3A"%20%2B%20%2823%20%2B%2019%29%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D%20`. If there is an output, and the title of the RSS feed contains `Hello from search text:42`, then the instance is vulnerable. This vulnerability has been patched in XWiki 15.10.11, 16.4.1 and 16.5.0RC1. Users are advised to upgrade. Users unable to upgrade may edit `Main.SolrSearchMacros` in `SolrSearchMacros.xml` on line 955 to match the `rawResponse` macro in `macros.vm#L2824` with a content type of `application/xml`, instead of simply outputting the content of the feed.
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| xwiki | xwiki | — | — |
| xwiki | xwiki | >= 16.0.0 < 16.4.1 | 16.4.1 |
| xwiki | xwiki | >= 5.4 < 15.10.11 | 15.10.11 |
| xwiki | xwiki-platform | — | — |
| xwiki | xwiki-platform | — | — |
Detection & IOCs (extracted from sources)
- URL: `/xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28%22Hello%20from%22%20%2B%20%22%20search%20text%3A%22%20%2B%20%2823%20%2B%2019%29%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D%20`
- URL: `/bin/get/Main/SolrSearch?media=rss&text=%7d%7d%7d%7b%7basync%20async%3dfalse%7d%7d%7b%7bgroovy%7d%7dprintln(%22cat%20/etc/passwd%22.execute().text)%7b%7b%2fgroovy%7d%7d%7b%7b%2fasync%7d%7d`
- Detect unauthenticated HTTP GET requests to /xwiki/bin/get/Main/SolrSearch containing URL-encoded Groovy template injection patterns (e.g., %7B%7Bgroovy%7D%7D or {{groovy}}) in the 'text' parameter
- Monitor for Nuclei-based scanning payloads attempting to execute 'cat /etc/passwd' via Groovy injection in the XWiki SolrSearch endpoint
- Hunt for the RondoDox-specific user-agent in HTTP logs alongside requests to the XWiki SolrSearch endpoint; publicly available RondoDox IoCs should block these exploitation attempts
- Detect processes spawned by the XWiki/Java web server process executing shell commands (e.g., sh -c, cmd.exe /c) as a child process; this is indicative of successful Groovy code execution via this vulnerability
- Check the RSS feed title in responses to SolrSearch requests; a title containing 'Hello from search text:42' confirms successful template injection and a vulnerable instance
- The vulnerable macro is defined in Main.SolrSearchMacros (SolrSearchMacros.xml line 955); patching requires editing the 'rawResponse' macro to set the content type to application/xml instead of directly outputting feed content; this is the workaround for users who cannot upgrade
- The vulnerability is exploitable without authentication (guest/unauthenticated access) and affects XWiki Platform versions >= 5.3-milestone-2 up to and including 15.10.10, and >= 16.0.0-rc-1 up to and including 16.4.0; patched versions are 15.10.11, 16.4.1, and 16.5.0RC1
- The exploitation path is a single unauthenticated HTTP GET request; no prior authentication, session, or special privileges are required, making automated mass exploitation trivial
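The request-side and response-side checks listed above (a GET to the SolrSearch endpoint whose `text` parameter carries `{{groovy}}`/`{{async}}` macro syntax, and an RSS title containing `Hello from search text:42`) as a small log-scanning script. This is an added example written for this page, not code from XWiki or from any of the sources listed; it assumes combined-format access logs, a two-marker list taken from the published PoC (extend it for other script macros), and constructed sample log lines and RSS body.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit

# Apache/Nginx combined log format (assumed; adjust LOG_RE for other formats).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

# The vulnerable endpoint named in the advisory; the leading context path
# (e.g. /xwiki) varies per deployment, so only the tail of the path is matched.
SOLRSEARCH_PATH = re.compile(r"/bin/get/Main/SolrSearch$", re.IGNORECASE)

# Macro markers seen in the published PoC ({{async ...}} wrapping {{groovy}}).
# Assumption: extend this tuple for any other XWiki script macros you want to flag.
INJECTION_MARKERS = ("{{groovy", "{{async")


def inspect_request(target):
    """Return a finding dict for a SolrSearch request whose 'text' parameter
    carries macro syntax, or None for benign or unrelated requests."""
    parts = urlsplit(target)
    if not SOLRSEARCH_PATH.search(parts.path):
        return None
    # parse_qs percent-decodes once (%7B and %7b alike) and turns '+' into a space
    query = parse_qs(parts.query, keep_blank_values=True)
    for text in query.get("text", []):
        decoded = text.lower()
        hits = [m for m in INJECTION_MARKERS if m in decoded]
        if hits:
            return {
                "markers": hits,
                # The PoC opens with '}}}' to close the macro the page wraps the
                # search text in; its presence strengthens the signal.
                "closes_macro": decoded.lstrip().startswith("}}}"),
                "decoded_text": decoded,
            }
    return None


def scan_log(lines):
    """Run inspect_request over raw access-log lines; return one alert per hit."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        finding = inspect_request(m["target"])
        if finding:
            alerts.append({
                "ip": m["ip"], "ts": m["ts"], "status": int(m["status"]),
                "ua": m["ua"], **finding,
            })
    return alerts


def rss_title_shows_execution(body):
    """Response-side confirmation from the advisory: on a vulnerable instance the
    injected Groovy is evaluated and 'Hello from search text:42' lands in the
    RSS channel title. Returns False for non-XML or unaffected responses."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return False
    title = root.findtext("./channel/title") or ""
    return "Hello from search text:42" in title


# Constructed sample log lines (not real traffic): a benign search, an unrelated
# page view, the advisory's PoC request, and a lower-case-encoded variant.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Nov/2025:08:12:01 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=deployment+guide HTTP/1.1" 200 4821 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Nov/2025:08:12:05 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 15302 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [10/Nov/2025:08:13:44 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28%22Hello%20from%22%20%2B%20%22%20search%20text%3A%22%20%2B%20%2823%20%2B%2019%29%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D%20 HTTP/1.1" 200 912 "-" "python-requests/2.31"',
    '198.51.100.23 - - [10/Nov/2025:08:13:46 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=%7d%7d%7d%7b%7bgroovy%7d%7dprintln(1)%7b%7b%2fgroovy%7d%7d HTTP/1.1" 200 640 "-" "Mozilla/5.0 (compatible; Nuclei)"',
]

# Constructed RSS body shaped like what the advisory's check looks for.
SAMPLE_RSS = (
    '<?xml version="1.0"?><rss version="2.0"><channel>'
    '<title>Hello from search text:42</title><link>https://wiki.example/</link>'
    '<description>constructed sample</description></channel></rss>'
)

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f'{alert["ts"]} {alert["ip"]} status={alert["status"]} markers={alert["markers"]} ua={alert["ua"]!r}')
    print("RSS title indicates code execution:", rss_title_shows_execution(SAMPLE_RSS))
```

Matching on the decoded parameter rather than on raw percent-encoded bytes is what makes the upper- and lower-case encodings in the two IoC URLs above hit the same rule; pair the alert with the process-spawn detection listed above to separate scanning noise from successful execution.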
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| vulncheck | — | 9.8 | CRITICAL | — |
| cisa | — | 9.8 | CRITICAL | — |
OSV
XWiki Platform allows remote code execution as guest via SolrSearchMacros request
osv · 2025-02-20 · CVE-2025-24893 [CRITICAL]
### Impact
Any guest can perform arbitrary remote code execution through a request to `SolrSearch`. This impacts the confidentiality, integrity and availability of the whole XWiki installation.
To reproduce on an instance, without being logged in, go to `/xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28"Hello%20from"%20%2B%20"%20search%20text%3A"%20%2B%20%2823%20%2B%2019%29%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D%20`. If there is an output, and the title of the RSS feed contains `Hello from search text:42`, then the instance is vulnerable.
### Patches
This vulnerability has been patched in XWiki 15.10.11, 16.4.1 and 16.5.0RC1.
### Work
GHSA
XWiki Platform allows remote code execution as guest via SolrSearchMacros request
ghsa · 2025-02-20 · CVE-2025-24893 [CRITICAL] · CWE-94
(Advisory text identical to the OSV entry above.)
VulnCheck
XWiki Platform Eval Injection Vulnerability
vulncheck · 2025 · CVSS 9.8 · CVE-2025-24893 [CRITICAL] · CWE-95
XWiki Platform contains an eval injection vulnerability that could allow any guest to perform arbitrary remote code execution through a request to SolrSearch.
Affected: XWiki Platform
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://cyble.com/blog/cyble-sensors-detect-exploit-attempts-on-ivanti-avtech-ip-cameras/; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2025-04-20&host_type=src&vulnerability=cve-2025-24893; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2025-04-21&host_type=src&vulnerability=cve-2025-24893; htt
CISA
XWiki Platform Eval Injection Vulnerability
cisa · 2025-10-30 · CVSS 9.8 · CVE-2025-24893 [CRITICAL] · CWE-95
Affected: XWiki Platform
XWiki Platform contains an eval injection vulnerability that could allow any guest to perform arbitrary remote code execution through a request to SolrSearch.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rr6p-3pfg-562j ; https://nvd.nist.gov/vuln/detail/CVE-2025-24893
Remediation Due Date: 2025-11-20
No detection rules found.
Exploit-DB
XWiki Platform 15.10.10 - Metasploit Module for Remote Code Execution (RCE)
exploitdb · 2025-09-16 · CVSS 9.8 · CVE-2025-24893 [CRITICAL]
---
##
# Exploit Title: XWiki Platform 15.10.10 - Metasploit Module for Remote Code Execution (RCE)
# Date: 09/01/2025
# Exploit Author: Maksim Rogov
# Vendor Homepage: https://www.xwiki.org/
# Software Link: https://www.xwiki.org/xwiki/bin/view/Download/
# Version: (5.3‑milestone‑2 ≤ v 'Remote Code Execution Vulnerability in XWiki Platform (CVE-2025-24893)',
'Description' => %q{
This module exploits a template injection vulnerability in the XWiki Platform.
XWiki includes a macro called SolrSearch (defined in Main.SolrSearchMacros) that enables full-text search through the embedded Solr engine.
The vulnerability stems from the way this macro evaluates search parameters in Groovy, failing to sanitize
Exploit-DB
XWiki Platform 15.10.10 - Remote Code Execution
exploitdb · 2025-04-07 · CVSS 9.8 · CVE-2025-24893 [CRITICAL]
---
# Exploit Title: XWiki Platform - Remote Code Execution
# Exploit Author: Al Baradi Joy
# Exploit Date: April 6, 2025
# CVE ID: CVE-2025-24893
# Vendor Homepage: https://www.xwiki.org/
# Software Link: https://github.com/xwiki/xwiki-platform
# Version: Affected versions up to and including XWiki 15.10.10
# Tested Versions: XWiki 15.10.10
# Vulnerability Type: Remote Code Execution (RCE)
# CVSS Score: 9.8 (Critical)
# CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
# Description:
# XWiki Platform suffers from a critical vulnerability where any guest user can
# execute arbitrary code remotely through the SolrSearch endpoint. This can lead
# to a full server compromise, including the ability to execute commands on the
# underlyin
Metasploit
Remote Code Execution Vulnerability in XWiki Platform (CVE-2025-24893)
metasploit · CVSS 9.8 · CVE-2025-24893 [CRITICAL]
This module exploits a template injection vulnerability in the XWiki Platform. XWiki includes a macro called SolrSearch (defined in Main.SolrSearchMacros) that enables full-text search through the embedded Solr engine. The vulnerability stems from the way this macro evaluates search parameters in Groovy, failing to sanitize or restrict malicious input. This vulnerability affects XWiki Platform versions >= 5.3-milestone-2 and < 15.10.11, and >= 16.0.0-rc-1 and < 16.4.1. Successful exploitation may result in the remote code execution under the privileges of the web server, potentially exposing sensitive data or disrupting survey operations. An attacker can execute arbitrary system commands in the context of the user running the web s
Nuclei
XWiki Platform - Remote Code Execution
nuclei · CVSS 9.8 · CVE-2025-24893 [CRITICAL]
Any guest can perform arbitrary remote code execution through a request to SolrSearch. This impacts the confidentiality, integrity, and availability of the whole XWiki installation. This vulnerability has been patched in XWiki 15.10.11, 16.4.1, and 16.5.0RC1.
Template:
id: CVE-2025-24893
info:
  name: XWiki Platform - Remote Code Execution
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    Any guest can perform arbitrary remote code execution through a request to SolrSearch. This impacts the confidentiality, integrity, and availability of the whole XWiki installation. This vulnerability has been patched in XWiki 15.10.11, 16.4.1, and 16.5.0RC1.
  impact: |
    An attacker can execute arbitrary code on the server, leading to a comple
Bleepingcomputer
Google: Cloud attacks exploit flaws more than weak credentials
blogs_bleepingcomputer · 2026-03-09 · CVSS 9.8 · CVE-2025-55182 [CRITICAL]
By Bill Toulas
The most frequent vulnerability type exploited in attacks is remote code execution (RCE), the highlights being React2Shell (CVE-2025-55182) and the XWiki flaw tracked as CVE-2025-24893, leveraged in RondoDox botnet attacks.
Google believes this shift in focus was likely due to increased security measures for accounts and credentials.
“We assess that this change in behavior from threat actors is potentially due to Google's secure-by-default strategy and enhanced credential protections successfully closing traditional, more easily exploitable paths, raising the barrier to entry for threat actors,” Google says.
The exploitation window has collapsed from weeks to a few days, as Google observed cryptominers
Bleepingcomputer
RondoDox botnet exploits React2Shell flaw to breach Next.js servers
blogs_bleepingcomputer · 2025-12-31 · CVSS 9.8 · CVE-2025-55182 [CRITICAL]
By Bill Toulas
The RondoDox botnet has been observed exploiting the critical React2Shell flaw (CVE-2025-55182) to infect vulnerable Next.js servers with malware and cryptominers.
First documented by Fortinet in July 2025, RondoDox is a large-scale botnet that targets multiple n-day flaws in global attacks. In November, VulnCheck spotted new RondoDox variants that featured exploits for CVE-2025-24893, a critical remote code execution (RCE) vulnerability in the XWiki Platform.
A new report from cybersecurity company CloudSEK notes that RondoDox started scanning for vulnerable Next.js servers on December 8 and began deploying botnet clients three days later.
React2Shell is an unauthenticated remote code execution vuln
Bleepingcomputer
RondoDox botnet malware now hacks servers using XWiki flaw
blogs_bleepingcomputer · 2025-11-17 · CVSS 9.8 · CVE-2025-24893 [CRITICAL]
By Bill Toulas
The RondoDox botnet malware is now exploiting a critical remote code execution (RCE) flaw in XWiki Platform tracked as CVE-2025-24893.
On October 30, the U.S. Cybersecurity and Information Security Agency (CISA) marked the flaw as actively exploited.
Now, a report from vulnerability intelligence company VulnCheck notes that CVE-2025-24893 is being leveraged in attacks by multiple threat actors, including botnet operators like RondoDox and cryptocurrency miners.
RondoDox is a large-scale botnet malware first documented by Fortinet in July 2025 as an emerging threat. In early October, Trend Micro warned about RondoDox’s exponential growth, with recent variants targeting at least 30 devices via 56 known vulnera
Recorded Future
October 2025 CVE Landscape: 32 High-Impact Vulnerabilities Demand Immediate Attention
blogs_recorded_future · CVSS 9.8 · [CRITICAL]
October 2025 saw a significant escalation in vulnerability activity, with Recorded Future's Insikt Group® identifying 32 high-impact vulnerabilities, double the 16 identified in September's CVE report. Twenty-six of these vulnerabilities scored as Very Critical.
What security teams need to know:
- Microsoft dominates: Eight of 32 vulnerabilities affect Microsoft products, including a critical WSUS deserialization flaw (CVE-2025-59287) now being actively exploited
- CL0P ransomware group exploited an Oracle E-Business Suite zero-day (CVE-2025-61882) for data theft and extortion campaigns
- Legacy vulnerabilities persist: Five of the 14 RCE-enabling vulnerabilities are over a decade old, highlighting c
CTF
ippsec-video-index
ctf_writeups · CVSS 8.6 · [HIGH]
IppSec HTB Video Index - Complete Reference
> The most comprehensive index of IppSec's HackTheBox video walkthroughs.
> Data sourced from [ippsec.rocks](https://ippsec.rocks) dataset, GitHub, and community resources.
> Last updated: 2026-04-10
## Stats
| Category | Count |
|----------|-------|
| HTB Machine Walkthroughs | 432 |
| UHC (Ultimate Hacking Championship) | 12 |
| HTB Sherlocks (DFIR) | 7 |
| VulnHub Machines | 4 |
| Tutorials / Methodology / Special | 61 |
| HTB Academy Modules | 17 |
| **Total Unique Content** | **533** |
| Total Searchable Entries (timestamps) | 9,245 |
## Key Resources
| Resource | URL |
|----------|-----|
| YouTube Channel | [youtube.com/ippsec](https://youtube.com/ippsec) |
| Searchable Video Index | [ippsec.rocks](https://ippsec.rocks) |
| GitHub |
References:
- https://github.com/xwiki/xwiki-platform/blob/568447cad5172d97d6bbcfda9f6183689c2cf086/xwiki-platform-core/xwiki-platform-search/xwiki-platform-search-solr/xwiki-platform-search-solr-ui/src/main/resources/Main/SolrSearchMacros.xml#L955
- https://github.com/xwiki/xwiki-platform/blob/67021db9b8ed26c2236a653269302a86bf01ef40/xwiki-platform-core/xwiki-platform-web/xwiki-platform-web-templates/src/main/resources/templates/macros.vm#L2824
- https://github.com/xwiki/xwiki-platform/commit/67021db9b8ed26c2236a653269302a86bf01ef40
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rr6p-3pfg-562j
- https://jira.xwiki.org/browse/XWIKI-22149
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-24893
Timeline:
- 2025-02-20: Published
- 2025-10-30: Added to CISA KEV
- Exploited in the wild