CVE-2025-24893
published 2025-02-20


Priority: P1; score 9.8 critical (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV, ITW, EXPLOIT, Initial access
CISA Known Exploited Vulnerability (due 2025-11-20)
Exploited in the wild
EPSS: 99.90% (100.0th percentile)
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any guest can perform arbitrary remote code execution through a request to `SolrSearch`. This impacts the confidentiality, integrity and availability of the whole XWiki installation. To reproduce on an instance, without being logged in, go to `/xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28"Hello%20from"%20%2B%20"%20search%20text%3A"%20%2B%20%2823%20%2B%2019%29%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D%20`. If there is an output, and the title of the RSS feed contains `Hello from search text:42`, then the instance is vulnerable. This vulnerability has been patched in XWiki 15.10.11, 16.4.1 and 16.5.0RC1. Users are advised to upgrade. Users unable to upgrade may edit `Main.SolrSearchMacros` in `SolrSearchMacros.xml` on line 955 to match the `rawResponse` macro in `macros.vm#L2824` with a content type of `application/xml`, instead of simply outputting the content of the feed.

Affected (5 ranges)

Vendor   Product          Version range         Fixed in
xwiki    xwiki            -                     -
xwiki    xwiki            >= 16.0.0 < 16.4.1    16.4.1
xwiki    xwiki            >= 5.4 < 15.10.11     15.10.11
xwiki    xwiki-platform   -                     -
xwiki    xwiki-platform   -                     -

Detection & IOCs (extracted from sources)

url: /xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28%22Hello%20from%22%20%2B%20%22%20search%20text%3A%22%20%2B%20%2823%20%2B%2019%29%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D%20
url: /xwiki/bin/get/Main/SolrSearch
path: /nuts/poop
filename: rondo..sh
url: /bin/get/Main/SolrSearch?media=rss&text=%7d%7d%7d%7b%7basync%20async%3dfalse%7d%7d%7b%7bgroovy%7d%7dprintln(%22cat%20/etc/passwd%22.execute().text)%7b%7b%2fgroovy%7d%7d%7b%7b%2fasync%7d%7d
  • Detect unauthenticated HTTP GET requests to /xwiki/bin/get/Main/SolrSearch containing URL-encoded Groovy template injection patterns (e.g., %7B%7Bgroovy%7D%7D or {{groovy}}) in the 'text' parameter
  • Monitor for Nuclei-based scanning payloads attempting to execute 'cat /etc/passwd' via Groovy injection in the XWiki SolrSearch endpoint
  • Hunt for the RondoDox-specific user-agent in HTTP logs alongside requests to the XWiki SolrSearch endpoint; publicly available RondoDox IoCs should block these exploitation attempts
  • Detect processes spawned by the XWiki/Java web server process executing shell commands (e.g., sh -c, cmd.exe /c) as a child process; this is indicative of successful Groovy code execution via this vulnerability
  • Check the RSS feed title in responses to SolrSearch requests; a title containing 'Hello from search text:42' confirms successful template injection and a vulnerable instance
  • The vulnerable macro is defined in Main.SolrSearchMacros (SolrSearchMacros.xml line 955); patching requires editing the 'rawResponse' macro to set the content type to application/xml instead of directly outputting feed content. This is the workaround for users who cannot upgrade
  • The vulnerability is exploitable without authentication (guest/unauthenticated access) and affects XWiki Platform versions >= 5.3-milestone-2 up to and including 15.10.10, and >= 16.0.0-rc-1 up to and including 16.4.0; patched versions are 15.10.11, 16.4.1, and 16.5.0RC1
  • The exploitation path is a single unauthenticated HTTP GET request; no prior authentication, session, or special privileges are required, making automated mass exploitation trivial
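The first two detection bullets above as runnable logic, added here as an example (not from the advisory, from XWiki, or from any named scanner): a Python scanner over constructed access-log lines that decodes the `text` parameter of SolrSearch requests and flags XWiki macro syntax. It matches on the fixed tail of the path, since the page shows the endpoint both with and without the `/xwiki` context root, and all log lines, addresses and user-agents in it are constructed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Added detection example (not part of the advisory or of XWiki): flag web-server
# access-log entries whose `text` parameter to the SolrSearch endpoint carries
# XWiki macro syntax. Log lines, addresses and user-agents below are constructed.

# The context root may differ from `/xwiki`, so match on the fixed path tail.
SOLR_SEARCH_TAIL = "/bin/get/Main/SolrSearch"
# Macros named in the advisory's proof of concept; matching runs on the decoded
# value, so mixed-case escapes such as %7b%7Bgroovy%7D%7d are covered.
MACRO_RE = re.compile(r"\{\{\s*(groovy|async)\b", re.IGNORECASE)
# Request line and status of an Apache/nginx "combined"-style log entry.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def inspect_request(target):
    """Return the decoded offending `text` value, or None when the request is benign."""
    parts = urlsplit(target)
    if not parts.path.endswith(SOLR_SEARCH_TAIL):
        return None
    # parse_qs percent-decodes once; a second unquote catches double-encoded payloads.
    for value in parse_qs(parts.query, keep_blank_values=True).get("text", []):
        decoded = unquote(value)
        if MACRO_RE.search(decoded):
            return decoded
    return None

def scan_log(lines):
    """Return (line_number, http_status, decoded_payload) for each suspicious request."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = LOG_RE.search(line)
        if match and (payload := inspect_request(match.group("target"))) is not None:
            hits.append((number, int(match.group("status")), payload))
    return hits

# Constructed sample log: an advisory-style probe, a benign search that merely
# mentions "groovy", a lower-case-encoded probe without the /xwiki root, and an
# unrelated page view.
LOG_LINES = [
    '203.0.113.5 - - [20/Feb/2025:10:00:01 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss'
    '&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28%22x%22%29'
    '%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [20/Feb/2025:10:00:02 +0000] "GET /xwiki/bin/get/Main/SolrSearch'
    '?media=rss&text=groovy+tutorial HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [20/Feb/2025:10:00:03 +0000] "GET /bin/get/Main/SolrSearch'
    '?text=%7b%7bgroovy%7d%7dprintln(1)%7b%7b%2fgroovy%7d%7d HTTP/1.1" 500 0 "-" "curl/8.0"',
    '192.0.2.9 - - [20/Feb/2025:10:00:04 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]
```

Running `scan_log(LOG_LINES)` reports lines 1 and 3 only; the benign search on line 2 and the page view on line 4 are not flagged. A 200 on a flagged request is worth correlating with the RSS-title and child-process checks listed above.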

CVSS provenance

NVD:       v3.1  9.8 CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheck:       9.8 CRITICAL
CISA:            9.8 CRITICAL