The CVE-2025-24893 vulnerability in XWiki Platform’s SolrSearch component allows unauthenticated guest users to execute arbitrary remote code via eval injection (CWE-95), bypassing all security controls. Exploiting this flaw grants attackers full command execution privileges equivalent to the web server process, enabling data exfiltration, malware deployment, lateral movement, and persistent network compromise. Organizations using XWiki for collaboration or public-facing wikis are at acute risk, as the flaw weaponizes the platform’s trust model. CISA has issued an urgent directive with a November 20, 2025, remediation deadline, mandating immediate patching or complete discontinuation of XWiki if patching is infeasible. The CVSS 9.8 (Critical) severity reflects the vulnerability’s low attack complexity and network-based exploitation potential. While no active ransomware campaigns are confirmed, the flaw’s accessibility and severity make it a prime target for rapid weaponization by advanced threat actors. Failure to remediate risks system takeover, sensitive data exposure, and operational disruption, with cloud deployments subject to additional compliance mandates under BOD 22-01.

Cybersecurity researchers identified a critical Remote Code Execution (RCE) vulnerability (CVE-2025-24893) in XWiki, actively exploited by multiple threat actors, including botnets (e.g., RondoDox), cryptocurrency miners, and advanced attackers deploying reverse shells. The vulnerability, first exploited on October 28, 2025, escalated rapidly, with CISA adding it to the KEV catalog just two days later. Attackers leveraged the flaw to compromise servers globally, deploying malware, coin miners (e.g., payload hash *03a77a556f074184b254d90e13cdd3a31efaa5a77640405e5f78aa462736acf7*), reverse shells (via AWS IPs like *18.228.3.32*), and persistence mechanisms. Scanning operations (e.g., via Nuclei templates) targeted vulnerable installations, attempting to exfiltrate sensitive data (e.g., /etc/passwd). The attack chain involved compromised infrastructure (e.g., QNAP/DrayTek devices via CVE-2023-47218), indicating layered exploitation. The speed of weaponization—from isolated exploits to widespread botnet integration (RondoDox by November 3)—left defenders with minimal time to patch, risking large-scale server takeovers, data breaches, and operational disruption for organizations relying on XWiki for collaboration or documentation.