A critical-severity vulnerability in the popular open source enterprise wiki platform XWiki has been exploited in the wild as part of a low-end cryptocurrency mining operation, VulnCheck reports.
The issue, tracked as CVE-2025-24893 (CVSS score of 9.8), allows attackers to execute arbitrary code remotely by sending a request to the SolrSearch macro, which uses the embedded Solr engine for full-text search.
Because the macro improperly sanitizes search parameters in Groovy, a remote, unauthenticated attacker can craft search requests and inject malicious code that is executed with the privileges of the web server.
“The specific flaw exists within the handling of the text parameter provided to the SolrSearchMacros endpoint. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the service account,” a ZDI advisory reads.
Successful exploitation of the flaw allows attackers to expose sensitive information, disrupt operations, or execute arbitrary system commands with the privileges of the user running the web server.
The security defect was reported by Trend Micro’s John Kwak in May 2024, and was addressed in XWiki versions 15.10.11, 16.4.1 and 16.5.0RC1, in June 2024.
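Added example, not from the article or from XWiki's own tooling: a small inventory check that flags XWiki versions older than the fix releases named above. It assumes that the three fix releases cover the 15.10.x, 16.4.x and 16.5 lines, that 16.0 to 16.3 releases never received a fix, and that lines newer than 16.5 shipped with it; the host/version pairs are constructed samples.

```python
import re

# Fix releases named in the article, keyed by the (major, minor) line they patch.
# Assumption: anything older on the same line, plus the 16.0-16.3 lines, is unpatched.
_FIX_RELEASES = {"15.10.11", "16.4.1", "16.5.0RC1"}
_NEWEST_PATCHED_LINE = (16, 5)

# Accepts "16.4.1", "16.5.0RC1" and Maven-style "16.5.0-rc-1".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:[-.]?(?:rc|RC)[-.]?(\d+))?$")


def parse_version(text):
    """Turn an XWiki version string into a comparable tuple.

    A release candidate sorts before the final release with the same number,
    so the final release gets an 'infinite' RC component."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised XWiki version: {text!r}")
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch or 0), int(rc) if rc else float("inf"))


FIXED = {v[:2]: v for v in map(parse_version, _FIX_RELEASES)}


def is_vulnerable(version):
    """True if the version predates the fix release for its line."""
    v = parse_version(version)
    line = v[:2]
    if line in FIXED:
        return v < FIXED[line]
    if line > _NEWEST_PATCHED_LINE:
        return False  # lines after 16.5 were cut with the fix already in
    return True  # everything before 15.10, and 16.0-16.3, has no fix release


def scan_inventory(rows):
    """Return the hostnames whose XWiki version still needs patching."""
    return [host for host, version in rows if is_vulnerable(version)]


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("wiki-prod-01", "15.10.10"),
    ("wiki-prod-02", "15.10.11"),
    ("wiki-dev", "16.4.0"),
    ("wiki-staging", "16.5.0-rc-1"),
    ("wiki-legacy", "14.10.3"),
]

if __name__ == "__main__":
    print("needs patching:", scan_inventory(SAMPLE_INVENTORY))
```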
Technical details on the bug emerged roughly half a year later and an NVD advisory was published in February. Numerous proof-of-concept (PoC) exploits targeting it have been available since early 2025.
CrowdSec earlier this year observed the vulnerability being abused for reconnaissance, but noted a decline in activity surrounding it. Now, VulnCheck says it has identified in-the-wild attacks exploiting CVE-2025-24893 to deploy a cryptocurrency miner.
“We observed multiple exploit attempts against our XWiki canaries coming from an attacker geolocated in Vietnam. The exploitation proceeds in a two-pass workflow separated by at least 20 minutes: the first pass stages a downloader (writes a file to disk), and the second pass later executes it,” VulnCheck notes.
The attacks, VulnCheck says, appear to be part of a low-end crypto mining operation, and the observed traffic originates from an IP address that has been associated with other malicious activity as well.