Threat actors began exploiting a critical XWiki vulnerability en masse within two weeks of the bug being reported as exploited in the wild, VulnCheck warns.
Tracked as CVE-2025-24893 (CVSS score of 9.8), the flaw was discovered in May 2024 and patched in June 2024, but a CVE identifier was assigned to it only in early 2025, after technical details became public.
The bug exists because, in XWiki versions before 15.10.11, 16.4.1 and 16.5.0RC1, user-supplied input to a search function is improperly sanitized, allowing remote, unauthenticated attackers to execute arbitrary code via crafted requests to the search endpoint. Administrators should treat any deployment below those three releases as exposed.
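The three fixed releases above are the only fact a defender needs to triage an XWiki fleet, but comparing them correctly is not a plain string comparison: 15.10.11 and 16.4.1 are backports to maintenance branches, 16.5.0RC1 is a release candidate that sorts below 16.5.0, and a 16.2.x or 15.9.x install has no backport at all and must move to 16.5.0RC1 or later. The following Python is an added example, not code from VulnCheck, XWiki or the article; it assumes that no fixed releases exist beyond the three named here, and the inventory it audits is constructed for illustration.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Fixed releases named for CVE-2025-24893: 15.10.11, 16.4.1 and 16.5.0RC1.
# Assumption (not stated in the article): these are the only fixed releases,
# so a branch without its own backport must reach 16.5.0RC1 or later.
FIXED_VERSIONS = ("15.10.11", "16.4.1", "16.5.0RC1")

# Pre-release stages rank below the final release carrying the same number.
_STAGE_RANK = {"milestone": 0, "m": 0, "rc": 1, None: 2}

# Accepts '16.4.1', '16.4', '16.5.0RC1', '16.5.0-rc-1', '16.5.0-milestone-2'.
_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-?(milestone|rc|m)-?(\d+))?$",
    re.IGNORECASE,
)


class Version(NamedTuple):
    major: int
    minor: int
    patch: int
    stage: int  # 0 = milestone, 1 = release candidate, 2 = final release
    pre: int    # pre-release number, 0 for final releases


def parse_version(text: str) -> Version:
    """Parse an XWiki version string into a tuple that orders correctly."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised XWiki version string: {text!r}")
    major, minor, patch, stage, pre = m.groups()
    stage_key: Optional[str] = stage.lower() if stage else None
    return Version(int(major), int(minor), int(patch or 0),
                   _STAGE_RANK[stage_key], int(pre or 0))


_FIXES = [parse_version(v) for v in FIXED_VERSIONS]


def applicable_fix(v: Version) -> Version:
    """Return the fixed release an installation on this branch must reach."""
    for fix in _FIXES:
        if (fix.major, fix.minor) == (v.major, v.minor):
            return fix           # a backport exists for this maintenance branch
    return max(_FIXES)           # otherwise the first fixed mainline release


def is_vulnerable(version_text: str) -> bool:
    """True if the given XWiki version predates its applicable fix."""
    v = parse_version(version_text)
    return v < applicable_fix(v)


def audit(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return the (host, version) pairs still below a fixed release."""
    return [(host, ver) for host, ver in inventory if is_vulnerable(ver)]


# Constructed sample inventory for illustration; these are not real hosts.
SAMPLE_INVENTORY = [
    ("wiki-a.example", "15.10.10"),   # 15.10 branch, below the 15.10.11 backport
    ("wiki-b.example", "16.4.1"),     # exactly the 16.4 backport
    ("wiki-c.example", "16.2.0"),     # no backport for 16.2; needs 16.5.0RC1+
    ("wiki-d.example", "16.5.0-rc-1"),
]

if __name__ == "__main__":
    for host, ver in audit(SAMPLE_INVENTORY):
        print(f"{host}: {ver} is below {applicable_fix(parse_version(ver))}")
```

The branch lookup in `applicable_fix` is the part worth keeping: a naive "is it at least 15.10.11" test would clear a 16.2.0 server that is still exploitable. A version check only says whether the code is patchable, not whether the host has already been used for mining or given a reverse shell, so a positive result should trigger the host-level checks the rest of the article implies, not just an upgrade ticket.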
Proof-of-concept (PoC) code targeting the issue has been publicly available since early 2025, and security researchers observed the defect being targeted in reconnaissance attempts, but in-the-wild exploitation started only last month.
In late October, VulnCheck warned that a threat actor was exploiting CVE-2025-24893 as part of a cryptocurrency mining operation, and the US cybersecurity agency CISA added the bug to its Known Exploited Vulnerabilities (KEV) catalog two days later.
Now, VulnCheck says the activity targeting vulnerable XWiki servers has expanded significantly, with multiple threat actors exploiting the bug in their attacks.
The RondoDox botnet has added an exploit for the CVE to its toolset and, starting November 3, it has increasingly targeted the flaw in attacks.
Since November 7, the flaw has been exploited in a second crypto-mining operation, while the threat actor behind the first mining operation expanded its activity with two new payload hosting servers and a new server hosting the exploit.
VulnCheck also observed attacks in which an IP address associated with AWS, with no history of abuse, was used “to establish a reverse shell back to itself using the BusyBox nc binary”, likely as part of a targeted attack.
Other threat actors also attempted to establish web shells on vulnerable XWiki servers. One of the attacks originated from an IP that “exposes both QNAP and DrayTek interfaces to the internet”, likely because it is a compromised host, and attempted to deploy a bash reverse shell.
Additionally, VulnCheck has observed numerous threat actors simply performing scans and probes of vulnerable servers, including some using Nuclei templates.
“Within days of the initial exploitation, we observed botnets, miners, and opportunistic scanners all adopting the same vulnerability. Once again, this highlights the gap between exploitation in the wild and visibility at scale,” VulnCheck notes.
Related: Fortinet Confirms Active Exploitation of Critical FortiWeb Vulnerability
Related: Chrome Zero-Day Exploitation Linked to Hacking Team Spyware
Related: Exploitation of Critical Adobe Commerce Flaw Puts Many eCommerce Sites at Risk
Related: CISA Confirms Exploitation of Latest Oracle EBS Vulnerability
