Cyber Web Spider Blog – News

RondoDox Exploits Unpatched XWiki Servers to Pull More Devices Into Its Botnet

Posted on November 15, 2025 By CWS

Nov 15, 2025 | Ravie Lakshmanan | Malware / Vulnerability
The botnet malware known as RondoDox has been observed targeting unpatched XWiki instances via a critical security flaw that could allow attackers to achieve arbitrary code execution.
The vulnerability in question is CVE-2025-24893 (CVSS score: 9.8), an eval injection bug that could allow any guest user to perform arbitrary remote code execution through a request to the “/bin/get/Main/SolrSearch” endpoint. It was patched by the maintainers in XWiki 15.10.11, 16.4.1, and 16.5.0RC1 in late February 2025.
While there was evidence that the shortcoming had been exploited in the wild since at least March, it wasn’t until late October that VulnCheck disclosed it had observed fresh attempts weaponizing the flaw as part of a two-stage attack chain to deploy a cryptocurrency miner.

Subsequently, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply the necessary mitigations by November 20.
In a new report published Friday, VulnCheck revealed that it has since observed a spike in exploitation attempts, hitting a new high on November 7, followed by another surge on November 11. This indicates broader scanning activity, likely driven by multiple threat actors participating in the effort.
This includes RondoDox, a botnet that is rapidly adding new exploitation vectors to rope susceptible devices into a botnet for conducting distributed denial-of-service (DDoS) attacks using HTTP, UDP, and TCP protocols. The first RondoDox exploit was observed on November 3, 2025, per the cybersecurity company.
Other attacks have been observed exploiting the flaw to deliver cryptocurrency miners, as well as attempts to establish a reverse shell and general probing activity using a Nuclei template for CVE-2025-24893.
The findings once again illustrate the need for adopting robust patch management practices to ensure optimal protection.
“CVE-2025-24893 is a well-known story: one attacker strikes first, and many follow,” VulnCheck’s Jacob Baines said. “Within days of the preliminary exploitation, we noticed botnets, miners, and opportunistic scanners all adopting the same vulnerability.”
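For defenders triaging exposure, the following added example (not from the article or VulnCheck) checks an XWiki version against the fixed releases listed above and counts requests to the SolrSearch endpoint per day and client IP. It assumes combined-format access logs, reads the version list as "15.10.11 on the 15.x line, 16.4.1 and later otherwise", and uses constructed log lines with documentation-range IPs.

```python
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

ENDPOINT = "/bin/get/main/solrsearch"  # endpoint named in the article, lowercased
# Assumed combined log format: ip - - [dd/Mon/yyyy:time zone] "METHOD target PROTO" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[(\d{2}/\w{3}/\d{4}):[^\]]*\] "\S+ (\S+)[^"]*" (\d{3})')

def is_patched(version: str) -> bool:
    """True if version is at or above a fixed release listed in the article."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    v = tuple(int(x or 0) for x in m.groups())
    # Assumption: 15.10.11 fixes the 15.x line; 16.4.1 and 16.5.0RC1 cover 16.x onward.
    return (15, 10, 11) <= v < (16, 0, 0) or v >= (16, 4, 1)

def solrsearch_hits(lines):
    """Count requests to the SolrSearch endpoint per (day, client IP)."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        ip, day, target, _status = m.groups()
        # Decode percent-escapes and ignore case so trivially obfuscated paths still match.
        path = unquote(urlsplit(target).path).lower()
        if ENDPOINT in path:
            hits[(day, ip)] += 1
    return hits

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [07/Nov/2025:10:01:02 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=x HTTP/1.1" 200 512',
    '203.0.113.7 - - [07/Nov/2025:10:01:05 +0000] "GET /xwiki/bin/get/Main/Solr%53earch?media=rss&text=y HTTP/1.1" 200 498',
    '198.51.100.9 - - [11/Nov/2025:03:14:15 +0000] "GET /bin/get/Main/SolrSearch?text=z HTTP/1.1" 404 0',
    '192.0.2.44 - - [11/Nov/2025:03:15:00 +0000] "GET /xwiki/bin/view/Main/ HTTP/1.1" 200 9000',
]

if __name__ == "__main__":
    for ver in ("15.10.10", "15.10.11", "16.4.0", "16.5.0RC1"):
        print(ver, "patched" if is_patched(ver) else "NOT patched")
    for (day, ip), n in sorted(solrsearch_hits(SAMPLE_LOG).items()):
        print(day, ip, n)
```

A hit on the endpoint is only a lead: legitimate searches use the same URL, so review the request parameters and source of each hit before treating it as an exploitation attempt.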
