Critical XWiki Vulnerability Exploited to Deploy Botnets and Cryptominers
A critical remote code execution (RCE) vulnerability in XWiki, an open-source enterprise wiki platform, is being actively exploited by multiple threat actors to deploy botnets and cryptocurrency miners. The flaw, identified as CVE-2025-24893, allows unauthenticated attackers to execute arbitrary code on vulnerable servers by sending specially crafted requests to the SolrSearch endpoint.
Since its initial discovery on October 28, 2025, exploitation of this vulnerability has escalated rapidly. Within two days, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-24893 to its Known Exploited Vulnerabilities catalog on October 30, 2025. VulnCheck, a cybersecurity firm, reported a significant increase in scanning and attack attempts targeting this flaw, indicating a diverse range of attackers from automated botnets to sophisticated actors employing custom tools and specialized scanners.
Rapid Exploitation Expansion
On November 3, 2025, the RondoDox botnet incorporated this vulnerability into its attack arsenal, leading to a sharp increase in exploitation attempts. These attacks are identifiable by their distinctive HTTP User-Agent signatures and payload naming conventions. Simultaneously, multiple cryptocurrency mining operations have been detected leveraging this vulnerability to deploy mining software on compromised XWiki installations. VulnCheck researchers observed attackers downloading hidden scripts that ultimately install cryptocurrency miners on vulnerable servers.
More concerning are the reverse shell attempts, indicating potential hands-on-keyboard activity. VulnCheck identified several instances where attackers attempted to establish direct command-and-control connections, including one attack originating from an AWS-associated IP address with no prior abuse history. This suggests more targeted operations beyond automated scanning.
Technical Details
The vulnerability resides in XWiki’s SolrSearch component and requires only guest-level privileges for exploitation, making it accessible to virtually any user with basic system access. Attackers exploit the Groovy scripting functionality within the SolrSearch endpoint to download and execute malicious payloads. These payloads range from botnet recruitment scripts to cryptocurrency miners.
VulnCheck analysts have documented attacks originating from numerous IP addresses across different countries, with payload hosting servers frequently changing locations. The exploitation techniques include direct payload execution, multi-stage infection chains, and hidden shell scripts designed to evade detection.
Indicators of Compromise (IoCs)
Defenders can use the following indicators to detect potential exploitation:
– IP Addresses:
– 123.25.249.88 (Attacker, Vietnam)
– 193.32.208.24 (Command-and-Control Server)
– File Hashes (SHA-256):
– tcrond (packed): 0b907eee9a85d39f8f0d7c503cc1f84a71c4de10
– tcrond (unpacked): 90d274c7600fbdca5fe035250d0baff20889ec2b
– x521: de082aeb01d41dd81cfb79bc5bfa33453b0022ed
– x522: 2abd6f68a24b0a5df5809276016e6b85c77e5f7f
– x640: 5abc337dbc04fee7206956dad1e0b6d43921a868
Mitigation Recommendations
Organizations using XWiki should take immediate action to mitigate this vulnerability:
1. Apply Patches: Upgrade to XWiki version 15.10.11, 16.4.1, or 16.5.0RC1, which address this vulnerability.
2. Restrict Access: Limit network exposure of XWiki servers by implementing access controls and firewall rules to restrict access to trusted users and systems.
3. Monitor Logs: Regularly review server logs for unusual activity, such as unexpected requests to the SolrSearch endpoint or unauthorized execution of Groovy scripts.
4. Implement Network Segmentation: Isolate XWiki servers from critical infrastructure to prevent lateral movement in case of compromise.
5. Deploy Security Tools: Utilize intrusion detection and prevention systems (IDPS) to detect and block exploitation attempts.
The rapid adoption of this vulnerability by multiple threat actor groups underscores the importance of early detection and immediate patching. Defenders who wait for official advisories are already behind the curve of exploitation, making proactive security monitoring essential.
