RondoDox Botnet Exploits Critical XWiki Vulnerability to Expand Its Reach
In recent developments, the RondoDox botnet has been actively exploiting a severe security flaw in unpatched XWiki servers, significantly expanding its network of compromised devices. This vulnerability, identified as CVE-2025-24893, carries a critical CVSS score of 9.8 and allows unauthenticated users to execute arbitrary code remotely by sending crafted requests to the /bin/get/Main/SolrSearch endpoint. The flaw was addressed by XWiki maintainers in versions 15.10.11, 16.4.1, and 16.5.0RC1, released in late February 2025.
Despite the availability of patches, evidence indicates that the vulnerability has been exploited in the wild since at least March 2025. In late October, cybersecurity firm VulnCheck observed a resurgence in exploitation attempts, noting a two-stage attack chain that deploys cryptocurrency mining malware. This prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add CVE-2025-24893 to its Known Exploited Vulnerabilities catalog, mandating federal agencies to implement necessary mitigations by November 20, 2025.
Further analysis by VulnCheck revealed a significant spike in exploitation attempts, reaching a peak on November 7, followed by another surge on November 11. This pattern suggests that multiple threat actors are actively scanning for and targeting vulnerable XWiki instances. Among these actors is the RondoDox botnet, which has been rapidly incorporating new exploitation vectors to enlist susceptible devices into its network. These compromised devices are then utilized to conduct distributed denial-of-service (DDoS) attacks using HTTP, UDP, and TCP protocols. The first observed RondoDox exploit targeting this vulnerability occurred on November 3, 2025.
In addition to RondoDox’s activities, other attacks have been documented exploiting the same flaw to deploy cryptocurrency miners, establish reverse shells, and perform general probing using a Nuclei template for CVE-2025-24893. These findings underscore the need for organizations to apply patches promptly and consistently.
Jacob Baines of VulnCheck highlighted the rapid adoption of this exploit by various malicious actors, stating: "CVE-2025-24893 is a familiar story: one attacker moves first, and many follow. Within days of the initial exploitation, we saw botnets, miners, and opportunistic scanners all adopting the same vulnerability."
The exploitation of CVE-2025-24893 by the RondoDox botnet and other threat actors serves as a stark reminder of the importance of timely software updates and vigilant cybersecurity practices. Organizations utilizing XWiki are strongly advised to upgrade to the patched versions immediately and monitor their systems for any signs of compromise.
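Two checks follow naturally from this article for a defender running XWiki: whether a deployed version is at or past the fixed releases named above (15.10.11, 16.4.1, 16.5.0RC1), and whether web server logs show requests to the /bin/get/Main/SolrSearch endpoint that the exploitation attempts use. The script below is an added example written for this page; it is not code from VulnCheck, XWiki or the article. The log lines are constructed, the branch boundaries (15.x fixed from 15.10.11, 16.x fixed from 16.4.1) are an assumption drawn from the three fixed versions listed, and the Apache-style log format is assumed.

```python
import re
from collections import Counter

# Fixed versions named in the article. Treating them as per-branch floors
# (15.x line from 15.10.11, 16.x line from 16.4.1, with 16.5.0RC1 following)
# is an assumption made for this example.
FIXED_15_BRANCH = (15, 10, 11)
FIXED_16_BRANCH = (16, 4, 1)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(version):
    """Return (major, minor, patch) from strings like '15.10.11' or '16.5.0RC1'.

    Pre-release suffixes (RC1, -rc-1, -milestone-2) are dropped, so a
    pre-release of a fixed version compares as fixed; treat that as a caveat
    when triaging release candidates.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised XWiki version string: {version!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_patched(version):
    """True if the given XWiki version is at or past the fixed release for its branch."""
    v = parse_version(version)
    if v[0] >= 16:
        return v >= FIXED_16_BRANCH
    return v >= FIXED_15_BRANCH


# Endpoint named in the article as the target of the crafted requests.
SOLR_PATH = "/bin/get/Main/SolrSearch"

# Apache/nginx combined log format (assumed); only the fields we need are captured.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def flag_solrsearch_requests(log_lines):
    """Return every parsed request whose path is the SolrSearch 'get' endpoint.

    This is a triage signal, not a verdict: the endpoint also serves normal
    search traffic, so each hit still needs review (source, user agent,
    query contents, response code).
    """
    hits = []
    for line in log_lines:
        m = _LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected log format
        path, _, query = m.group("target").partition("?")
        if path.rstrip("/") == SOLR_PATH or path.startswith(SOLR_PATH + "/"):
            hits.append({
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "method": m.group("method"),
                "query": query,
                "status": int(m.group("status")),
            })
    return hits


def sources_by_volume(hits):
    """Rank source IPs by how many flagged requests they made (repeat hitters first)."""
    return Counter(h["ip"] for h in hits).most_common()


# Constructed sample log lines (documentation IP ranges, no real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [07/Nov/2025:10:14:02 +0000] "GET /bin/get/Main/SolrSearch?media=rss&text=test HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '198.51.100.22 - - [07/Nov/2025:10:14:09 +0000] "GET /bin/view/Main/WebHome HTTP/1.1" 200 8423 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [07/Nov/2025:10:14:11 +0000] "GET /bin/get/Main/SolrSearch?media=rss&text=probe HTTP/1.1" 200 498 "-" "python-requests/2.31"',
    '192.0.2.44 - - [11/Nov/2025:03:22:51 +0000] "GET /bin/get/Main/SolrSearch HTTP/1.1" 500 231 "-" "curl/8.4.0"',
    'garbage line that does not parse',
]


if __name__ == "__main__":
    for v in ("15.10.10", "15.10.11", "16.4.0", "16.4.1", "16.5.0RC1"):
        print(f"{v:>10}: {'patched' if is_patched(v) else 'UPGRADE'}")
    hits = flag_solrsearch_requests(SAMPLE_LOG)
    print(f"{len(hits)} request(s) to {SOLR_PATH} need review")
    for ip, n in sources_by_volume(hits):
        print(f"  {ip}: {n}")
```

Run against a real access log by replacing SAMPLE_LOG with the file's lines; feed the version check the string from the XWiki administration page. Repeat hits from a single source with a scripted user agent, as in the constructed sample, are the pattern to escalate, while a single hit from an interactive browser session is more likely legitimate search use.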