Briefing

A critical Remote Code Execution (RCE) vulnerability in XWiki, tracked as CVE-2025-24893, is being actively and widely exploited on unpatched servers. The flaw requires no authentication: a remote attacker can execute arbitrary code with a single request and take over the host. The observed objective is to turn compromised servers into cryptocurrency miners and nodes of the RondoDox botnet, with a sharp rise in exploitation attempts since early November 2025.


Context

For self-hosted open-source systems the real attack surface is often defined less by the bug itself than by delayed patch management and by reliance on public disclosure for awareness. This RCE flaw, an eval-injection bug, was patched in February 2025, but the later public release of proof-of-concept (PoC) code moved the risk from theoretical to actively weaponized. The lag between patch release and widespread application leaves every unmanaged deployment exposed during that window.


Analysis

The vulnerable code path is the XWiki search feature's /bin/get/Main/SolrSearch endpoint, which passes attacker-controlled input into a dynamic evaluation step without sanitizing it. Because the endpoint is reachable without credentials, an unauthenticated attacker sends one crafted request whose input carries code, and the server evaluates that code inside its own process; no later authorization check is reached. From there the attacker either opens a reverse shell or drops the cryptomining payload directly. The root cause is not a subtle logic slip but the evaluation of untrusted user input as code, which hands the attacker the full privileges of the XWiki service.
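As an added example that is not code from the page or from the XWiki project, the following Python script triages web-server access logs for the request shape described above: hits on the SolrSearch endpoint whose query string, once URL-decoded, carries XWiki rendering-macro syntax. The page does not name the injected parameter or the macro syntax; the assumption here, drawn from the public PoC pattern, is that the code arrives URL-encoded in the query string using `{{groovy}}` and `{{async}}` macro markup. The log lines are constructed for the example.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample lines in combined log format (not real traffic).
# Line 1 mimics the public PoC shape as assumed here: XWiki macro syntax,
# URL-encoded, inside the query string of the SolrSearch endpoint. The Groovy
# body is a harmless println so the pattern can be studied without an exec step.
SAMPLE_LOG = """\
203.0.113.10 - - [05/Nov/2025:08:12:01 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln(%22probe%22)%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D HTTP/1.1" 200 1842 "-" "curl/8.4.0"
198.51.100.7 - - [05/Nov/2025:08:12:05 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=release+notes HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [05/Nov/2025:08:13:44 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 9901 "-" "curl/8.4.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

ENDPOINT = "/bin/get/Main/SolrSearch"
# XWiki rendering-macro syntax that has no business in a search query string
# (assumed marker set; extend it if other macros show up in your traffic).
MACRO_MARKERS = ("{{groovy", "{{async", "{{velocity", "{{/", "}}}")


def decode_query(query, rounds=2):
    """URL-decode the query string repeatedly so double encoding cannot hide a marker."""
    for _ in range(rounds):
        decoded = unquote_plus(query)
        if decoded == query:
            break
        query = decoded
    return query


def flag_requests(log_text):
    """Return one record per request to the SolrSearch endpoint that carries macro syntax."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than crash on junk
        parts = urlsplit(m.group("target"))
        if ENDPOINT not in parts.path:
            continue
        decoded = decode_query(parts.query)
        markers = [mk for mk in MACRO_MARKERS if mk in decoded]
        if markers:
            hits.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "status": int(m.group("status")),
                "markers": markers,
                "query": decoded,
            })
    return hits


if __name__ == "__main__":
    for hit in flag_requests(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} status={hit['status']} markers={hit['markers']}")
```

A match is a strong signal of an exploitation attempt, but an HTTP 200 on its own does not prove the code ran; correlate flagged source addresses and timestamps with new processes, outbound connections and CPU spikes on the wiki host before treating it as confirmed.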


Parameters

  • Vulnerability ID → CVE-2025-24893 → The official identifier for the critical Remote Code Execution flaw.
  • CVSS Score → 9.8 (Critical) → The severity rating, reflecting network-reachable RCE that needs neither credentials nor user interaction.
  • Attack Vector → Eval Injection → The specific technical method used to execute arbitrary code via unsanitized input.
  • Primary Payload → Cryptomining and RondoDox Botnet → The dual-purpose malicious software deployed to steal compute resources and facilitate DDoS attacks.


Outlook

Administrators must upgrade immediately to a fixed release: XWiki 15.10.11, 16.4.1 or 16.5.0RC1, depending on the release line in use. Because the fix has been available since February 2025 and exploitation is already widespread, an upgrade alone is not a clean bill of health: any server that was exposed while unpatched should also be checked for miner processes, unexpected outbound connections and botnet persistence. The contagion risk extends to any organization running open-source software on a delayed patch cycle, reinforcing the need for continuous vulnerability scanning and prompt remediation. The incident is likely to push organizations toward automated deployment pipelines for critical patches, shrinking the window between public disclosure and protection.
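As an added example that is not the page's or the XWiki project's own code, this Python snippet encodes the fixed-version list above into a patch-status check for an inventory of XWiki hosts. It assumes XWiki's three-part version numbering with an optional RC suffix (written either as `16.5.0RC1` or `16.5.0-rc-1`). The page gives no lower bound for affected versions, so any release older than 15.10.11 is reported as needing an upgrade; that is deliberately conservative and may over-report very old installs. The host inventory is constructed for the example.

```python
import re

# major.minor[.patch][RCn] with the separators XWiki uses around "rc".
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:[-.]?rc[-.]?(\d+))?$", re.IGNORECASE)


def parse_version(text):
    """Turn '16.5.0RC1', '16.5.0-rc-1' or '15.10.11' into a comparable tuple.

    A release candidate sorts before the final build of the same number, so the
    key is (major, minor, patch, is_final, rc_number).
    """
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised XWiki version string: {text!r}")
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if rc else 1, int(rc or 0))


def fixed_for_line(v):
    """First fixed build on the same release line as parsed version v, plus its label.

    The three fixed releases are the ones named in the advisory; 16.5.0RC1 is a
    release candidate, so the key marks it as pre-release (is_final=0, rc=1).
    """
    major, minor = v[0], v[1]
    if major > 16 or (major == 16 and minor >= 5):
        return (16, 5, 0, 0, 1), "16.5.0RC1"
    if major == 16:
        return (16, 4, 1, 1, 0), "16.4.1"
    # Assumption: everything below 15.10.11 is treated as unpatched (no lower bound given).
    return (15, 10, 11, 1, 0), "15.10.11"


def is_patched(text):
    """True when the version is at or above the fix for its release line."""
    v = parse_version(text)
    return v >= fixed_for_line(v)[0]


def triage(inventory):
    """inventory: {hostname: version}. Returns {hostname: upgrade target} for unpatched hosts."""
    needs_upgrade = {}
    for host, version in inventory.items():
        v = parse_version(version)
        fixed_key, label = fixed_for_line(v)
        if v < fixed_key:
            needs_upgrade[host] = label
    return needs_upgrade


# Constructed inventory for the example; versions chosen to sit on both sides of each fix.
SAMPLE_INVENTORY = {
    "wiki-prod-01": "15.10.10",
    "wiki-prod-02": "15.10.11",
    "wiki-dev": "16.4.0",
    "wiki-staging": "16.5.0RC1",
    "wiki-legacy": "14.10.21",
}

if __name__ == "__main__":
    for host, target in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: running {SAMPLE_INVENTORY[host]}, upgrade to {target}")
```

The version string itself can be read from the wiki's own version reporting or from the deployed WAR; feed it into `triage` with the hostname so the output is a direct upgrade worklist rather than a scan report that still needs interpretation.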


Verdict

This widespread exploitation of a critical RCE that had already been patched for months confirms that operational risk in the digital asset space is increasingly migrating from smart contract logic to the underlying, unmanaged third-party infrastructure.

Remote code execution, eval injection bug, critical vulnerability, unauthenticated access, improper input sanitization, cryptocurrency mining, botnet deployment, distributed denial of service, open source software, supply chain risk, server exploitation, patch management, arbitrary code execution, known exploited vulnerability, network infrastructure

Signal Acquired from → thehackernews.com

Micro Crypto News Feeds