
Briefing

A critical Remote Code Execution (RCE) vulnerability, tracked as CVE-2025-24893, is being actively and widely exploited in unpatched XWiki servers. The flaw allows unauthenticated threat actors to execute arbitrary code, immediately compromising the host system. The primary consequence is the weaponization of compromised infrastructure for the deployment of cryptocurrency miners and the RondoDox botnet, with a significant surge in exploitation attempts observed since early November 2025.


Context

The prevailing attack surface for open-source systems is often defined by delayed patch management and the reliance on public disclosure for vulnerability awareness. This specific RCE flaw, an eval injection bug, was patched in February 2025, but the public availability of technical proof-of-concept (PoC) code has now transitioned the risk from theoretical to actively weaponized. The lag between patch release and widespread application creates a critical window of exposure for all unmanaged deployments.


Analysis

The attack vector leverages improper input sanitization within the XWiki search function’s /bin/get/Main/SolrSearch endpoint. An unauthenticated attacker sends a crafted request containing malicious code, which the vulnerable system processes via an eval injection mechanism. This successfully bypasses security controls to achieve arbitrary remote code execution, establishing a reverse shell or directly deploying the cryptomining payload. The root cause is a fundamental logic error in handling untrusted user input, granting full system control to the threat actor.


Parameters

  • Vulnerability ID: CVE-2025-24893. The official identifier for the critical Remote Code Execution flaw.
  • CVSS Score: 9.8 (Critical). The severity rating indicating maximum risk for unauthenticated RCE.
  • Attack Vector: Eval Injection. The specific technical method used to execute arbitrary code via unsanitized input.
  • Primary Payload: Cryptomining and RondoDox Botnet. The dual-purpose malicious software deployed to steal compute resources and facilitate DDoS attacks.


Outlook

Immediate mitigation for all administrators is non-negotiable: upgrade to XWiki 15.10.11, 16.4.1, or 16.5.0RC1 to close the RCE vulnerability. The contagion risk extends to any organization relying on open-source software with delayed patch cycles, reinforcing the need for continuous vulnerability scanning and immediate remediation. This incident will likely establish a new security best practice mandating automated deployment pipelines for critical patches, reducing the window between public disclosure and system protection.
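Two defender-side checks that follow from the Analysis and Outlook sections above, written as an added example rather than code from the briefing or from the XWiki project: a branch-aware test of whether a deployed XWiki version is at or above the fixed releases named here (15.10.11, 16.4.1, 16.5.0RC1), and a scan of web-server access logs for requests to the /bin/get/Main/SolrSearch endpoint. The log check assumes injected code shows up as XWiki macro braces in the query string, which the briefing does not state, and the log lines and IP addresses are constructed.

```python
import re
from urllib.parse import unquote, urlsplit

# Fixed releases named in the briefing, keyed by branch; 16.5.0RC1 is a pre-release.
FIXED = {"15": "15.10.11", "16": "16.4.1"}
FIXED_RC = "16.5.0RC1"

def parse_version(v):
    """'16.5.0RC1' -> (16, 5, 0, 1); a final release sorts after any of its RCs."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:RC(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised XWiki version: {v!r}")
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch), int(rc) if rc else float("inf"))

def is_patched(version):
    """True if `version` is at or above a fixed release for its branch."""
    v = parse_version(version)
    if v >= parse_version(FIXED_RC):
        return True
    fixed = FIXED.get(str(v[0]))          # branches older than 15.x have no fix listed
    return fixed is not None and v >= parse_version(fixed)

SOLR_PATH = "/bin/get/Main/SolrSearch"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def suspicious_solr_requests(lines):
    """Yield (client_ip, status, decoded_query) for SolrSearch hits whose query
    contains macro braces. Assumption: injected code arrives as XWiki macro
    syntax in the query; the briefing only names the endpoint, not the payload."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, _method, target, status = m.groups()
        parts = urlsplit(target)
        if parts.path != SOLR_PATH:
            continue
        query = unquote(parts.query)      # decode %7B%7B -> {{ before matching
        if "{{" in query or "}}" in query:
            yield (ip, int(status), query)

# Constructed sample access-log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.5 - - [03/Nov/2025:10:01:02 +0000] "GET /bin/get/Main/SolrSearch?media=rss&text=%7B%7Bmacro%7D%7D HTTP/1.1" 200 512',
    '198.51.100.7 - - [03/Nov/2025:10:02:15 +0000] "GET /bin/get/Main/SolrSearch?text=release+notes HTTP/1.1" 200 4096',
    '198.51.100.7 - - [03/Nov/2025:10:02:20 +0000] "GET /bin/view/Main/ HTTP/1.1" 200 8192',
]

if __name__ == "__main__":
    print("16.3.2 patched:", is_patched("16.3.2"))
    for hit in suspicious_solr_requests(SAMPLE_LOG):
        print("suspicious SolrSearch request:", hit)
```

A single matching request is a triage lead, not proof of compromise; correlate the source IP with outbound connections and new processes on the XWiki host.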


Verdict

This widespread exploitation of a critical, previously patched RCE vulnerability confirms that operational risk in the digital asset space is increasingly migrating from smart contract logic to the underlying, unmanaged third-party infrastructure.

Tags: Remote code execution, eval injection bug, critical vulnerability, unauthenticated access, improper input sanitization, cryptocurrency mining, botnet deployment, distributed denial of service, open source software, supply chain risk, server exploitation, patch management, arbitrary code execution, known exploited vulnerability, network infrastructure

Signal Acquired from: thehackernews.com

Micro Crypto News Feeds