Briefing

A critical Remote Code Execution (RCE) vulnerability, tracked as CVE-2025-24893, is being actively and widely exploited in unpatched XWiki servers. This zero-trust flaw allows unauthenticated threat actors to execute arbitrary code, immediately compromising the host system. The primary consequence is the weaponization of compromised infrastructure for the deployment of cryptocurrency miners and the RondoDox botnet, with a significant surge in exploitation attempts observed since early November 2025.

The image displays a close-up, high-fidelity rendering of an intricate mechanical or digital component. It features concentric layers of white and blue textured materials surrounding a central array of radiating white bristles, all encased within metallic and white structural elements

Context

The prevailing attack surface for open-source systems is often defined by delayed patch management and the reliance on public disclosure for vulnerability awareness. This specific RCE flaw, an eval injection bug, was patched in February 2025, but the public availability of technical proof-of-concept (PoC) code has now transitioned the risk from theoretical to actively weaponized. The lag between patch release and widespread application creates a critical window of exposure for all unmanaged deployments.

Two luminous white spheres are centrally positioned, interconnected by a delicate white framework and embraced by vibrant blue, segmented rings. These rings exhibit intricate digital patterns and streams of binary code, symbolizing the underlying technology of blockchain and cryptocurrency

Analysis

The attack vector leverages improper input sanitization within the XWiki search function’s /bin/get/Main/SolrSearch endpoint. An unauthenticated attacker sends a crafted request containing malicious code, which the vulnerable system processes via an eval injection mechanism. This successfully bypasses security controls to achieve arbitrary remote code execution, establishing a reverse shell or directly deploying the cryptomining payload. The root cause is a fundamental logic error in handling untrusted user input, granting full system control to the threat actor.

An intricate digital render showcases white, block-like modules connected by luminous blue data pathways, set against a backdrop of dark, textured circuit-like structures. The bright blue conduits visually represent high-bandwidth information flow across a complex, multi-layered system

Parameters

  • Vulnerability ID → CVE-2025-24893 → The official identifier for the critical Remote Code Execution flaw.
  • CVSS Score → 9.8 (Critical) → The severity rating indicating maximum risk for unauthenticated RCE.
  • Attack Vector → Eval Injection → The specific technical method used to execute arbitrary code via unsanitized input.
  • Primary Payload → Cryptomining and RondoDox Botnet → The dual-purpose malicious software deployed to steal compute resources and facilitate DDoS attacks.

The image showcases a sophisticated, abstract mechanical assembly featuring segmented white external components and transparent blue internal structures. These intricate blue elements are adorned with glowing digital patterns, surrounded by swirling white vapor

Outlook

Immediate mitigation for all administrators is the non-negotiable application of patches to XWiki versions 15.10.11, 16.4.1, or 16.5.0RC1 to close the RCE vulnerability. The contagion risk extends to any organization relying on open-source software with delayed patch cycles, reinforcing the need for continuous vulnerability scanning and immediate remediation. This incident will likely establish a new security best practice mandating automated deployment pipelines for critical patches, reducing the window between public disclosure and system protection.

A complex abstract structure displays dark blue segments illuminated by vibrant blue digital patterns and embedded alphanumeric sequences. These segments are intricately wrapped by smooth silver metallic bands, forming a sophisticated, intertwined system

Verdict

This widespread exploitation of a critical, previously patched RCE vulnerability confirms that operational risk in the digital asset space is increasingly migrating from smart contract logic to the underlying, unmanaged third-party infrastructure.

Remote code execution, eval injection bug, critical vulnerability, unauthenticated access, improper input sanitization, cryptocurrency mining, botnet deployment, distributed denial of service, open source software, supply chain risk, server exploitation, patch management, arbitrary code execution, known exploited vulnerability, network infrastructure Signal Acquired from → thehackernews.com

Micro Crypto News Feeds