Briefing

A critical Remote Code Execution (RCE) vulnerability, tracked as CVE-2025-24893, is being actively and widely exploited in unpatched XWiki servers. This zero-trust flaw allows unauthenticated threat actors to execute arbitrary code, immediately compromising the host system. The primary consequence is the weaponization of compromised infrastructure for the deployment of cryptocurrency miners and the RondoDox botnet, with a significant surge in exploitation attempts observed since early November 2025.

A sophisticated mechanism, composed of polished metallic and crystalline blue elements, is depicted amidst dynamic splashes of clear water. The scene highlights the interaction between precision engineering and fluid dynamics, suggesting a high-performance system

Context

The prevailing attack surface for open-source systems is often defined by delayed patch management and the reliance on public disclosure for vulnerability awareness. This specific RCE flaw, an eval injection bug, was patched in February 2025, but the public availability of technical proof-of-concept (PoC) code has now transitioned the risk from theoretical to actively weaponized. The lag between patch release and widespread application creates a critical window of exposure for all unmanaged deployments.

The Ethereum logo is prominently displayed on a detailed blue circuit board, enveloped by a complex arrangement of blue wires. This imagery illustrates the sophisticated infrastructure of the Ethereum blockchain, emphasizing its decentralized nature and interconnected systems

Analysis

The attack vector leverages improper input sanitization within the XWiki search function’s /bin/get/Main/SolrSearch endpoint. An unauthenticated attacker sends a crafted request containing malicious code, which the vulnerable system processes via an eval injection mechanism. This successfully bypasses security controls to achieve arbitrary remote code execution, establishing a reverse shell or directly deploying the cryptomining payload. The root cause is a fundamental logic error in handling untrusted user input, granting full system control to the threat actor.

A detailed, close-up view showcases a complex blue spherical construct featuring intricate metallic conduits and components. This visual metaphor delves into the underlying mechanisms of blockchain and cryptocurrency systems

Parameters

  • Vulnerability ID → CVE-2025-24893 → The official identifier for the critical Remote Code Execution flaw.
  • CVSS Score → 9.8 (Critical) → The severity rating indicating maximum risk for unauthenticated RCE.
  • Attack Vector → Eval Injection → The specific technical method used to execute arbitrary code via unsanitized input.
  • Primary Payload → Cryptomining and RondoDox Botnet → The dual-purpose malicious software deployed to steal compute resources and facilitate DDoS attacks.

A highly detailed, spherical mechanism with a transparent blue core is encircled by white, segmented outer components. Translucent blue connectors link these segments, revealing intricate internal structures suggestive of advanced digital processing

Outlook

Immediate mitigation for all administrators is the non-negotiable application of patches to XWiki versions 15.10.11, 16.4.1, or 16.5.0RC1 to close the RCE vulnerability. The contagion risk extends to any organization relying on open-source software with delayed patch cycles, reinforcing the need for continuous vulnerability scanning and immediate remediation. This incident will likely establish a new security best practice mandating automated deployment pipelines for critical patches, reducing the window between public disclosure and system protection.

The image displays a detailed, close-up perspective of a blue circuit board featuring numerous silver metallic components and intricate white traces. The shallow depth of field highlights the foreground's complex electronic pathways

Verdict

This widespread exploitation of a critical, previously patched RCE vulnerability confirms that operational risk in the digital asset space is increasingly migrating from smart contract logic to the underlying, unmanaged third-party infrastructure.

Remote code execution, eval injection bug, critical vulnerability, unauthenticated access, improper input sanitization, cryptocurrency mining, botnet deployment, distributed denial of service, open source software, supply chain risk, server exploitation, patch management, arbitrary code execution, known exploited vulnerability, network infrastructure Signal Acquired from → thehackernews.com

Micro Crypto News Feeds