Full Report
The botnet malware known as RondoDox has been observed exploiting a critical security flaw in unpatched XWiki instances that could allow attackers to achieve arbitrary code execution. The vulnerability in question is CVE-2025-24893 (CVSS score: 9.8), an eval injection bug that could allow any guest user to perform arbitrary remote code execution through a request to the "/bin/get/Main/
Analysis Summary
# Vulnerability: RondoDox Botnet Exploiting XWiki Arbitrary Code Execution
## CVE Details
- CVE ID: CVE-2025-24893
- CVSS Score: 9.8 (Critical)
- CWE: CWE-95 (Improper Neutralization of Data within Dynamic Invocation Constructs) - *Inferred from "eval injection bug"*
## Affected Systems
- Products: XWiki Platform
- Versions: Prior to XWiki 15.10.11, 16.4.1, and 16.5.0RC1.
- Configurations: Any unpatched XWiki instance accessible to a guest user.
## Vulnerability Description
This vulnerability, designated as CVE-2025-24893, is an **eval injection bug** allowing for arbitrary remote code execution (RCE). An unauthenticated **guest user** can trigger this flaw by sending a specific request to the `/bin/get/Main/SolrSearch` endpoint. Successful exploitation results in the execution of attacker-controlled code on the server.
## Exploitation
- Status: Exploited in the wild (observed in use by the RondoDox botnet, cryptocurrency miners, and general probing tools).
- Complexity: Low (exploitable by an unauthenticated guest user).
- Attack Vector: Network (remote, via a single HTTP request).
## Impact
- Confidentiality: High (Arbitrary code execution can lead to full system compromise and data exfiltration).
- Integrity: High (Arbitrary code execution allows for modification or destruction of system files and data).
- Availability: High (Can lead to system takeover, deployment of DDoS agents, or data destruction).
## Remediation
### Patches
- XWiki 15.10.11
- XWiki 16.4.1
- XWiki 16.5.0RC1 (and later versions)
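The fixed versions above span two release branches plus a release candidate, so deciding whether a given deployment is patched is not a plain numeric comparison. The following is an added example, not code from the source report or from the XWiki project: it parses an XWiki version string and applies the fix boundaries listed above. The treatment of `16.5.0` pre-release builds (only `RC` builds and the final release are considered fixed; earlier milestone builds are not) is an assumption made for this example.

```python
import re
from typing import Tuple

# Fix boundaries taken from the Patches list above (CVE-2025-24893).
FIXED_15 = (15, 10, 11)       # 15.x branch fixed from 15.10.11
FIXED_16 = (16, 4, 1)         # 16.x branch fixed from 16.4.1
FIRST_16_5 = (16, 5, 0)       # 16.5.0 fixed from RC1 onwards

# major.minor[.patch] followed by an optional pre-release tag such as RC1 or -milestone-1
_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)(?:\.(\d+))?[-.]?([A-Za-z][A-Za-z0-9.\-]*)?$"
)


def parse_version(text: str) -> Tuple[Tuple[int, int, int], str]:
    """Split an XWiki version string into a numeric triple and a lower-cased pre-release tag.

    '16.5.0RC1' -> ((16, 5, 0), 'rc1');  '15.10.11' -> ((15, 10, 11), '')
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised XWiki version string: {text!r}")
    major, minor, patch, tag = m.groups()
    return (int(major), int(minor), int(patch or 0)), (tag or "").lower()


def is_vulnerable(text: str) -> bool:
    """True when the version is below the fix boundary of its branch."""
    num, tag = parse_version(text)
    major = num[0]
    if major < 15:
        return True                      # older branches never received a fix
    if major == 15:
        return num < FIXED_15
    if major == 16:
        if num < FIXED_16:
            return True                  # 16.0.0 .. 16.4.0
        if num == FIRST_16_5:
            # Assumption: RC builds and the final release carry the fix,
            # earlier 16.5.0 milestone builds do not.
            return not (tag == "" or tag.startswith("rc"))
        return False                     # 16.4.1+, 16.5.0RC1+, 16.6.0 ...
    return False                         # 17.x and later


def assess(versions: list) -> dict:
    """Map each version string to 'vulnerable' / 'patched' for a quick inventory report."""
    return {v: ("vulnerable" if is_vulnerable(v) else "patched") for v in versions}


if __name__ == "__main__":
    # Constructed inventory of version strings; not real hosts.
    for version, state in assess(["14.10.21", "15.10.10", "15.10.11",
                                  "16.4.0", "16.4.1", "16.5.0-milestone-1",
                                  "16.5.0RC1", "16.5.0", "17.0.0"]).items():
        print(f"{version:20} {state}")
```

Run it against the version reported by each instance's own footer or admin page; any line marked `vulnerable` should be upgraded to the matching fixed release listed above.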
### Workarounds
No specific workarounds are detailed in the source report. If patching is delayed, general mitigation for RCE vulnerabilities applies: strict network segmentation of the XWiki host, and WAF rules that block suspicious payloads aimed at the affected endpoint. CISA issued a directive requiring federal agencies to mitigate by November 20.
## Detection
- Indicators of Compromise (IOCs): No file hashes or network indicators are given in the source report; observed exploitation uses a two-stage attack chain that typically ends in the deployment of a cryptocurrency miner or RondoDox botnet components.
- Detection Methods and Tools: Detection methods include monitoring for exploitation attempts utilizing the `/bin/get/Main/SolrSearch` endpoint with malicious input. A **Nuclei template for CVE-2025-24893** has been made publicly available, which can be used for vulnerability scanning and detection of active exploitation attempts.
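The detection method above amounts to watching requests to the `/bin/get/Main/SolrSearch` endpoint for query content that a search term would not normally carry. The following is an added example, not code from the source report, the Nuclei project or XWiki: it parses combined-format web server access log lines, decodes the query string (twice, to catch double-encoding), and flags requests to that endpoint whose decoded query contains code-like characters. The character set used as the heuristic and the sample log lines are constructed for this example; the flagged line carries a placeholder string, not a real payload.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import unquote_plus, urlsplit

# Endpoint named in the advisory summary above.
TARGET_PATH = "/bin/get/Main/SolrSearch"

# Heuristic chosen for this example (assumption, not a vendor signature):
# characters a human search term rarely contains but injected script text usually does.
CODE_LIKE_CHARS = set("{}$`|;<>")

# Combined log format as written by Apache httpd and nginx defaults.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)


@dataclass
class Finding:
    ip: str
    timestamp: str
    status: int
    decoded_query: str
    suspicious_chars: str


def parse_line(line: str) -> Optional[dict]:
    """Return the named fields of one access log line, or None if it does not parse."""
    m = _LOG_RE.match(line)
    return m.groupdict() if m else None


def inspect_request(entry: dict) -> Optional[Finding]:
    """Flag a request to the SolrSearch endpoint whose query carries code-like characters."""
    parts = urlsplit(entry["target"])
    if parts.path != TARGET_PATH:
        return None
    # Decode twice: a benign query is unchanged by the second pass,
    # a double-encoded one is revealed by it.
    decoded = unquote_plus(unquote_plus(parts.query))
    hits = "".join(sorted(set(decoded) & CODE_LIKE_CHARS))
    if not hits:
        return None
    return Finding(entry["ip"], entry["ts"], int(entry["status"]), decoded, hits)


def scan_log(lines: List[str]) -> List[Finding]:
    """Run inspect_request over every parseable line and collect the findings."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        finding = inspect_request(entry)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample traffic (not real log data). Line 2 carries a placeholder token
# with braces and a dollar sign so that the heuristic fires; it is not an exploit string.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Nov/2025:12:00:01 +0000] "GET /bin/get/Main/SolrSearch?text=meeting+notes HTTP/1.1" 200 1432 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Nov/2025:12:00:05 +0000] "GET /bin/get/Main/SolrSearch?text=%24%7Bplaceholder%7D HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '192.0.2.9 - - [10/Nov/2025:12:00:09 +0000] "GET /bin/view/Main/WebHome HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.timestamp} {f.ip} status={f.status} chars={f.suspicious_chars!r} query={f.decoded_query!r}")
```

A status of 200 on a flagged request is the case to escalate, since it means the request reached the endpoint rather than being rejected by a WAF or the application; a 403 or 404 on the same path is still worth counting as a probe. The same path-plus-query check is what a WAF rule for the workaround above would express.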
## References
- Vendor Advisory (GitHub Security Advisory): hxxps://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rr6p-3pfg-562j
- CISA KEV Catalog Entry: hxxps://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=CVE-2025-24893
- Nuclei Template: hxxps://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2025/CVE-2025-24893.yaml