🔴 CVE-2025-24893

XWiki Platform contains a critical remote code execution vulnerability (CVE-2025-24893) that allows unauthenticated attackers to execute arbitrary code via the SolrSearch endpoint. This vulnerability affects a widely-deployed enterprise wiki platform that is commonly internet-facing and has been added to CISA's Known Exploited Vulnerabilities catalog.

Risk Level: HIGH_RISK
CVSS Score: 9.8
Attack Vector: NETWORK
ATT&CK Tactic: Initial Access
ATT&CK Technique: T1190 — Exploit Public-Facing Application
Deployment Risk: HIGH
Ransomware: No

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2025-02-20

Added to CISA KEV: 2025-10-30 (252 days between CVE publication and KEV listing)

🎯 Recommendations:

🔍 Web Intelligence (Kagi · 2026-06-04)

CVE-2025-24893 is a critical vulnerability in the XWiki Platform that allows for unauthenticated remote code execution (RCE) [1] [2]. It has been assigned a CVSS score of 9.8 [4] [6].

Exploitation and Threat Actor Usage
  • Active Exploitation: The vulnerability is actively exploited in the wild [5]. It was added to the CISA Known Exploited Vulnerabilities (KEV) catalog on October 30, 2025 [3].
  • Threat Actors: Following its initial discovery, the vulnerability saw a "multi-actor scramble" involving various threat actors, including botnets and operators of coinminers [3].
  • Campaigns: Observed attacks have included two-stage chains designed to deliver coinminers [5].
Attack Method and Requirements
  • Method: The vulnerability stems from insufficient input sanitization in the `SolrSearch` macro, which allows an attacker to inject and execute arbitrary Groovy code [2].
  • Requirements: Exploitation is performed via a specially crafted, unauthenticated HTTP request sent to the `SolrSearch` endpoint [2]. No user interaction is required [1].
Impact
  • Access: Successful exploitation grants an attacker the ability to execute arbitrary code on the underlying server with the privileges of the XWiki application [1].
  • Impact: This results in a full compromise of the confidentiality, integrity, and availability of the XWiki installation [1].
Proof-of-Concept (PoC)
  • Publicly available PoC code exists that demonstrates how to execute arbitrary commands via Groovy code injection through the `SolrSearch` macro [4].
Affected Versions and Mitigation
  • Affected Versions: XWiki Platform versions prior to the patched releases are vulnerable.
  • Patch Status: The vulnerability has been patched in the following versions:
      * 15.10.11
      * 16.4.1
      * 16.5.0RC1
  • Recommendation: Organizations running affected versions are strongly advised to upgrade to these patched versions immediately [1] [7].
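To turn the patched-release list above into a fleet triage check, the following Python is an added example (not from the page or from the XWiki project). It assumes XWiki version strings of the form `major.minor.patch` with an optional `RCn` suffix, treats a release candidate as older than the final release with the same number, and treats any branch before 15.x as unpatched, since the page states that versions prior to the patched releases are vulnerable. The host inventory is constructed sample data.

```python
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int, Optional[int]]  # (major, minor, patch, rc)


def parse_version(v: str) -> Version:
    """Parse 'major.minor.patch[RCn]' into a tuple; patch defaults to 0."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:RC(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised XWiki version string: {v!r}")
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch or 0), int(rc) if rc else None)


def _sort_key(t: Version):
    """Comparable key: an RC sorts before the final release of the same number."""
    major, minor, patch, rc = t
    return (major, minor, patch, 0 if rc is not None else 1, rc or 0)


# Fixed releases as listed on the page (assumption: each fix applies from that
# release onwards within its branch, and 16.5.0RC1 covers 16.5 and later).
FIX_15 = _sort_key((15, 10, 11, None))
FIX_16_EARLY = _sort_key((16, 4, 1, None))
FIX_16_5 = _sort_key((16, 5, 0, 1))


def is_patched(version: str) -> bool:
    """True when the given XWiki release contains the CVE-2025-24893 fix."""
    v = parse_version(version)
    k = _sort_key(v)
    major, minor = v[0], v[1]
    if major < 15:
        return False  # older branches never received the fix
    if major == 15:
        return k >= FIX_15
    if major == 16 and minor < 5:
        return k >= FIX_16_EARLY
    return k >= FIX_16_5  # 16.5.0RC1 and everything after it


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("wiki-prod-1", "16.4.0"),
    ("wiki-prod-2", "16.4.1"),
    ("wiki-legacy", "15.10.8"),
    ("wiki-dev", "16.5.0RC1"),
]


def unpatched_hosts(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return the (host, version) pairs still running a vulnerable release."""
    return [(host, ver) for host, ver in inventory if not is_patched(ver)]


if __name__ == "__main__":
    for host, ver in unpatched_hosts(SAMPLE_INVENTORY):
        print(f"{host}: {ver} is below the patched release, upgrade required")
```

The check is deliberately branch-aware: 16.0.x is not made safe by 15.10.11 existing, and 16.4.1 does not cover the 16.5 line, which needs 16.5.0RC1 or later. Unparseable version strings raise rather than silently passing, so a host with an unexpected banner shows up in triage instead of disappearing from it.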

Sources

  1. CVE-2025-24893 Detail - NVD

    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any guest can perform arbitrary remote code execution. ... CVE-2025-24893 Detail. Description. XWiki Platform is a gene…

  2. XWiki Remote Code Execution Vulnerability (CVE-2025-24893)

    A newly discovered critical vulnerability in the XWiki Platform, tracked as CVE-2025-24893, allows unauthenticated remote code execution (RCE) through the ... The Vulnerability Explained. CVE-2025-24893 stems from insufficient input sanitization in the SolrSearch macro. This macro, used for querying…

  3. XWiki Under Increased Attack | Blog | VulnCheck

    What began as one attacker exploiting CVE-2025-24893 has become a multi-actor scramble including botnets, miners, and custom tooling. Our early Canary detections show how quickly real-world exploitation now evolves. Two days later, on October 30, CVE-2025-24893 was added to CISA Known Exploited Vulne…

  4. CVE-2025-24893 - XWiki Unauthenticated Remote Code Execution

    This PoC allows to execute arbitrary commands through Groovy code on SolrSearch Macro. Details. Severity: Critical CVSS Score: 9.8 (CVSS:3.1/AV:N/AC: ...

  5. XWiki CVE-2025-24893 Exploited in the Wild | Blog - VulnCheck

    VulnCheck Canaries captured live exploitation of XWiki CVE-2025-24893, a vulnerability absent from CISA KEV but actively abused in the wild. ... Key Takeaw…

  6. Widespread Exploitation of XWiki Vulnerability Observed

    Threat actors started exploiting a critical XWiki vulnerability en masse within two weeks of the bug being reported as exploited in the wild, VulnCheck warns. Tracked as CVE-2025-24893 (CVSS score of 9.8), the flaw was discovered in May 2024 and patched in June 2024, but a CVE identifier was ...

  7. CVE-2025-24893 - Exploits & Severity - Feedly

    CVEs. CVE-2025-24893. Proof of exploit. Exploited in the wild. The vulnerability is actively being exploited in the wild and was added to the CISA Known Exploited Vulnerability list. Its exploitation has been reported by various sources, including ionix.io. Patch. Patches are available for XWiki versio…