Full Report
The RondoDox botnet malware is now exploiting a critical remote code execution (RCE) flaw in XWiki Platform tracked as CVE-2025-24893. [...]
Analysis Summary
# Vulnerability: RCE in XWiki Platform exploited by RondoDox Botnet
## CVE Details
- CVE ID: CVE-2025-24893
- CVSS Score: Critical (Implied by CISA listing and RCE)
- CWE: Not specified in text
## Affected Systems
- Products: XWiki Platform (Java-based, open-source enterprise wiki platform)
- Versions: prior to 15.10.11 and prior to 16.4.1
- Configurations: Self-hosted environments are the typical deployment scenario.
## Vulnerability Description
A critical Remote Code Execution (RCE) vulnerability exists in XWiki Platform. Threat actors, including the RondoDox botnet, are exploiting this flaw by using a specially crafted HTTP GET request against the `XWiki SolrSearch` endpoint. This request injects base64-encoded Groovy code, which is then executed by the server, leading to the download and execution of remote shell payloads (e.g., `rondo..sh`).
## Exploitation
- Status: **Exploited in the wild** (Confirmed by CISA and independent research noting RondoDox and cryptocurrency miner activity)
- Complexity: Low (Implied by widespread exploitation shortly after disclosure and simple HTTP request trigger)
- Attack Vector: Network
## Impact
- Confidentiality: High (Ability to execute remote shell and download main payloads suggests full system compromise potential)
- Integrity: High (Code execution allows for modification or destruction of data/systems)
- Availability: High (Installation of botnet malware or miners leads to resource exhaustion and denial of service)
## Remediation
### Patches
- Upgrade to XWiki Platform version **15.10.11 or later**.
- Upgrade to XWiki Platform version **16.4.1 or later**.
### Workarounds
- Specific workarounds were not detailed in the source, but network-level filtering of malicious HTTP requests targeting the SolrSearch endpoint might temporarily reduce risk until patching.
## Detection
- Indicators of Compromise (IoCs): Requests containing base64-encoded Groovy code targeting the `XWiki SolrSearch` endpoint. Observed payloads include scripts attempting to execute `cat /etc/passwd`.
- Detection methods and tools: Host-based intrusion detection systems (HIDS) or web application firewalls (WAFs) configured to inspect traffic payloads for known injection patterns, particularly Groovy code execution attempts via HTTP GET requests. Blocking known C2/payload servers associated with RondoDox is also recommended.
## References
- CISA Known Exploited Vulnerabilities Catalog: http://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-24893
- VulnCheck Analysis: https://www.vulncheck.com/blog/xwiki-under-increased-attack
- Fortinet RondoDox Documentation: https://www.fortinet.com/blog/threat-research/rondobox-unveiled-breaking-down-a-botnet-threat