Full Report
A critical security vulnerability in XWiki collaboration software is being actively exploited by threat actors to deploy cryptocurrency mining malware on vulnerable systems. The flaw, tracked as CVE-2025-24893, represents a serious threat to organizations running unpatched XWiki installations. Cybersecurity researchers at VulnCheck have captured concrete evidence of active exploitation through their canary network. CVE Details […] The post XWiki Remote Code Execution Flaw Actively Weaponized for Coinmining appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
Analysis Summary
# Vulnerability: XWiki Unauthenticated Remote Template Injection Used for Coinmining
## CVE Details
- CVE ID: CVE-2025-24893
- CVSS Score: Not explicitly stated, but described as **Critical**
- CWE: No CWE identifier is given; the weakness is described as an unauthenticated remote template injection
## Affected Systems
- Products: XWiki collaboration software
- Versions: Unpatched XWiki installations (Specific versions not detailed in the text)
- Configurations: Internet-facing installations that expose the vulnerable SolrSearch endpoint.
## Vulnerability Description
A critical, unauthenticated Remote Template Injection vulnerability exists within the XWiki SolrSearch endpoint. Attackers send a crafted, URL-encoded request to this endpoint to execute remote commands. This vulnerability facilitates a sophisticated two-stage attack chain leading to the deployment of cryptocurrency mining malware.
## Exploitation
- Status: **Exploited in the wild** (Concrete evidence captured by VulnCheck)
- Complexity: Not explicitly stated. The initial injection requires no authentication; the effort lies in the multi-stage payload delivery that follows it.
- Attack Vector: **Network** (Remote, requires sending crafted HTTP requests).
## Impact
Threat actors are successfully deploying cryptocurrency mining malware (`tcrond`), hijacking system resources for illegal mining operations connected to `c3pool.org`.
- Confidentiality: High (Potential for data access via RCE)
- Integrity: High (Arbitrary code execution grants full system control)
- Availability: High (System resources consumed by mining operations; potential for service disruption)
## Remediation
### Patches
- **Update to patched versions of XWiki:** Organizations must update their XWiki installations immediately (specific patched version numbers are not provided in this summary; refer to the official XWiki advisories).
### Workarounds
1. **Block Malicious Infrastructure:** Network administrators should immediately block communication with the identified malicious IP addresses: `193.32.208.24` (C2/Payload hosting via transfer.sh) and `123.25.249.88` (Primary attack infrastructure).
2. **Restrict Access:** Limit external access to the XWiki SolrSearch endpoint if possible, as the flaw is remote and unauthenticated.
## Detection
- **Indicators of Compromise (IOCs):**
  - Network connections attempting to reach `c3pool.org`.
  - Presence of files or processes related to the mining malware, specifically `tcrond`.
  - Communications originating from the attack IPs `193.32.208.24` and `123.25.249.88`.
  - Suspicious scripts being downloaded to, or executed from, `/tmp` directories.
- **Detection Methods and Tools:**
  - Monitor web-server and application logs for unusual requests to, and commands executed via, the SolrSearch endpoint.
  - Search for file hashes associated with the UPX-packed mining malware campaign.
  - Use endpoint detection and response (EDR) to detect the termination of competing mining processes or the disabling of bash history logging.
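As an added example (not part of the original advisory or of VulnCheck's research), the following script applies the IOCs listed above to constructed log data: it flags access-log requests from the attack IPs, percent-decodes SolrSearch query strings so an analyst can see what was actually submitted, and matches outbound hostnames and process names against the known indicators. The SolrSearch URL path, the sample log lines and the "template-like characters" heuristic are assumptions for illustration, not facts from the advisory.

```python
import re
from urllib.parse import unquote

# Indicators taken from the advisory above.
IOC_IPS = {"193.32.208.24", "123.25.249.88"}
IOC_HOSTS = {"c3pool.org"}
IOC_PROCS = {"tcrond"}
# Heuristic (assumption, not from the advisory): a search query that decodes to
# template or shell syntax rather than plain search terms deserves triage.
SUSPICIOUS_CHARS = re.compile(r"[{}$#`|;]")

# Common/combined access-log format: client IP, then the quoted request line.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines; the SolrSearch path is assumed, not taken from the advisory.
SAMPLE_ACCESS = [
    '10.0.0.5 - - [10/Nov/2025:10:00:01 +0000] "GET /xwiki/bin/view/Main/SolrSearch?text=deployment%20guide HTTP/1.1" 200 5120',
    '123.25.249.88 - - [10/Nov/2025:10:02:13 +0000] "GET /xwiki/bin/view/Main/SolrSearch?text=%7B%7Bprobe%7D%7D HTTP/1.1" 200 812',
    '10.0.0.7 - - [10/Nov/2025:10:03:44 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 2048',
]

def triage_access_line(line):
    """Return the reasons an access-log line warrants review (empty list if none)."""
    m = ACCESS_RE.match(line)
    if not m:
        return []
    reasons = []
    if m["ip"] in IOC_IPS:
        reasons.append("source IP is a known attack IP")
    if "SolrSearch" in m["target"]:
        decoded = unquote(m["target"].partition("?")[2])  # what the server actually saw
        if SUSPICIOUS_CHARS.search(decoded):
            reasons.append("SolrSearch query decodes to template/shell-like syntax")
    return reasons

def is_ioc_destination(host):
    """True if an outbound DNS/proxy destination is c3pool.org or one of its subdomains."""
    host = host.lower().rstrip(".")
    return host in IOC_HOSTS or any(host.endswith("." + h) for h in IOC_HOSTS)

def ioc_processes(process_names):
    """Return the running process names that match the miner indicator."""
    return sorted(set(process_names) & IOC_PROCS)

if __name__ == "__main__":
    for line in SAMPLE_ACCESS:
        print(triage_access_line(line) or "clean", "<-", line[:60])
    print(is_ioc_destination("pool.c3pool.org"), ioc_processes(["sshd", "tcrond", "java"]))
```

Feed real access logs line by line into `triage_access_line`, and resolver or proxy logs into `is_ioc_destination`; hits on the attack IPs or `c3pool.org` are direct IOC matches, while the decoded-query flag is a triage cue that needs analyst review.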
## References
- Vendor Advisories: Check official XWiki security notifications for the specific patch release.
- Relevant Links:
  - Research by VulnCheck: hxxps://www.vulncheck.com/blog/xwiki-cve-2025-24893-eitw
  - CVE lookup source: hxxps://nvd.nist.gov/vuln/detail/CVE-2025-24893