The Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability affecting XWiki Platform to its Known Exploited Vulnerabilities (KEV) catalog, confirming that the eval injection flaw is being exploited in the wild.
The vulnerability allows any guest user to execute arbitrary code on the server without authentication, a severe risk for organizations running the popular open-source wiki platform.
| Field | Details |
|---|---|
| CVE ID | CVE-2025-24893 |
| Affected Product | XWiki Platform (releases before 15.10.11, 16.4.1 and 16.5.0RC1) |
| Vulnerability Type | Eval injection (CWE-95), reachable by unauthenticated guest users |
| CVSS Score | 9.8 (Critical) |
| KEV Remediation Deadline | November 20, 2025 |
Critical Vulnerability Details
The vulnerability, tracked as CVE-2025-24893, lies in XWiki Platform's SolrSearch component: the page that serves search results (reachable at /xwiki/bin/get/Main/SolrSearch) renders attacker-controlled request parameters as XWiki syntax instead of escaping them, so wiki macros embedded in the search text are evaluated on the server.
Because XWiki ships script macros such as {{groovy}}, an unauthenticated attacker can turn a single crafted request into server-side code execution, bypassing the wiki's access controls and gaining complete control of the affected instance.
The vulnerability is classified under CWE-95, improper neutralization of directives in dynamically evaluated code (eval injection).
What makes this vulnerability particularly dangerous is that it is reachable by guest users. Organizations typically enable guest access so that wiki content can be read publicly without authentication, and the search endpoint is part of that public surface.
Attackers abuse this trust model by sending a crafted search request that carries the injected macros, which the server evaluates without any login.
Once code execution is achieved, the attacker runs with the privileges of the servlet container process (typically Tomcat) that hosts XWiki, which is enough to read the wiki database credentials and content, install malware, or use the server as a pivot point for further attacks inside the network.
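The exploitation path described above leaves a distinctive trace in the reverse-proxy or servlet access log: a request to the SolrSearch endpoint whose query parameters contain XWiki macro syntax. The following detector is an added example written for this article, not code from XWiki or CISA. It assumes Combined Log Format lines (the sample lines are constructed, with documentation-range IP addresses), treats the presence of a script or rendering macro opener such as {{groovy}} or {{async}} in any search parameter as an indicator (legitimate search strings have no reason to contain them), and decodes percent-encoding repeatedly so double-encoded payloads are not missed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Combined Log Format as written by Apache httpd or nginx in front of XWiki.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# XWiki script/rendering macro openers. Treating their presence in a search
# parameter as an indicator is this script's assumption; it follows from the
# advisory describing wiki-macro injection through SolrSearch.
MACRO_RE = re.compile(r'\{\{\s*(groovy|velocity|python|async|html)\b', re.IGNORECASE)

# Path fragment of the endpoint named in the CISA KEV entry.
ENDPOINT = '/Main/SolrSearch'


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly so a double-encoded '{' (%257B) still resolves."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_target(target: str):
    """Return (is_solrsearch, [(param, macro), ...]) for one request target."""
    parts = urlsplit(target)
    if ENDPOINT not in fully_decode(parts.path):
        return False, []
    indicators = []
    # parse_qs decodes once; fully_decode catches any extra encoding layers.
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        for value in values:
            for m in MACRO_RE.finditer(fully_decode(value)):
                indicators.append((name, m.group(1).lower()))
    return True, indicators


def scan_log(text: str):
    """One alert per SolrSearch request whose parameters carry macro syntax."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hit, indicators = inspect_target(m.group('target'))
        if hit and indicators:
            alerts.append({'ip': m.group('ip'), 'ts': m.group('ts'),
                           'target': m.group('target'), 'indicators': indicators})
    return alerts


# Constructed sample log: one injection attempt, one benign search, one
# unrelated page view, and one double-encoded attempt.
SAMPLE_LOG = """\
203.0.113.7 - - [31/Oct/2025:10:14:02 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln(1)%7B%7B/groovy%7D%7D%7B%7B/async%7D%7D HTTP/1.1" 200 1842
198.51.100.4 - - [31/Oct/2025:10:15:11 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=project+roadmap HTTP/1.1" 200 912
203.0.113.7 - - [31/Oct/2025:10:16:40 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 5120
192.0.2.9 - - [31/Oct/2025:10:17:05 +0000] "GET /xwiki/bin/get/Main/SolrSearch?text=%257B%257Bgroovy%257D%257D HTTP/1.1" 200 700
"""

if __name__ == '__main__':
    for alert in scan_log(SAMPLE_LOG):
        print(alert['ts'], alert['ip'], alert['indicators'])
```

Run it over real logs by piping the file into `scan_log`. A 200 status on a flagged request does not by itself prove success, so treat any hit as a trigger to pull the XWiki application log and check the process tree on the host for child processes spawned by the servlet container.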
CISA has set a remediation deadline of November 20, 2025, for the vulnerability. The deadline is binding on federal civilian executive branch agencies under Binding Operational Directive (BOD) 22-01, and it is a sensible benchmark for everyone else.
The agency's guidance is to apply the vendor's mitigations immediately, which for this flaw means upgrading to an XWiki release that contains the fix.
Organizations running XWiki as a cloud-hosted or managed service should follow the applicable BOD 22-01 guidance for cloud services, which requires that the provider remediate KEV-listed vulnerabilities within the same timeframe.
For organizations that cannot apply the fix, whether because of operational constraints or compatibility issues, CISA's standard KEV guidance is to discontinue use of the product until remediation is possible.
This aggressive stance reflects both the severity of the vulnerability and the consequences of leaving an unauthenticated code execution flaw exposed.
Inclusion in the KEV catalog means CISA has evidence of active exploitation; the catalog entry lists use in ransomware campaigns as unknown rather than confirmed. Given the severity and the trivial exploitation, organizations that delay patching should expect to be targeted.
Ransomware groups and other adversaries routinely monitor KEV additions and rapidly adopt public exploit code to expand their pool of targets.
Organizations should first inventory every XWiki Platform deployment in their infrastructure, including development, testing, and production environments.
Even instances believed to be isolated or internal-facing can serve as entry points for attackers who gain initial network access by other means, since the flaw requires no credentials.
Security teams should upgrade to a fixed release (15.10.11, 16.4.1, or 16.5.0RC1 and later); the XWiki security advisory also describes an in-wiki workaround for instances that cannot be upgraded immediately. Test the update in a non-production environment before rolling it out to critical systems.
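The inventory step is where most of the risk hides, so here is an added example (written for this article, not XWiki's own tooling) that triages a list of instances by version against the fixed releases. It assumes a simple CSV inventory (constructed below) and that a version string can be read from the XML returned by XWiki's REST root resource at /xwiki/rest/, whose `<version>` element and namespace are assumed here as in current XWiki; the sample XML response is constructed. The classification treats everything below 15.10.11 as affected, which also sweeps up end-of-life releases that need an upgrade regardless.

```python
import csv
import io
import re
import xml.etree.ElementTree as ET

# Releases carrying the fix for CVE-2025-24893, per the XWiki advisory:
# 15.10.11 on the 15.10.x LTS line; 16.4.1 and 16.5.0RC1 onward on 16.x.
FIXED_LTS = (15, 10, 11)
FIXED_STABLE = (16, 4, 1)

# Namespace assumed for the REST root resource's XML (an assumption of this example).
XWIKI_NS = '{http://www.xwiki.org}'


def parse_version(version: str):
    """Turn '16.5.0-rc-1', '15.10.8' or '14.10' into a comparable (major, minor, patch)."""
    core = version.strip().split('-', 1)[0]      # drop -rc-1 / -milestone-2 qualifiers
    nums = [int(p) for p in re.findall(r'\d+', core)][:3]
    return tuple(nums + [0] * (3 - len(nums)))


def is_vulnerable(version: str) -> bool:
    """True unless the version is at or above a fixed release on its line."""
    v = parse_version(version)
    if v >= FIXED_STABLE:                  # 16.4.1, 16.5.0RC1, 17.x ...
        return False
    if FIXED_LTS <= v < (16, 0, 0):        # 15.10.11 and later 15.10.x
        return False
    return True


def version_from_rest(xml_text: str) -> str:
    """Extract <version> from the XML returned by GET /xwiki/rest/ (assumed shape)."""
    root = ET.fromstring(xml_text)
    el = root.find(f'{XWIKI_NS}version')
    if el is None:
        el = root.find('version')          # tolerate an un-namespaced response
    if el is None or not el.text:
        raise ValueError('no <version> element in REST response')
    return el.text.strip()


def triage(inventory_csv: str):
    """Annotate each inventory row with whether its version is affected."""
    rows = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        rows.append({**row, 'vulnerable': is_vulnerable(row['version'])})
    # Affected production hosts first, then other affected hosts, then the rest.
    rows.sort(key=lambda r: (not r['vulnerable'], r['environment'] != 'production'))
    return rows


# Constructed sample inventory and REST response.
SAMPLE_INVENTORY = """\
host,environment,version
wiki-dev.example.internal,development,16.5.0-rc-1
kb-old.example.internal,testing,14.10.22
docs.example.com,production,16.4.1
wiki.example.internal,production,15.10.8
"""

SAMPLE_REST = ('<?xml version="1.0"?><xwiki xmlns="http://www.xwiki.org">'
               '<version>16.4.0</version></xwiki>')

if __name__ == '__main__':
    for r in triage(SAMPLE_INVENTORY):
        print('AFFECTED' if r['vulnerable'] else 'ok      ', r['environment'], r['host'], r['version'])
    print('REST-reported version', version_from_rest(SAMPLE_REST),
          'vulnerable:', is_vulnerable(version_from_rest(SAMPLE_REST)))
```

Treat a version check as a starting point only: an instance that is already fixed may still have been compromised before the upgrade, so run the log scan and host review on every instance that was exposed while vulnerable.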
Until the fix is in place, organizations should restrict access to exposed instances (for example, by placing the search endpoint behind authentication at the proxy) and use network segmentation to limit lateral movement if exploitation occurs first.
