Hackers Exploiting XWiki Vulnerability in the Wild to Hire the Servers for Botnet

Security researchers have observed a sharp increase in attacks targeting a critical vulnerability in XWiki servers. Multiple threat actors are actively exploiting CVE-2025-24893 to deploy botnets and coin miners and to establish unauthorized access to servers across the internet.

Since the initial discovery on October 28, 2025, exploitation has expanded dramatically. VulnCheck reported that multiple independent attackers are now actively targeting the vulnerability, ranging from automated botnets to sophisticated actors using custom tooling and specialized scanners.

Within just two days of the first report, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-24893 to its Known Exploited Vulnerabilities catalog on October 30, 2025.

Since then, canary sensors have recorded a large increase in scanning and attack attempts, and the attacker population is broad, spanning many different kinds of threat actors.

Rapid Exploitation Expansion

On November 3, 2025, the RondoDox botnet began incorporating this vulnerability into its attack arsenal, leading to a sharp increase in exploitation attempts.

These attacks are identifiable by their distinctive HTTP User-Agent signatures and payload naming conventions.

CVE ID          | Vulnerability Type          | Affected Software
CVE-2025-24893  | Remote Code Execution (RCE) | XWiki

Cryptocurrency mining operations have also joined the wave of exploitation. Multiple coin miner campaigns have been detected fetching secondary payloads from compromised servers.

VulnCheck researchers observed attackers downloading hidden scripts that ultimately deploy cryptocurrency mining software on vulnerable XWiki installations.

More concerning are the reverse shell attempts, which indicate potential hands-on-keyboard activity. VulnCheck researchers identified several attempts to establish direct command-and-control connections, including one from an AWS-associated IP address with no prior abuse history, suggesting targeted operations beyond automated scanning.

The vulnerability allows attackers to execute arbitrary code on internet-exposed XWiki servers through specially crafted requests to the SolrSearch endpoint.

Attackers exploit the Groovy scripting functionality to download and execute malicious payloads, ranging from botnet recruitment scripts to cryptocurrency miners.

VulnCheck analysts have documented attacks originating from numerous IP addresses across different countries, with payload hosting servers frequently changing locations.

The exploitation techniques include direct payload execution, multi-stage infection chains, and hidden shell scripts designed to evade detection.

By the time CISA added the vulnerability to its catalog, attackers were already days ahead of defenders. This highlights a critical gap between initial exploitation and widespread visibility.

Organizations using Canary Intelligence and early warning systems gained crucial time to patch and defend before attacks became widespread.

Security teams should monitor for unusual requests to XWiki’s SolrSearch endpoint, unexpected outbound connections from XWiki servers, and any signs of cryptocurrency mining or botnet activity.
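As an added example that is not from the original article or from VulnCheck, the script below implements the SolrSearch monitoring described above: it parses Common Log Format access-log lines, URL-decodes the query string of every request whose path hits the SolrSearch endpoint, and flags XWiki macro syntax in the search text, rating the Groovy macro highest and any other macro as medium (a generalization beyond the article, which only names Groovy). The log lines and IP addresses are constructed, and the /xwiki/bin/... path layout is assumed to be XWiki's default.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Apache/nginx Common Log Format: ip ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# XWiki macro syntax such as {{groovy}} ... {{/groovy}}; a search term should never contain it
MACRO_RE = re.compile(r"\{\{\s*/?\s*([a-z]+)", re.IGNORECASE)

def inspect_line(line):
    """Return a finding for one access-log line, or None if it looks benign."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not CLF; skip rather than crash on malformed lines
    parts = urlsplit(m.group("target"))
    if "solrsearch" not in parts.path.lower():
        return None  # only the SolrSearch endpoint is in scope here
    # decode twice so a double-encoded query string cannot hide the macro syntax
    decoded = unquote_plus(unquote_plus(parts.query))
    macros = sorted({name.lower() for name in MACRO_RE.findall(decoded)})
    if not macros:
        return None
    return {
        "ip": m.group("ip"),
        "time": m.group("ts"),
        "status": m.group("status"),
        "macros": macros,
        # Groovy is the scripting macro abused via CVE-2025-24893; any other macro is still odd in a search
        "severity": "high" if "groovy" in macros else "medium",
    }

def scan_log(text):
    """Run inspect_line over every line of an access log and collect the findings."""
    return [f for f in (inspect_line(l) for l in text.splitlines()) if f]

# Constructed sample log (documentation IP ranges, not real indicators).
SAMPLE_LOG = """\
203.0.113.10 - - [03/Nov/2025:10:01:02 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=%7B%7Bgroovy%7D%7Dprintln%28%22hi%22%29%7B%7B%2Fgroovy%7D%7D HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.7 - - [03/Nov/2025:10:02:15 +0000] "GET /xwiki/bin/view/Main/SolrSearch?text=release+notes HTTP/1.1" 200 8841 "-" "Mozilla/5.0"
203.0.113.44 - - [03/Nov/2025:10:03:40 +0000] "GET /xwiki/bin/get/Main/SolrSearch?text=%7B%7Bvelocity%7D%7D%24doc HTTP/1.1" 200 301 "-" "curl/8.0"
192.0.2.9 - - [03/Nov/2025:10:04:00 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The script only sees parameters carried in the URL, so search text submitted in a POST body is invisible to it; pair it with the outbound-connection monitoring described above.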

Organizations running XWiki installations should immediately apply available security patches and review server logs for indicators of compromise.

Network segmentation and restricting internet exposure of XWiki servers can significantly reduce the attack surface. It is also recommended to deploy detection rules that identify exploitation attempts against CVE-2025-24893.

The rapid adoption of this vulnerability by multiple threat actor groups underscores the importance of early detection and immediate patching.

Defenders who wait for official advisories are already behind the curve of exploitation, making proactive security monitoring essential in today’s threat landscape.
