The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning about a severe injection vulnerability in the XWiki Platform, designated as CVE-2025-24893.
This flaw allows unauthenticated attackers to execute arbitrary remote code, posing significant risks to organizations using the open-source wiki software.
Already under active exploitation, the vulnerability underscores the danger of eval injection in web applications, particularly in search functionality that renders user-supplied text.
XWiki, a popular platform for collaborative content management, suffers from this eval injection issue in its SolrSearch feature. Attackers can exploit it without logging in, potentially compromising entire installations.
CISA added the CVE to its Known Exploited Vulnerabilities catalog on October 30, 2025, emphasizing the need for immediate action amid reports of real-world exploitation.
While it’s unclear if ransomware groups are leveraging it specifically, the flaw’s severity aligns with tactics seen in broader campaigns targeting content management systems.
Vulnerability Mechanics and Impact
At its core, CVE-2025-24893 stems from improper handling of user input in the SolrSearch endpoint, classified under CWE-95 for improper neutralization of directives in dynamically evaluated code. Any guest user can send a crafted request to trigger code execution.
For instance, a simple test involves requesting the SolrSearch RSS feed with a payload like %7D%7D%7D%7B%7Basync async=false%7D%7D%7B%7Bgroovy%7D%7Dprintln("Hello from" + " search text:" + (23 + 19))%7B%7B/groovy%7D%7D%7B%7B/async%7D%7D. If the response includes "Hello from search text:42" in the RSS title, the instance is vulnerable.
The impact is devastating: complete remote code execution undermines confidentiality, integrity, and availability. Attackers could steal data, deploy malware, or pivot to other systems.
All releases prior to the patched versions are affected; the exposure primarily hits enterprise users in education, government, and corporate sectors who rely on XWiki for internal knowledge bases.
| CVE ID | Description | Affected Products/Versions | CVSS 3.1 Score | CWE | Exploitation Status | 
|---|---|---|---|---|---|
| CVE-2025-24893 | Eval injection in SolrSearch allowing arbitrary RCE | XWiki Platform < 15.10.11, < 16.4.1, < 16.5.0RC1 | 9.8 (Critical) | CWE-95 | Actively exploited in the wild | 
Mitigations
CISA urges users to promptly apply vendor mitigations, adhere to Binding Operational Directive 22-01 for cloud services, or discontinue use of the product if patches are unavailable.
XWiki has released fixes in versions 15.10.11, 16.4.1, and 16.5.0RC1, which sanitize inputs and prevent eval execution.
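The three fixed releases above sit on different release lines, so deciding whether a given installation is patched is a per-branch comparison rather than a single "newer than X" check, and release candidates sort before the final release of the same number (16.5.0RC1 is the fix; a hypothetical 15.10.11RC1 would still be older than 15.10.11). The following inventory helper is an added example written for this article, not XWiki's own code: the branch boundaries (15.10.x and older compared against 15.10.11, 16.0 through 16.4 against 16.4.1, 16.5 and newer against 16.5.0RC1) are my reading of the thresholds the article lists, and the version-string grammar it accepts is an assumption.

```python
import re
from typing import NamedTuple


class XWikiVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    # Pre-release rank: the RC number for release candidates, or FINAL for a
    # final release, so that 16.5.0RC1 < 16.5.0 when tuples are compared.
    pre: int


FINAL = 10**6  # sentinel larger than any plausible RC number

# Accepts "15.10.11", "16.5.0RC1", "16.5.0-rc-1", "16.4" (assumed grammar).
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:[-.]?RC[-.]?(\d+))?$", re.IGNORECASE)


def parse_version(text: str) -> XWikiVersion:
    """Parse an XWiki version string into a comparable tuple."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised XWiki version string: {text!r}")
    major, minor, patch, rc = m.groups()
    return XWikiVersion(int(major), int(minor), int(patch or 0), int(rc) if rc else FINAL)


# Fixed releases named in the article for CVE-2025-24893.
FIXED_15_10 = parse_version("15.10.11")
FIXED_16_4 = parse_version("16.4.1")
FIXED_16_5 = parse_version("16.5.0RC1")


def is_affected(version_text: str) -> bool:
    """Return True if this XWiki version predates the fix on its release line.

    Branch assignment is an assumption: anything at or below 15.10.x is judged
    against 15.10.11, 16.0 through 16.4 against 16.4.1, and 16.5+ against
    16.5.0RC1. Older branches with no listed fix are treated as affected.
    """
    v = parse_version(version_text)
    if (v.major, v.minor) <= (15, 10):
        return v < FIXED_15_10
    if (v.major, v.minor) <= (16, 4):
        return v < FIXED_16_4
    return v < FIXED_16_5


if __name__ == "__main__":
    for candidate in ["14.10.21", "15.10.10", "15.10.11RC1", "15.10.11", "16.3.2", "16.4.1", "16.5.0RC1", "16.5.0"]:
        print(f"{candidate:>12}: {'AFFECTED' if is_affected(candidate) else 'patched'}")
```

Feed it the version string from the wiki's administration page or the deployed WAR's manifest; a release candidate of the fix version itself (15.10.11RC1) is reported as affected, while 16.5.0 and later final releases are not.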
As a temporary workaround, administrators can modify the Main.SolrSearchMacros file, specifically line 955, to enforce an application/xml content type for the rawResponse macro, mirroring the template’s secure output handling.
This blocks malicious payloads without a full upgrade. Organizations should also monitor logs for suspicious SolrSearch requests and restrict guest access where possible.
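The payload shape shown in the mechanics section gives defenders something concrete to look for in web-server logs: a request to the SolrSearch feed whose search text, once URL-decoded, contains XWiki macro syntax such as {{async ...}} or {{groovy}}, or the }}} sequence that closes the surrounding rendering context. The scanner below is an added example written for this article, not XWiki's or CISA's code. It assumes combined-format access logs and an XWiki URL layout in which the feed lives under a path ending in /SolrSearch; the sample log lines are constructed, and the list of macro names it flags beyond groovy and async is my own choice. It decodes repeatedly so that double-encoded payloads do not slip past a single-pass filter.

```python
import re
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample access-log lines (combined log format). None of these come
# from the article or from a real XWiki deployment; the SolrSearch feed path is
# an assumption about a typical XWiki URL layout. Line 2 carries the article's
# macro-injection shape, line 3 is a benign page whose name merely contains
# "Groovy", and line 4 is a double-URL-encoded variant of the same technique.
SAMPLE_LOG = """\
10.0.0.5 - - [31/Oct/2025:10:01:12 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=project+roadmap HTTP/1.1" 200 2310 "-" "Mozilla/5.0"
10.0.0.9 - - [31/Oct/2025:10:02:45 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync+async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln(42)%7B%7B/groovy%7D%7D%7B%7B/async%7D%7D HTTP/1.1" 200 1780 "-" "curl/8.4.0"
10.0.0.7 - - [31/Oct/2025:10:03:01 +0000] "GET /xwiki/bin/view/Dev/GroovyNotes HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
10.0.0.9 - - [31/Oct/2025:10:03:30 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=%257B%257Bgroovy%257D%257Dprintln(1)%257B%257B/groovy%257D%257D HTTP/1.1" 200 1700 "-" "curl/8.4.0"
"""

# Combined log format: client, identd, user, [timestamp], "METHOD target PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# XWiki macro open/close syntax for scripting and wrapper macros. groovy and
# async are the ones named in the article; the rest are my additions.
MACRO_RE = re.compile(r"\{\{\s*/?\s*(groovy|async|velocity|python|include|display|html)\b", re.IGNORECASE)


def decode_fully(value: str, max_rounds: int = 4) -> str:
    """URL-decode until the value stops changing (bounded), to defeat double encoding."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request(target: str):
    """Return a verdict dict for a suspicious SolrSearch request, else None."""
    parsed = urlparse(target)
    if not parsed.path.lower().endswith("/solrsearch"):
        return None  # only the search endpoint is in scope for this check
    params = parse_qs(parsed.query, keep_blank_values=True)  # strips one encoding layer
    macros, closes_context = set(), False
    for values in params.values():
        for raw in values:
            value = decode_fully(raw)
            macros.update(m.group(1).lower() for m in MACRO_RE.finditer(value))
            if "}}}" in value:  # closes the enclosing macro so injected markup is rendered
                closes_context = True
    if not macros and not closes_context:
        return None
    return {"macros": sorted(macros), "closes_context": closes_context}


def scan_log(log_text: str):
    """Parse access-log lines and report requests that carry macro syntax to SolrSearch."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        verdict = inspect_request(m.group("target"))
        if verdict:
            findings.append({
                "client": m.group("client"),
                "timestamp": m.group("ts"),
                "status": int(m.group("status")),
                **verdict,
            })
    return findings


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['timestamp']} {hit['client']} status={hit['status']} "
              f"macros={hit['macros']} closes_context={hit['closes_context']}")
```

A 200 status on a flagged request does not by itself prove execution, but combined with the println-style probe the article describes, it is the event to correlate with the RSS response body and with the origin IP's other activity; the benign request whose path merely contains "Groovy" is not reported because the check is scoped to the search endpoint.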
This incident highlights the ongoing threats to legacy web platforms. With exploitation confirmed, swift patching remains critical to safeguard sensitive environments.