Hackers Hijack Corporate XWiki Servers for Crypto Mining – Hackread – Cybersecurity News, Data Breaches, Tech, AI, Crypto and More

A critical vulnerability in XWiki, the open-source wiki and documentation platform many companies use to manage and share internal documents, is being actively exploited to turn corporate servers into cryptocurrency miners. The targets are unpatched installations.

The flaw, tracked as CVE-2025-24893, sits in the Solr search page of XWiki Platform (the SolrSearch page in the Main wiki space). It is an unauthenticated remote code execution (RCE) vulnerability: anyone who can reach the wiki over the network, including an anonymous guest, can run arbitrary code on the server without any credentials.

The flaw has been public since February 2025, but new research from VulnCheck confirms it is now being exploited in the wild. VulnCheck published the full details of this wave of attacks on October 28 and shared them with Hackread.com.

The attack is simple but effective. The attacker sends a crafted search request to a specific URL on the XWiki server, /xwiki/bin/get/Main/SolrSearch, with wiki markup embedded in the search text in place of a normal query. The vulnerable page echoes that text back into its output and renders it as XWiki syntax without escaping it, so the embedded markup is interpreted rather than treated as a literal search string. Because the page is rendered with enough rights to execute XWiki's scripting macros (Groovy among them), a single unauthenticated request is enough to run attacker-supplied code on the server.

The Two-Step Attack Chain

Using their detection tools, VulnCheck researchers captured the entire attack chain: a two-step process that ends by installing a coin-mining program, a practice known as cryptojacking. The attack traffic traced back to a single IP address in Vietnam, with exploitation attempts logged as recently as October 26, 2025.

“All attack traffic originates from 123.25.249.88, an IP that geolocates to Vietnam and appears in several recent AbuseIPDB reports,” researchers explained in the blog post.

Geolocation revealed (Image credit: VulnCheck)

The sequence has two phases. In phase 1, the exploit request drops a small downloader into the server's temporary directory. Roughly 20 minutes later, phase 2 executes that downloader, which fetches additional malicious scripts from a second server in the United Kingdom (hosted by Hydra Communications) through the file-sharing service transfer.sh.

The final stage installs the coinminer, a binary named tcrond, configured to mine for the c3pool.org pool. The name resembles the legitimate cron daemon, so a glance at a process listing is not a reliable check. The malware also kills any competing miner it finds, reserving the server's CPU entirely for the attackers.

VulnCheck’s research provides essential Indicators of Compromise (IoCs), including the malicious IP addresses 123.25.249.88 and 193.32.208.24, for security teams to detect and block this activity.
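The request pattern and the IoCs above can be turned into a first-pass access-log sweep. The following is an added example written for this article, not VulnCheck's or XWiki's code: it parses Apache/nginx combined-format lines, URL-decodes requests to the SolrSearch page and flags any whose query carries XWiki macro syntax (the exploit embeds scripting macros such as {{groovy}} in the search text), plus any request from the two published IP addresses. The log lines are constructed for the example; the macro body in them is a harmless placeholder, not a real payload.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Indicators from VulnCheck's report (the two IPs named in the article).
IOC_IPS = {"123.25.249.88", "193.32.208.24"}

# The vulnerable page. Any request to it whose query carries XWiki macro
# syntax is suspicious: a legitimate search string has no reason to contain
# {{groovy}}, {{async}} or similar scripting/wrapper macros.
SOLR_PATH = "/xwiki/bin/get/Main/SolrSearch"
MACRO_RE = re.compile(r"\{\{/?\s*(groovy|async|velocity|python|script)\b", re.IGNORECASE)

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log (not captured traffic). Line 2 mimics the exploit
# shape with the placeholder body EXAMPLE; line 4 is a benign-looking request
# from an IoC address, which should still be surfaced.
SAMPLE_LOG = """\
203.0.113.10 - - [26/Oct/2025:10:01:02 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=deployment+guide HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
123.25.249.88 - - [26/Oct/2025:10:02:17 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync+async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7DEXAMPLE%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D HTTP/1.1" 200 2048 "-" "curl/8.0"
198.51.100.7 - - [26/Oct/2025:10:03:44 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
193.32.208.24 - - [26/Oct/2025:10:22:05 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 9000 "-" "curl/8.0"
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Return the list of reasons an entry is suspicious (empty if none)."""
    reasons = []
    parts = urlsplit(entry["target"])
    if parts.path.startswith(SOLR_PATH):
        # Decode twice: a double-encoded payload is still decoded by the
        # application, but a single pass would not reveal the braces.
        decoded = unquote_plus(unquote_plus(parts.query))
        if MACRO_RE.search(decoded):
            reasons.append("xwiki macro syntax in SolrSearch query")
    if entry["ip"] in IOC_IPS:
        reasons.append("source IP in published IoC list")
    return reasons


def scan(log_text):
    """Scan a log and return one finding per suspicious line."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            findings.append({"ip": entry["ip"], "ts": entry["ts"],
                             "target": entry["target"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["ts"], f["ip"], "->", "; ".join(f["reasons"]))
```

Access logs only record the query string of GET requests; if the search text is sent in a POST body, this sweep will miss it, and inspection has to happen at a reverse proxy or WAF that logs request bodies. Treat the IP matches as pointers, not proof: attacker infrastructure changes, so the macro-syntax check is the durable part of the rule.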

The secondary payload host details (Image credit: VulnCheck)

Immediate Action: Patch Now

At the time of VulnCheck's publication, CVE-2025-24893 (CVSS score 9.8) was not listed in CISA's Known Exploited Vulnerabilities (KEV) catalogue. VulnCheck's researchers note that this shows how “real-world exploitation often precedes official recognition”: organisations should act on evidence of exploitation rather than wait for a government list to confirm the threat.

Your XWiki installation is vulnerable if it is running:

  • Any version before 15.10.11.
  • Any 16.x version from 16.0.0-rc-1 up to, but not including, 16.4.1.

The XWiki team fixed the flaw in versions 15.10.11, 16.4.1 and 16.5.0RC1 (and all later releases) in February 2025; full details are in XWiki's security advisory for the CVE.
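The affected and fixed version boundaries above are easy to get wrong by hand because XWiki writes pre-releases as both "16.0.0-rc-1" and "16.5.0RC1". The following is an added example, not XWiki's or VulnCheck's code: it parses XWiki version strings into comparable tuples (pre-releases sorting before the final release of the same number) and applies the advisory's two affected ranges. The list of versions in the usage block is made up for illustration.

```python
import re

# XWiki release numbers look like "15.10.11", "16.4.1", "16.0.0-rc-1" or
# "16.5.0RC1": a pre-release suffix may appear with or without dashes, in any case.
VERSION_RE = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+)(?:\.(?P<patch>\d+))?"
    r"(?:-?(?P<pre>rc|milestone)-?(?P<pre_num>\d+))?$",
    re.IGNORECASE,
)

# Pre-releases sort before the final release with the same number.
PRE_RANK = {"milestone": 0, "rc": 1, None: 2}


def parse_version(text):
    """Turn an XWiki version string into a comparable tuple
    (major, minor, patch, pre_rank, pre_num)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised XWiki version: {text!r}")
    pre = m["pre"].lower() if m["pre"] else None
    return (
        int(m["major"]),
        int(m["minor"]),
        int(m["patch"] or 0),
        PRE_RANK[pre],
        int(m["pre_num"] or 0),
    )


# Boundaries from the advisory quoted in the article.
FIX_15 = parse_version("15.10.11")       # first patched 15.x release
FIRST_16 = parse_version("16.0.0-rc-1")  # first 16.x pre-release
FIX_16 = parse_version("16.4.1")         # first patched 16.x release


def is_vulnerable(text):
    """True if the given XWiki version is affected by CVE-2025-24893."""
    v = parse_version(text)
    if v < FIX_15:
        return True
    return FIRST_16 <= v < FIX_16


def triage(versions):
    """Map each version string to 'vulnerable', 'patched' or 'unrecognised'."""
    result = {}
    for text in versions:
        try:
            result[text] = "vulnerable" if is_vulnerable(text) else "patched"
        except ValueError:
            result[text] = "unrecognised"
    return result


if __name__ == "__main__":
    # Illustrative inventory, not real hosts.
    inventory = ["14.10.20", "15.10.10", "15.10.11", "16.0.0-rc-1",
                 "16.4.0", "16.4.1", "16.5.0RC1", "17.0.0", "latest"]
    for ver, state in triage(inventory).items():
        print(f"{ver:14} {state}")
```

A version check is only the first step. A server that sat exposed at a vulnerable version at any point since February 2025 should be treated as possibly compromised and checked for the downloader, the tcrond process and connections to c3pool.org described above, not just upgraded.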




