XWiki RCE Vulnerability Actively Exploited In Wild To Deliver Coinminer


A critical remote code execution (RCE) flaw in XWiki, a popular open-source wiki platform, was exploited in the wild to deploy cryptocurrency mining malware on compromised servers.

The vulnerability, tracked as CVE-2025-24893, allows unauthenticated attackers to inject malicious templates and execute arbitrary code, bypassing authentication entirely.

This discovery highlights the growing threat to web applications, where real-world attacks often outpace official listings such as CISA’s Known Exploited Vulnerabilities (KEV) catalog.

VulnCheck, a vulnerability intelligence firm, reported the exploitation based on data from their Canary network, which simulates vulnerable systems to detect attacks.

Unlike earlier reports from Cyble, Shadow Server, and CrowdSec that noted mere exploit attempts, VulnCheck’s observations reveal a sophisticated two-stage attack chain originating from an IP address in Vietnam.

The flaw, added to VulnCheck KEV in March 2025, involves template injection in XWiki’s SolrSearch endpoint, enabling attackers to run Groovy scripts for command execution.


The flaw's absence from CISA KEV underscores how exploitation can surge before formal recognition, leaving organizations exposed.

The Two-Stage Exploitation Process

The attack unfolds in two phases, separated by at least 20 minutes, to evade detection.

In the initial request, attackers send a URL-encoded GET to the SolrSearch endpoint, injecting an asynchronous Groovy payload that uses wget to download a downloader script named x640 from a command-and-control (C2) server at 193.32.208.24:8080.

This script saves to /tmp/11909 on the target system. The payload mimics legitimate browser traffic with a Firefox user agent to blend in.

Approximately 20 minutes later, a second request executes the staged file by invoking bash on /tmp/11909. The downloader then fetches two additional scripts, x521 and x522, piping them directly to bash for execution, VulnCheck said.

These scripts handle the payload delivery: x521 creates directories in /var/tmp, downloads the coinminer binary tcrond from the same C2, and sets executable permissions.

Meanwhile, x522 cleans the environment by killing competing miners like xmrig and kinsing, clears history logs, and launches tcrond with a configuration pointing to auto.c3pool.org on port 80.

The miner, UPX-packed for obfuscation, uses a Monero wallet address for payouts, indicating a low-sophistication but persistent operation.

All traffic traces back to 123.25.249.88, flagged in multiple AbuseIPDB reports for abusive activity.

Key Indicators

Defenders can use these indicators to hunt for similar activity across networks. The exploitation leverages transfer.sh for hosting payloads, a common tactic in cryptojacking campaigns.

| Indicator Type | Details |
| --- | --- |
| IP Addresses | 123.25.249.88 (Attacker, Vietnam); 193.32.208.24 (C2 Server) |
| File Hashes (SHA-256) | tcrond (packed): 0b907eee9a85d39f8f0d7c503cc1f84a71c4de10; tcrond (unpacked): 90d274c7600fbdca5fe035250d0baff20889ec2b; x521: de082aeb01d41dd81cfb79bc5bfa33453b0022ed; x522: 2abd6f68a24b0a5df5809276016e6b85c77e5f7f; x640: 5abc337dbc04fee7206956dad1e0b6d43921a868 |
| CVSS Score | 9.8 (Critical) – Unauthenticated RCE via template injection in XWiki versions prior to 15.10.6 |
| Affected Products | XWiki Enterprise, XWiki Standard; impacts web servers running vulnerable instances |

Organizations using XWiki should patch immediately to version 15.10.6 or later, monitor for anomalous wget traffic, and scan for these IOCs.
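As an added hunting illustration (not VulnCheck's or XWiki's code), the following Python scan applies the indicators above and the staged-request timing from the attack description to web server access logs. It assumes the Apache/nginx combined log format, constructed sample lines rather than real captures, and the SolrSearch path /xwiki/bin/get/Main/SolrSearch, which this page does not give.

```python
import re
from datetime import datetime
from urllib.parse import unquote_plus

# IP indicators taken from the article; the SolrSearch path and log format are assumptions.
IOC_IPS = {"123.25.249.88", "193.32.208.24"}
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
MACRO_RE = re.compile(r"\{\{\s*/?\s*(async|groovy)\b", re.IGNORECASE)  # XWiki macro markers in a query
TOOL_RE = re.compile(r"\b(wget|curl)\b", re.IGNORECASE)

# Constructed sample lines (not real captures). The query payload is elided to the
# macro markers plus the download tool / C2 / staged-file references a defender keys on.
SAMPLE_LOG = """\
123.25.249.88 - - [01/Nov/2025:10:00:00 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=%7B%7Basync%7D%7D%7B%7Bgroovy%7D%7D...wget%20193.32.208.24...%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0"
10.0.0.5 - - [01/Nov/2025:10:00:05 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=release+notes HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
123.25.249.88 - - [01/Nov/2025:10:21:00 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=%7B%7Basync%7D%7D%7B%7Bgroovy%7D%7D...bash%20%2Ftmp%2F11909...%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0"
"""

def analyse_line(line):
    """Return a finding dict for one access-log line, or None if nothing matched."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Decode twice so a double-encoded query still exposes the macro markers.
    decoded = unquote_plus(unquote_plus(m["path"]))
    reasons = []
    if "SolrSearch" in m["path"] and MACRO_RE.search(decoded):
        reasons.append("xwiki-macro-in-solrsearch-query")
    if TOOL_RE.search(decoded):
        reasons.append("download-tool-in-query")
    if m["ip"] in IOC_IPS:
        reasons.append("source-ip-is-ioc")
    if any(ioc in decoded for ioc in IOC_IPS):
        reasons.append("ioc-ip-in-query")
    if not reasons:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts, "status": m["status"], "reasons": reasons}

def scan(log_text):
    """All findings in a log, in file order."""
    return [f for f in map(analyse_line, log_text.splitlines()) if f]

def staged_sources(findings, min_gap_minutes=15):
    """Source IPs with two or more findings spread over at least min_gap_minutes:
    the delayed download-then-execute pattern described in the article. Returns ip -> span in minutes."""
    by_ip = {}
    for f in findings:
        by_ip.setdefault(f["ip"], []).append(f["ts"])
    return {ip: (max(t) - min(t)).total_seconds() / 60 for ip, t in by_ip.items()
            if len(t) >= 2 and (max(t) - min(t)).total_seconds() >= min_gap_minutes * 60}

if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for h in hits:
        print(h["ts"].isoformat(), h["ip"], h["status"], ",".join(h["reasons"]))
    print("staged sources:", staged_sources(hits))
```

Run it against a real combined-format log by replacing SAMPLE_LOG with the file contents; the status field lets you separate blocked (4xx/5xx) from successful (200) injection attempts.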

VulnCheck’s Canaries demonstrate the value of proactive threat intelligence in bridging gaps left by delayed official listings.
