A malware botnet known as RondoDox has been observed actively targeting unpatched XWiki instances by leveraging a critical security flaw that enables attackers to achieve arbitrary code execution. The vulnerability in question is CVE-2025-24893, a severe $\text{eval}$ injection bug with a CVSS score of 9.8. This flaw permits any guest user to perform arbitrary remote code execution simply by sending a request to the /bin/get/Main/SolrSearch edpoint. Maintainers addressed the issue in late February 2025, releasing patches in XWiki versions 15.10.11, 16.4.1, and 16.5.0RC1.
There was evidence that this shortcoming had been actively exploited in the wild since at least March 2025. However, it wasn’t until late October that the cybersecurity firm VulnCheck publicly disclosed that they had observed fresh attempts to weaponize the flaw as part of a two-stage attack chain designed to deploy a cryptocurrency miner. This discovery prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. This addition mandated that federal agencies apply the necessary mitigations by a deadline of November 20.
In a recent report published on Friday, VulnCheck revealed a spike in exploitation attempts since the initial reports, hitting a new high on November 7, followed by another significant surge on November 11. This pattern strongly suggests a broader scanning activity for vulnerable systems, likely driven by a collective effort involving multiple threat actors. This highlights an increased and sustained interest in compromising the unpatched XWiki installations.
One of the actors involved is RondoDox, a botnet that is rapidly incorporating new exploitation vectors to enroll susceptible devices into its network. The resulting botnet is then used to conduct distributed denial-of-service (DDoS) attacks utilizing HTTP, UDP, and TCP protocols. According to the cybersecurity company, the first RondoDox exploit related to this XWiki vulnerability was observed on November 3, 2025. This botnet is quickly becoming a major threat vector leveraging newly disclosed flaws.
Besides RondoDox, other observed attacks have involved exploiting the flaw to deliver various payloads, including additional cryptocurrency miners. Furthermore, analysts have noted attempts to establish a reverse shell for persistent access and general probing activity using a Nuclei template specifically developed for CVE-2025-24893. These findings collectively underscore the critical need for organizations to adopt robust patch management practices to ensure optimal protection against immediate and evolving threats, as one initial attacker is often quickly followed by many others seeking to leverage the same vulnerability.
Reference:
