CVE-2025-24893: XWiki Zero-Day Exploited by RondoDox Botnet and Cryptominers
The recent surge in activity surrounding an XWiki vulnerability underscores how swiftly weaknesses in widely used platforms can be transformed into launchpads for large-scale attacks. The unfolding pattern makes clear that once the first successful intrusions are observed, multiple threat actors join the fray, and the scope of the danger expands by the day.
The issue stems from CVE-2025-24893, rated 9.8 on the CVSS scale. This flaw allows an unauthenticated guest user to execute arbitrary code remotely by invoking “/bin/get/Main/SolrSearch.” Developers patched the vulnerability in XWiki versions 15.10.11, 16.4.1, and 16.5.0RC1 at the end of February 2025. Nevertheless, a number of servers continue to run outdated builds, leaving the door open for unauthorized access. Initial confirmations of exploitation appeared in the spring, and by late October, VulnCheck reported new attack chains leveraging the flaw to deploy a cryptominer.
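Because the fix shipped as three separate builds (15.10.11, 16.4.1 and 16.5.0RC1), deciding whether a given install is still exposed means comparing against the right release branch and ordering pre-release qualifiers correctly. The following Python helper is an added example written for this article, not code from XWiki or VulnCheck; it assumes XWiki's usual "milestone < RC < final" ordering for qualifiers and that every branch newer than 16.5.0RC1 already carries the fix, both of which are assumptions rather than statements from the advisory.

```python
import re
import sys

# Builds in which the fix shipped, as stated in the article.
FIXED_VERSIONS = ("15.10.11", "16.4.1", "16.5.0RC1")

# Ordering of pre-release qualifiers relative to a final release.
# Assumption about XWiki's scheme: milestone < RC < final release.
_QUALIFIER_RANK = {"milestone": 0, "rc": 1, "": 2}

_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)(?:\.(\d+))?"             # major.minor[.patch]
    r"(?:[-.]?(milestone|rc)[-.]?(\d+))?$",  # optional qualifier: RC1, -rc-1, -milestone-2
    re.IGNORECASE,
)


def parse_version(text):
    """Turn an XWiki version string into a tuple that sorts in release order."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised XWiki version: {text!r}")
    major, minor, patch, qualifier, qnum = m.groups()
    rank = _QUALIFIER_RANK[(qualifier or "").lower()]
    return (int(major), int(minor), int(patch or 0), rank, int(qnum or 0))


def is_vulnerable(version):
    """True if this build predates the CVE-2025-24893 fix on its release branch."""
    v = parse_version(version)
    major, minor = v[0], v[1]
    if major < 15:
        return True                      # older branches never received the fix
    if major == 15:
        return v < parse_version("15.10.11")
    if major == 16:
        if minor <= 4:
            return v < parse_version("16.4.1")
        return v < parse_version("16.5.0RC1")   # 16.5.0 milestones predate the fix
    return False                         # assumption: 17.x and later include the fix


if __name__ == "__main__":
    for arg in sys.argv[1:] or ["15.10.10", "16.4.1", "16.5.0-milestone-2"]:
        state = "VULNERABLE" if is_vulnerable(arg) else "patched"
        print(f"{arg:>22}: {state} (fixed in {', '.join(FIXED_VERSIONS)})")
```

The version string to feed in is the one the running instance reports (for example from its administration page); the check only covers this CVE, so a build reported as "patched" here may still be missing later security fixes.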
Shortly thereafter, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-24893 to its catalog of actively exploited vulnerabilities and required federal agencies to apply security updates by November 20. Against this backdrop, VulnCheck recorded a sharp rise in malicious activity: a peak on November 7, followed by another spike on the 11th. This trend reflects an expanding circle of attackers simultaneously scanning the internet for exposed targets.
One of the competitors in this race is the RondoDox botnet, known for its eagerness to adopt new exploitation techniques to broaden its network of compromised devices. Since late October, it has been abusing the XWiki flaw to pull vulnerable servers into an infrastructure used for HTTP, UDP, and TCP DDoS attacks. The first attempts were observed on November 3. In parallel, other groups have been exploiting the same weakness to install miners, establish reverse shells, and harvest configuration data, relying in part on Nuclei templates to identify suitable targets.
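With several unrelated actors scanning for the same endpoint, an administrator's first question is usually whether their own server has already been probed. The script below is an added example for this article, not tooling from VulnCheck or the XWiki project: it parses web-server access logs in the common "combined" format, keeps only requests whose path contains the endpoint named above, and groups them by source address. The log lines embedded in it are constructed for the example (documentation-range addresses, a date taken from the article's peak day); the context root /xwiki/ and the user-agent strings are likewise assumptions, and the endpoint is also used by XWiki's own AJAX search, so a hit is a lead to review rather than proof of compromise.

```python
import re
import sys
from collections import defaultdict

# Endpoint named in the advisory; matched as a path substring so that a
# deployment under a context root such as /xwiki/ (an assumption) is also covered.
SOLR_SEARCH_PATH = "/bin/get/Main/SolrSearch"

# Apache/nginx "combined" access-log format.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "[^"]*" "(?P<ua>[^"]*)"'
)

# Constructed sample: one ordinary page view, one normal 'view' search,
# and two clients repeatedly requesting the 'get' endpoint.
SAMPLE_LOG = [
    '203.0.113.10 - - [07/Nov/2025:09:12:01 +0000] "GET /xwiki/bin/view/Main/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [07/Nov/2025:09:12:44 +0000] "GET /xwiki/bin/get/Main/SolrSearch?text=test HTTP/1.1" 200 311 "-" "Go-http-client/1.1"',
    '198.51.100.7 - - [07/Nov/2025:09:12:45 +0000] "GET /xwiki/bin/get/Main/SolrSearch?text=test HTTP/1.1" 200 298 "-" "Go-http-client/1.1"',
    '203.0.113.10 - - [07/Nov/2025:09:13:02 +0000] "GET /xwiki/bin/view/Main/SolrSearch?text=release+notes HTTP/1.1" 200 8802 "-" "Mozilla/5.0"',
    '192.0.2.55 - - [07/Nov/2025:09:15:10 +0000] "GET /xwiki/bin/get/Main/SolrSearch HTTP/1.1" 403 0 "-" "python-requests/2.31"',
]


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = _LOG_RE.match(line)
    return m.groupdict() if m else None


def find_solr_search_hits(lines):
    """Group requests for the SolrSearch 'get' endpoint by source address.

    Returns {ip: {"count", "statuses", "agents", "first", "last"}} so that
    a reviewer can see how many times each client hit the endpoint, what the
    server answered, which user agents it claimed, and over what time span.
    """
    hits = defaultdict(lambda: {"count": 0, "statuses": set(), "agents": set(),
                                "first": None, "last": None})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                                   # skip unparseable lines
        path = rec["target"].split("?", 1)[0]          # ignore the query string
        if SOLR_SEARCH_PATH not in path:
            continue
        h = hits[rec["ip"]]
        h["count"] += 1
        h["statuses"].add(rec["status"])
        h["agents"].add(rec["ua"])
        h["first"] = h["first"] or rec["time"]
        h["last"] = rec["time"]
    return dict(hits)


def summarize(hits):
    """Sort sources by hit count, busiest first, for a quick triage view."""
    return sorted(((ip, h["count"]) for ip, h in hits.items()), key=lambda t: -t[1])


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as f:
            lines = f.read().splitlines()
    else:
        lines = SAMPLE_LOG
    hits = find_solr_search_hits(lines)
    for ip, count in summarize(hits):
        h = hits[ip]
        print(f"{ip:>16}  hits={count:<4} status={','.join(sorted(h['statuses']))}  "
              f"{h['first']} .. {h['last']}  ua={' | '.join(sorted(h['agents']))}")
```

Run it against a real access log with the file path as the first argument. A 200 response to a request from an address that never loads anything else on the wiki is the kind of entry worth a closer look, especially on a build older than the patched versions; the query strings themselves are deliberately not interpreted here, since the point is to find candidate sessions to review, not to classify payloads.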
This situation illustrates how quickly a single vulnerability can be weaponized by multiple, unrelated threat actors. The VulnCheck investigation emphasizes that once the first successful intrusion occurs, botnets, miners, and automated scanners rapidly join in, acting independently yet simultaneously. In such an environment, keeping server software fully up to date remains the only truly reliable means of reducing risk.