Most security teams know RondoDox as a relatively new botnet that loves edge devices, routers, DVRs and anything cheap, exposed and unpatched. Meanwhile, many teams treat their internal wiki as background noise. However, XWiki now sits in the crosshairs of the same campaign.
RondoDox operators added CVE-2025-24893, a critical eval injection flaw in XWiki, to their exploit arsenal. As a result, any internet-facing XWiki instance that still runs vulnerable versions can become one more node in a mining-focused botnet, and sometimes one more foothold inside a larger environment.
Therefore, security teams need to treat the wiki like any other internet-facing application, not as a harmless documentation engine.
CVE-2025-24893: Pre-Auth Eval Injection on SolrSearch
CVE-2025-24893 hits the XWiki Platform's SolrSearch functionality. In affected versions, the application mishandles search parameters and evaluates attacker-controlled Groovy expressions in the context of the server. Because XWiki exposes SolrSearch to guest users, the flaw grants unauthenticated remote code execution to anyone who can reach the endpoint.
In practice, an attacker sends a crafted request against the SolrSearch macro (for example via a path such as /bin/get/Main/SolrSearch on vulnerable builds). The injected payload executes directly on the server, which means the adversary gains shell-level control with a single HTTP request.
XWiki maintainers fixed the issue in releases like 15.10.11, 16.4.1 and 16.5.0 RC1. However, many deployments lag behind because teams either forget the wiki or assume that limited external usage lowers risk. RondoDox now exploits that gap.
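A patch-triage helper, added here as an example (not XWiki's or the article's code), that sorts an asset inventory by the fixed releases named above. It assumes, conservatively, that every build below 15.10.11 on the 15.x-and-earlier lines is vulnerable, and that XWiki pre-release tags ("milestone", "rc") sort before the final release of the same number; the inventory is constructed sample data.

```python
import re

# Fixed releases named in the advisory: 15.10.11, 16.4.1, 16.5.0 RC1.
# Assumption (ours, for triage): everything below 15.10.11 on 15.x and
# earlier is treated as vulnerable, which is the conservative choice.
FIXED_15 = (15, 10, 11)
FIXED_16 = (16, 4, 1)

# XWiki pre-release suffixes sort before the final release of that number.
_STAGE_RANK = {"milestone": 0, "rc": 1, "final": 2}
_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)(?:\.(\d+))?(?:[ -]?(milestone|rc)-?(\d+))?$", re.IGNORECASE
)

def parse_version(version: str) -> tuple:
    """Turn '16.5.0-rc-1' into a sortable tuple (16, 5, 0, 1, 1)."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised XWiki version string: {version!r}")
    major, minor, patch, stage, stage_num = m.groups()
    rank = _STAGE_RANK[stage.lower()] if stage else _STAGE_RANK["final"]
    return (int(major), int(minor), int(patch or 0), rank, int(stage_num or 0))

def is_vulnerable(version: str) -> bool:
    """True if this build predates the fix on its release branch."""
    v = parse_version(version)
    final = (_STAGE_RANK["final"], 0)
    if v[0] <= 15:
        return v < FIXED_15 + final
    if v[0] == 16:
        return v < FIXED_16 + final   # 16.5.0 RC1 and later sort above 16.4.1
    return False                      # 17.x and later were cut after the fix

def triage(inventory: dict) -> list:
    """Return the hostnames whose reported version still needs the patch."""
    return sorted(host for host, ver in inventory.items() if is_vulnerable(ver))

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "wiki-prod.example.internal": "16.4.0",
    "wiki-stage.example.internal": "16.5.0-rc-1",
    "wiki-legacy.example.internal": "14.10.21",
    "wiki-new.example.internal": "16.4.1",
}

if __name__ == "__main__":
    print("still vulnerable:", triage(SAMPLE_INVENTORY))
```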
RondoDox Botnet Profile: From Edge Devices to Wiki Servers
Initially, researchers saw RondoDox focus on command-injection bugs in routers, DVRs and small-office network gear. Trend-style telemetry and later work from several vendors showed the botnet chaining more than fifty vulnerabilities across roughly thirty products to gain shell access, deploy multi-architecture binaries and run crypto-mining or DDoS tasks.
As the campaign matured, the operators treated XWiki as simply another internet-exposed service. They already scan large address ranges and maintain exploit modules for many CVEs, so adding SolrSearch eval injection cost them very little. However, the upside looks attractive: wiki servers usually sit on better hardware than CCTV boxes and often reach deeper into internal networks.
In addition, XWiki frequently runs with access to LDAP, SSO and internal data sources. Because of that, compromise of the wiki can set up lateral movement beyond "just" mining.
Exploit Chain: From Scan to Miner
RondoDox follows a straightforward exploit chain against XWiki:
First, scanners probe for XWiki fingerprints and version information. They look for characteristic response headers, paths and HTML signatures that distinguish XWiki from other Java web applications.
Next, they fire SolrSearch requests that carry malicious Groovy payloads in search parameters. Because vulnerable versions evaluate those expressions as part of the SolrSearch macro, the botnet gains code execution without any authentication.
Then, the operator pulls a small staging script. That script downloads and runs the main botnet binary plus a crypto-mining payload. VulnCheck canaries and other telemetry sources already show exactly this two-stage pattern: RCE via CVE-2025-24893 followed by coin-miner deployment.
Finally, the compromised server joins the RondoDox C2 infrastructure. It starts mining and remains ready for additional tasks such as scanning, DDoS or further exploitation of neighboring systems. Because the whole sequence rides on one HTTP endpoint, the attack surface looks small yet extremely powerful.
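A log-side detection for the second step of the chain, added here as an example (not the article's or any vendor's rule): it flags requests to a SolrSearch page whose query string, after undoing nested percent-encoding, carries a Groovy marker. The access-log lines are constructed samples in combined log format, with the payload portion redacted; the path pattern assumes the default /bin/get or /bin/view URL layout.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines (combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Nov/2025:03:14:07 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=%7B%7Bgroovy%7D%7DREDACTED HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Nov/2025:03:14:09 +0000] "GET /xwiki/bin/get/Main/SolrSearch?text=onboarding+checklist HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Nov/2025:03:14:11 +0000] "GET /xwiki/bin/get/Main/SolrSearch?text=%25257B%25257B%2567roovy HTTP/1.1" 200 512 "-" "curl/8.4"
192.0.2.5 - - [12/Nov/2025:03:15:00 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# SolrSearch lives in a wiki space (Main by default); match any space name.
SOLR_PATH_RE = re.compile(r"/bin/(?:get|view)/[^/]+/SolrSearch$")

def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo nested percent-encoding; double-encoding defeats single-pass matching."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_solrsearch(line: str):
    """Return (client ip, decoded query) for a SolrSearch request carrying Groovy markers."""
    m = LOG_RE.match(line)
    if not m:
        return None                       # not a request line we understand
    parts = urlsplit(m["target"])
    if not SOLR_PATH_RE.search(parts.path):
        return None                       # ordinary page view, not the search macro
    decoded = fully_decode(parts.query)
    if "groovy" in decoded.lower():       # guests have no business sending Groovy here
        return m["ip"], decoded
    return None

def scan_log(text: str) -> list:
    """Run the check over every line and keep the hits."""
    return [hit for hit in (suspicious_solrsearch(l) for l in text.splitlines()) if hit]

if __name__ == "__main__":
    for ip, query in scan_log(SAMPLE_LOG):
        print(f"ALERT SolrSearch Groovy marker from {ip}: {query}")
```

Pair a hit with the version triage from your inventory: an unpatched host plus this pattern in its logs is the cue to look for the staging script and miner described above.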
Timeline: From Disclosure to KEV and Botnet
XWiki maintainers disclosed and patched the eval injection earlier in 2025. Shortly after that, exploit proof-of-concepts appeared on GitHub, and Metasploit gained a dedicated module. Therefore, the vulnerability quickly moved from internal advisory to widely reproducible exploit.
By mid-year, research platforms and canary networks observed live exploitation of CVE-2025-24893 to drop miners, even before every major government list recognized it. Later, CISA added the XWiki eval injection to the Known Exploited Vulnerabilities catalog and required US federal agencies to remediate within tight deadlines.
However, KEV inclusion did not instantly fix private-sector deployments. Many organizations still treat the wiki as "just documentation," not as part of critical attack surface. RondoDox profited from that blind spot and kept abusing unpatched servers even after the KEV entry went live.
Why XWiki Makes a Good Botnet Target
XWiki often runs on well-provisioned application servers because teams expect it to handle internal traffic and search workloads. Consequently, a single compromise yields far more CPU power for mining than a random IoT camera.
Moreover, many deployments integrate XWiki with corporate identity providers, legacy content sources and automation glue. Attackers know that admin accounts sometimes
3 thoughts on “RondoDox Botnet Exploits XWiki CVE-2025-24893 on Servers”