Current Cyber Threats

RondoDox Exploits Unpatched XWiki Servers to Pull More Devices Into Its Botnet

Summary:
CVE-2025-24893 is a critical remote code execution flaw impacting XWiki, an open-source wiki platform. XWiki includes a macro called SolrSearch that provides full-text search through the embedded Solr engine. The vulnerability arises because the SolrSearch endpoint improperly handles Groovy expressions embedded in search queries. By manipulating parameters in a specially crafted request, an actor can execute arbitrary Groovy code remotely, without authentication.

On October 30, 2025, CISA added CVE-2025-24893 to its known exploited vulnerabilities catalog. Since then, VulnCheck’s Canary Intelligence has observed an uptick in scanning and exploitation attempts. VulnCheck notes that multiple attackers are actively targeting CVE-2025-24893. This includes RondoDox, which has added CVE-2025-24893 to its arsenal to rope vulnerable devices into a botnet — the first RondoDox exploit was observed on November 3, 2025.

"These attacks are easily attributed to RondoDox based on its well-known HTTP User-Agent and secondary payload naming convention (rondo.<value>.sh). The associated payload servers are also well documented. For example, 74[.]194[.]191[.]52 can be seen below in a RondoDox exploitation of CVE-2025-24893," noted VulnCheck in its blog post.

In addition to RondoDox, other actors are exploiting the flaw to deliver cryptocurrency miners and issue reverse shell commands, enabling remote access to targeted systems.
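The brief gives two concrete RondoDox indicators (the rondo.<value>.sh payload naming convention and the payload server 74[.]194[.]191[.]52) and describes the flaw as Groovy expressions inside SolrSearch queries. The following is an added example, not code from the brief or from VulnCheck, showing how a defender might triage web-server access logs for those signals. The log lines are constructed for the example (RFC 5737 addresses), the log format is assumed to be Apache/nginx combined format, and treating the word "groovy" in a SolrSearch query as suspicious is an assumption derived from the brief's description rather than a published signature. The RondoDox User-Agent is not given on the page, so it is not checked here.

```python
import re
from urllib.parse import unquote_plus

# Indicators taken from the brief: payload naming convention and one payload server IP.
RONDO_PAYLOAD_RE = re.compile(r"rondo\.[A-Za-z0-9_-]+\.sh\b", re.IGNORECASE)
RONDO_PAYLOAD_SERVER = "74.194.191.52"

# Assumed indicator: the flaw is Groovy inside SolrSearch queries, so a Groovy
# reference in the query string of a SolrSearch request is flagged for review.
SOLRSEARCH_PATH = "/SolrSearch"
GROOVY_RE = re.compile(r"groovy", re.IGNORECASE)

# Combined log format: ip ident user [ts] "METHOD target PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    # ordinary search, no indicators
    '203.0.113.5 - - [05/Nov/2025:10:00:01 +0000] "GET /xwiki/bin/get/Main/SolrSearch?text=backup+policy HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    # Groovy reference inside a SolrSearch query (query body elided in the sample)
    '198.51.100.7 - - [05/Nov/2025:10:00:02 +0000] "GET /xwiki/bin/get/Main/SolrSearch?text=%7B%7Bgroovy%7D%7D%5Belided%5D HTTP/1.1" 200 2048 "-" "curl/8.4.0"',
    # same source, query referencing the documented payload server and naming convention
    '198.51.100.7 - - [05/Nov/2025:10:00:03 +0000] "GET /xwiki/bin/get/Main/SolrSearch?text=http%3A%2F%2F74.194.191.52%2Frondo.x86.sh HTTP/1.1" 200 2048 "-" "curl/8.4.0"',
    # unrelated page view
    '203.0.113.9 - - [05/Nov/2025:10:00:04 +0000] "GET /xwiki/bin/view/Main/ HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
]


def classify_request(line):
    """Return the indicator names matched by one log line ([] if clean, None if unparsable)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Decode percent-encoding so obfuscated query strings are compared in plain text.
    target = unquote_plus(m.group("target"))
    path, _, query = target.partition("?")
    haystack = " ".join([target, m.group("referer"), m.group("ua")])
    hits = []
    if SOLRSEARCH_PATH in path and GROOVY_RE.search(query):
        hits.append("groovy-in-solrsearch-query")
    if RONDO_PAYLOAD_RE.search(haystack):
        hits.append("rondodox-payload-name")
    if RONDO_PAYLOAD_SERVER in haystack:
        hits.append("rondodox-payload-server")
    return hits


def triage(lines):
    """Map each source IP with at least one hit to the sorted list of indicators seen from it."""
    findings = {}
    for line in lines:
        hits = classify_request(line)
        if hits:
            ip = LOG_RE.match(line).group("ip")
            findings.setdefault(ip, set()).update(hits)
    return {ip: sorted(names) for ip, names in findings.items()}


if __name__ == "__main__":
    for ip, names in triage(SAMPLE_LOG).items():
        print(f"{ip}: {', '.join(names)}")
```

A legitimate user searching the wiki for the word "groovy" will trip the first check, so treat that indicator as a triage signal to be read together with the response status, request rate and any payload-server or payload-name hit from the same source, not as a standalone alert.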

Security Officer Comments:
Since many XWiki instances expose the SolrSearch endpoint to the internet, unpatched installations can easily be exploited to download and execute malicious payloads. CVE-2025-24893 was patched by the maintainers of XWiki back in February 2025, but we are still seeing exploitation attempts in the wild. With RondoDox actively exploiting CVE-2025-24893, the number of compromised devices incorporated into the botnet continues to grow, and those devices are then used to launch further attacks such as denial of service, credential stuffing, brute forcing, and more.

Suggested Corrections:
CVE-2025-24893 was patched in XWiki versions 15.10.11, 16.4.1, and 16.5.0-RC1. Organizations running XWiki installations should immediately apply the patches and restrict the internet exposure of XWiki servers to reduce the overall attack surface.
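The fix landed on three branches at once, so "is this instance patched?" depends on which branch it runs. The following is an added example, not code from the brief or from the XWiki project, that compares an inventory of installed versions against the fix versions stated above. It assumes XWiki-style version strings (major.minor.patch with optional -milestone-N or -rc-N suffix, with milestone sorting below rc and rc below the final release), and it treats anything older than the 15.x fix, including 14.x and earlier, as unpatched; that last point is an assumption, since the brief lists only fix versions and not the oldest affected release.

```python
import re

# Fix versions exactly as stated in the brief, one per maintained branch.
FIX_15X = "15.10.11"
FIX_16_0_TO_16_4 = "16.4.1"
FIX_16_5_PLUS = "16.5.0-RC1"

# Assumed ordering of pre-release tags: milestone < rc < final release.
_PRE_RANK = {"milestone": 0, "rc": 1}
_FINAL_RANK = 2

# Accepts "15.10.11", "16.5.0-RC1" and "16.5.0-rc-1" style strings.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-([A-Za-z]+)-?(\d+)?)?$")


def version_key(version):
    """Turn an XWiki version string into a tuple that compares in release order."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised XWiki version: {version!r}")
    major, minor, patch, tag, num = m.groups()
    if tag is None:
        return (int(major), int(minor), int(patch or 0), _FINAL_RANK, 0)
    rank = _PRE_RANK.get(tag.lower())
    if rank is None:
        raise ValueError(f"unrecognised pre-release tag in {version!r}")
    return (int(major), int(minor), int(patch or 0), rank, int(num or 0))


def is_patched(version):
    """True if this XWiki version carries the CVE-2025-24893 fix for its branch."""
    key = version_key(version)
    major, minor = key[0], key[1]
    if major < 15:
        # Assumption: branches older than 15.x received no fix, so treat them as unpatched.
        return False
    if major == 15:
        return key >= version_key(FIX_15X)
    if major == 16 and minor < 5:
        return key >= version_key(FIX_16_0_TO_16_4)
    # 16.5 and every later release line include the fix from 16.5.0-RC1 onward.
    return key >= version_key(FIX_16_5_PLUS)


def audit(installed):
    """Return the subset of {hostname: version} that still needs the patch."""
    return {host: v for host, v in installed.items() if not is_patched(v)}


if __name__ == "__main__":
    # Constructed inventory for the example (hostnames and versions are not real).
    inventory = {
        "wiki-lts": "15.10.10",
        "wiki-stable": "16.4.1",
        "wiki-preview": "16.5.0-milestone-1",
        "wiki-legacy": "14.10.21",
    }
    for host, version in audit(inventory).items():
        print(f"{host}: {version} is NOT patched for CVE-2025-24893")
```

Run this against whatever inventory your asset management exports; any host it reports should be upgraded to its branch's fix version or later, and until then kept off the public internet as the correction above recommends.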

Link(s):
https://thehackernews.com/2025/11/rondodox-exploits-unpatched-xwiki.html