CVE-2025-24893

ENISA EUVD: EUVD-2025-4562
Exploited in the Wild ✓ Confirmed 0-Day
Triaged: March 5, 2026 · 3 articles · Published: 2025-02-20

EPSS Score

Source: FIRST.org · 2026-05-23
93.75%
probability
This CVE has a 93.75% probability of being exploited in the next 30 days.
Top 99.9th percentile of all CVEs

CVSS v3.1

Source: VulnerabilityLookup (CIRCL)
9.8
CRITICAL
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

VulnerabilityLookup (CNA)
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any guest can perform arbitrary remote code execution through a request to `SolrSearch`. This impacts the confidentiality, integrity and availability of the whole XWiki installation. To reproduce on an instance, without being logged in, go to `<host>/xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28"Hello%20from"%20%2B%20"%20search%20text%3A"%20%2B%20%2823%20%2B%2019%29%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D%20`. If there is an output, and the title of the RSS feed contains `Hello from search text:42`, then the instance is vulnerable. This vulnerability has been patched in XWiki 15.10.11, 16.4.1 and 16.5.0RC1. Users are advised to upgrade. Users unable to upgrade may edit `Main.SolrSearchMacros` in `SolrSearchMacros.xml` on line 955 to match the `rawResponse` macro in `macros.vm#L2824` with a content type of `application/xml`, instead of simply outputting the content of the feed.

Affected Products

xwiki
xwiki-platform
>= 5.3-milestone-2, < 15.10.11
>= 16.0.0-rc-1, < 16.4.1

Attack Intelligence

Exploits & PoC

gunzf0x/CVE-2025-24893

PoC for CVE-2025-24893: XWiki's Remote Code Execution exploit for versions prior to 15.10.11, 16.4.1 and 16.5.0RC1.

21 2025-08-22
dollarboysushil/CVE-2025-24893-XWiki-Unauthenticated-RCE-Exploit-POC

CVE-2025-24893 is a critical unauthenticated remote code execution vulnerability in XWiki (versions < 15.10.11, 16.4.1, 16.5.0RC1) caused by improper

16 2025-08-04
iSee857/CVE-2025-24893-PoC

XWiki SolrSearchMacros remote code execution vulnerability PoC (CVE-2025-24893)

11 2025-04-01
Infinit3i/CVE-2025-24893

PoC exploits CVE-2025-24893 , a remote code execution (RCE) vulnerability in XWiki caused by improper sandboxing in Groovy macros rendered asynchronou

6 2025-09-02
Hex00-0x4/CVE-2025-24893-XWiki-RCE

This vulnerability could allow a malicious user to execute remote code by sending appropriately crafted requests to the default search engine SolrSear

6 2025-08-08
AliElKhatteb/CVE-2024-32019-POC

This is a PoC for CVE-2025-24893.

5 2025-08-03
hackersonsteroids/cve-2025-24893

Modified exploit for CVE-2025-24893

5 2025-08-03
D3Ext/CVE-2025-24893

POC exploit for CVE-2025-24893

4 2025-08-09
3 2025-08-06
torjan0/xwiki_solrsearch-rce-exploit

Unauth RCE PoC for XWiki SolrSearch (CVE-2025-24893). Command exec + reverse shell.

2 2025-11-29
IIIeJlyXaKapToIIIKu/CVE-2025-24893-XWiki-unauthenticated-RCE-via-SolrSearch

CVE-2025-24893 is a critical unauthenticated remote code execution (RCE) vulnerability in XWiki, a popular open-source enterprise wiki platform.

1 2025-08-07
x0da6h/POC-for-CVE-2025-24893

Some poorly crafted exploit scripts

1 2025-09-20
80Ottanta80/CVE-2025-24893-PoC

XWiki Unauthenticated RCE Exploit for Reverse Shell

1 2025-11-11
BreakingRohit/CVE-2025-24893-PoC

Proof of Concept for CVE-2025-24893 demonstrating unauthenticated remote command execution in XWiki through unsafe server-side template evaluation.

1 2025-12-28
AzureADTrent/CVE-2025-24893-Reverse-Shell

Reverse Shell Payload for CVE-2025-24893

0 2025-08-03
gmh5225/CVE-2025-24893-RCE-PoC

This is a small script for the rce vulnerability for CVE-2025-24893. It supports basic input/output

0 2025-08-03
zs1n/CVE-2025-24893

PoC | XWiki Platform 15.10.10 - Remote Code Execution

0 2025-08-05
investigato/cve-2025-24893-poc

Proof-of-Concept exploit for CVE-2025-24893, an unauthenticated Remote Code Execution (RCE) vulnerability in XWiki. Exploits a template injection fla

0 2025-08-07
mah4nzfr/CVE-2025-24893

Bash POC script for RCE vulnerability in XWiki Platform

0 2025-08-31
alaxar/CVE-2025-24893

XWiki 15.10.11, 16.4.1 and 16.5.0RC1 Unauthenticated Remote code execution POC

0 2025-08-08
Retro023/CVE-2025-24893-POC

A POC for CVE-2025-24893 written in python

0 2026-01-26
CMassa/CVE-2025-24893

PoC exploit for XWiki Remote Code Execution Vulnerability (CVE-2025-24893)

0 2025-08-15
ibadovulfat/CVE-2025-24893

A critical remote code execution (RCE) vulnerability (CVE-2025-24893) exists in the XWiki Platform, specifically in the SolrSearch RSS feed endpoint.

0 2026-01-01
Bishben/xwiki-15.10.8-reverse-shell-cve-2025-24893

CVE-2025-24893 RCE exploit for XWiki with reverse shell capability

0 2025-09-10
TomKingori/xwiki-cve-2025-24893-exploit

Unauthenticated RCE exploit for XWiki CVE-2025-24893 via Groovy script injection

0 2026-01-09
nohack1212/CVE-2025-24893-

CVE-2025-24893 | Remote code execution vulnerability in the XWiki platform (proof of concept)

0 2026-01-26
rippsec/CVE-2025-24893-XWiki-SSTI-RCE

CVE-2025-24893 – XWiki SSTI unauthenticated RCE exploit (HackTheBox CTF)

0 2026-04-16
36 repos, sorted by stars

Signal Intelligence

Confidence
92%
EPSS 93.75%
CVSS v3.1 9.8
Mentions 3
Last Seen Jan 01, 2026

CNA Information

CNA Assigner
GitHub_M
CNA Title
Remote code execution as guest via SolrSearchMacros request in xwiki

Analyst Note

CVE-2025-24893 shows clear zero-day characteristics: published 2025-02-20, actively exploited in the wild by RondoDox botnet targeting unpatched XWiki instances within weeks of disclosure, and explicitly named in CISA alerts as 'under attack'. The very short window between publication and documented exploitation, combined with critical CVSS 9.8 severity and active threat actor targeting, confirms zero-day status.

Threat Actors 5

Cobalt
apt_group Financial crime 🇷🇺 RU
Hacking Team
apt_group 🇮🇹 IT
Red October
apt_group 🇷🇺 RU
Operation Red Signature
apt_group Information theft and espionage 🇨🇳 CN
Mana Team
apt_group 🇨🇳 CN

Triage Info

Decided at: Mar 05, 2026
Published Date: Feb 20, 2025