RondoDox Exploits Unpatched XWiki Servers to Pull ... - Cybrr

  • Nov 16, 2025
  • 2 min read

Key Findings:


  • RondoDox botnet malware is targeting unpatched XWiki instances to exploit a critical remote code execution vulnerability (CVE-2025-24893).

  • The vulnerability, with a CVSS score of 9.8, allows any guest user to execute arbitrary code through a request to the "/bin/get/Main/SolrSearch" endpoint.

  • The flaw was patched by XWiki in versions 15.10.11, 16.4.1, and 16.5.0RC1 released in late February 2025.

  • Evidence shows the vulnerability has been exploited in the wild since at least March 2025.

  • The U.S. CISA has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply necessary mitigations by November 20.

  • VulnCheck has observed a spike in exploitation attempts, with a new high on November 7 and another surge on November 11, indicating broader scanning and exploitation by multiple threat actors.

  • RondoDox is one of the threat actors observed exploiting the flaw to add new devices to its botnet for conducting distributed denial-of-service (DDoS) attacks.
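The two facts a defender acts on first are the fixed versions (15.10.11, 16.4.1, 16.5.0RC1) and the endpoint being hit ("/bin/get/Main/SolrSearch"). The script below is an added example, not code from the original post, from VulnCheck or from the XWiki project. It assumes that the 15.x line is fixed from 15.10.11 onward, the 16.x line from 16.4.1 onward (16.5.0RC1 sorts above 16.4.1), and that anything older than 15.10.11 has no fix; it also assumes deployments may mount XWiki under a prefix such as /xwiki/, so it matches the endpoint as a path suffix. The access-log lines are constructed for the example.

```python
"""Triage helpers for CVE-2025-24893 (XWiki SolrSearch eval injection).

Added example, not code from the original post or from XWiki. It encodes only
what the summary states: the fixed versions (15.10.11, 16.4.1, 16.5.0RC1) and
the endpoint "/bin/get/Main/SolrSearch". The log lines below are constructed.
"""
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# Fixed releases from the summary. Assumption: 15.x is fixed from 15.10.11,
# 16.x from 16.4.1 (16.5.0RC1 sorts above that), older lines have no fix.
_FIX_15 = (15, 10, 11)
_FIX_16 = (16, 4, 1)

_VERSION_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?")


def parse_version(version: str) -> tuple[int, int, int]:
    """Reduce a version string such as '16.5.0RC1' or '15.10.11' to its
    numeric (major, minor, patch) triple; pre-release tags are ignored."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = (int(g) if g is not None else 0 for g in m.groups())
    return major, minor, patch


def is_affected(version: str) -> bool:
    """True if this XWiki version predates the fix on its release line."""
    v = parse_version(version)
    if v[0] >= 17:          # lines released after the February 2025 fixes
        return False
    if v[0] == 16:
        return v < _FIX_16
    return v < _FIX_15      # 15.x, and every older line


SOLRSEARCH_PATH = "/bin/get/Main/SolrSearch"

# Combined Log Format: ip ident user [ts] "METHOD target proto" status size ...
_CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def find_solrsearch_hits(lines):
    """One record per request whose percent-decoded path contains the
    SolrSearch endpoint. Legitimate search traffic lands here too, so the
    output is a lead to compare against a baseline, not a verdict."""
    hits = []
    for line in lines:
        m = _CLF_RE.match(line)
        if not m:
            continue
        target = urlsplit(m.group("target"))
        if SOLRSEARCH_PATH in unquote(target.path):
            hits.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "method": m.group("method"),
                "status": int(m.group("status")),
                "has_query": bool(target.query),
            })
    return hits


def count_by_ip(hits):
    """Requests to the endpoint per source address, most active first."""
    return Counter(h["ip"] for h in hits).most_common()


# Constructed sample lines (not real traffic); the last one percent-encodes
# the 'S' in SolrSearch to show why the path is decoded before matching.
SAMPLE_LOG = [
    '203.0.113.7 - - [07/Nov/2025:10:14:02 +0000] "GET /xwiki/bin/get/Main/SolrSearch?text=sample HTTP/1.1" 200 512 "-" "curl/8.4.0"',
    '198.51.100.4 - - [07/Nov/2025:10:14:05 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 8213 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [07/Nov/2025:10:14:09 +0000] "GET /xwiki/bin/get/Main/SolrSearch?text=sample2 HTTP/1.1" 200 480 "-" "curl/8.4.0"',
    '192.0.2.9 - - [07/Nov/2025:10:20:31 +0000] "GET /xwiki/bin/get/Main/%53olrSearch HTTP/1.1" 404 0 "-" "python-requests/2.32"',
]

if __name__ == "__main__":
    for v in ("15.10.10", "15.10.11", "16.4.0", "16.5.0RC1", "17.2.0"):
        print(f"{v:>10}: {'AFFECTED' if is_affected(v) else 'fixed'}")
    for ip, n in count_by_ip(find_solrsearch_hits(SAMPLE_LOG)):
        print(f"{ip} -> {n} request(s) to {SOLRSEARCH_PATH}")
```

Run it against the real version string from the instance's administration page and against the reverse proxy's access log; a source address that hits the endpoint repeatedly in a short window, especially with a non-browser user agent, is the pattern worth pulling into incident handling.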


Background


The vulnerability in question, CVE-2025-24893, is an eval injection bug in the XWiki platform that could allow any guest user to perform arbitrary remote code execution. The flaw was discovered and patched by the XWiki maintainers in late February 2025, but exploitation in the wild has been observed since at least March 2025.


Exploitation by RondoDox Botnet


VulnCheck's analysis reveals that the RondoDox botnet has been actively exploiting the CVE-2025-24893 vulnerability to add new devices to its infrastructure. The first RondoDox exploit was observed on November 3, 2025, as part of the botnet's efforts to expand its reach.


Other Exploitation Attempts


In addition to RondoDox, VulnCheck has also observed other threat actors exploiting the vulnerability for various malicious purposes, including:


  • Delivery of cryptocurrency miners

  • Establishing reverse shells

  • General probing activity using a Nuclei template for CVE-2025-24893


Importance of Timely Patching


The findings highlight the need for organizations to maintain robust patch management so that security updates are applied promptly. That this vulnerability was picked up within months by botnets, miner operators, and opportunistic scanners alike underscores how quickly high-severity flaws like this one need to be addressed.


Sources


  • https://thehackernews.com/2025/11/rondodox-exploits-unpatched-xwiki.html

  • https://techjacksolutions.com/rondodox-exploits-unpatched-xwiki-servers-to-pull-more-devices-into-its-botnetthe-hacker-newsinfothehackernews-com-the-hacker-news/

  • https://www.reddit.com/r/InfoSecNews/comments/1oy6w9x/rondodox_exploits_unpatched_xwiki_servers_to_pull/

  • https://x.com/TheCyberSecHub/status/1989734194533253137

  • https://www.cypro.se/2025/11/15/rondodox-exploits-unpatched-xwiki-servers-to-pull-more-devices-into-its-botnet/

© 2025 by Explain IT Again