A critical security flaw is being actively exploited by cybercriminals to compromise corporate XWiki servers for cryptomining. It is an urgent threat targeting unpatched installations of the open-source documentation software, which is widely used by companies to manage and share internal documents.
The flaw, tracked as CVE-2025-24893 and located in XWiki's Solr Search feature, is a severe Remote Code Execution (RCE) vulnerability that gives attackers full control of the server without needing a password.
While this flaw has been known since March 2025, new research from VulnCheck confirms it is now being actively used in the wild. The full details of this new wave of attacks were published by VulnCheck on October 28 and shared with Hackread.com.
The Exploit: A Flaw in the Search Bar
The attack uses a simple but highly effective trick. Hackers send a poisoned search request to a specific web address on the XWiki server: /xwiki/bin/get/Main/SolrSearch. Instead of a normal query, they hide malicious commands inside the request. Because the Solr Search feature is misconfigured, it treats these commands as legitimate server instructions and executes them, immediately granting the attacker unauthorised access.
The Two-Step Attack Chain
Using their detection tools, VulnCheck researchers captured the entire attack chain, confirming it is a two-step process designed to install a coin-mining program, a practice known as cryptojacking. The initial attack traffic was traced back to an IP address in Vietnam, with exploitation attempts logged as recently as October 26, 2025.
“All attack traffic originates from 123.25.249.88, an IP that geolocates to Vietnam and appears in several recent AbuseIPDB reports,” researchers explained in the blog post.
The attack sequence is split into two phases. Phase 1 begins by deploying a small downloader file to the server's temporary directory. Then, after about 20 minutes, Phase 2 executes the downloader, which fetches additional malicious scripts from a secondary server hosted in the UK by Hydra Communications, using a service called transfer.sh.
The final stage installs the coinminer, tcrond, which is configured to connect to the c3pool.org mining pool. The malware is even programmed to remove any competing miner software so as to reserve the server's resources solely for the attackers.
VulnCheck's research provides key Indicators of Compromise (IoCs), including the malicious IP addresses 123.25.249.88 and 193.32.208.24, for security teams to detect and block this activity.
Immediate Action: Patch Now
It is important to note that CVE-2025-24893 (CVSS score: 9.8) is currently NOT in CISA's official KEV catalogue. VulnCheck researchers note that this highlights how “real-world exploitation often precedes official recognition,” which means organisations must act quickly and not wait for official government lists to confirm the threat.
Your XWiki installation is vulnerable if it is running:
- Any version prior to 15.10.11.
- Any version from 16.0.0-rc-1 up to, but not including, 16.4.1.
The XWiki team released fixes in versions 15.10.11, 16.4.1, and 16.5.0RC1 (or newer) back in February 2025; details are available here.
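Two checks a defender can run on the facts in this article, as an added example that is not part of the original article or of VulnCheck's report: the affected-version rule from the list above (release candidates sort before the final release, which matters for the 16.0.0-rc-1 boundary), and a triage pass over web-server access logs for the /xwiki/bin/get/Main/SolrSearch endpoint and the two IoC addresses quoted above. The log lines are constructed, the combined-log regex assumes the default nginx/Apache format, and the "suspicious characters in the search query" heuristic is an assumption of this example, not something the article or VulnCheck describe.

```python
import re
from typing import Optional

# Indicators of Compromise quoted in the article (from VulnCheck's report).
IOC_IPS = {"123.25.249.88", "193.32.208.24"}
# Endpoint named in the article as the target of the poisoned search request.
SOLR_ENDPOINT = "/xwiki/bin/get/Main/SolrSearch"

# Assumed heuristic (not from the article): a genuine search term rarely contains
# wiki-macro braces or shell metacharacters, raw or URL-encoded.
SUSPICIOUS_CHARS = re.compile(r"[{}$;|`]|%7B|%7D|%24|%3B|%7C|%60", re.IGNORECASE)

# Default combined log format (nginx/Apache); an assumption of this example.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# ---- version rule from the article's affected-version list -----------------

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[-.]?rc[-.]?(\d+))?$", re.IGNORECASE)

def parse_version(text: str) -> tuple:
    """Turn '15.10.11', '16.0.0-rc-1' or '16.5.0RC1' into a sortable tuple.
    A release candidate sorts before the final release with the same number."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised XWiki version string: {text!r}")
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch), 0 if rc else 1, int(rc or 0))

def is_vulnerable(version: str) -> bool:
    """Per the article: anything before 15.10.11 is affected, as is
    16.0.0-rc-1 up to (but not including) 16.4.1."""
    v = parse_version(version)
    if v < parse_version("15.10.11"):
        return True
    return parse_version("16.0.0-rc-1") <= v < parse_version("16.4.1")

# ---- access-log triage ------------------------------------------------------

def classify(line: str) -> Optional[dict]:
    """Return a finding for one access-log line, or None if nothing stands out."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m["target"].partition("?")
    reasons = []
    if m["ip"] in IOC_IPS:
        reasons.append("source IP listed in VulnCheck IoCs")
    if path == SOLR_ENDPOINT and SUSPICIOUS_CHARS.search(query):
        reasons.append("SolrSearch query contains macro/shell characters")
    if not reasons:
        return None
    return {"ip": m["ip"], "time": m["ts"], "path": path,
            "status": m["status"], "reasons": reasons}

def scan_log(text: str) -> list:
    """Run classify() over every line and keep only the findings."""
    return [f for f in (classify(ln) for ln in text.splitlines()) if f]

# Constructed sample log (not real traffic); the braces in the first query
# string are a placeholder, not a payload.
SAMPLE_LOG = """\
123.25.249.88 - - [26/Oct/2025:10:14:02 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=%7B%7Bplaceholder%7D%7D HTTP/1.1" 200 512
10.0.0.5 - - [26/Oct/2025:10:15:44 +0000] "GET /xwiki/bin/get/Main/SolrSearch?text=quarterly+report HTTP/1.1" 200 2048
198.51.100.7 - - [26/Oct/2025:10:16:01 +0000] "GET /xwiki/bin/view/Main/ HTTP/1.1" 200 7340
193.32.208.24 - - [26/Oct/2025:10:35:10 +0000] "GET /xwiki/bin/view/Main/ HTTP/1.1" 200 7340
"""

if __name__ == "__main__":
    for ver in ("15.10.10", "15.10.11", "16.0.0-rc-1", "16.4.0", "16.4.1", "16.5.0RC1"):
        print(f"{ver:12s} vulnerable={is_vulnerable(ver)}")
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Point scan_log() at a real access log to get a first cut of hits worth investigating; the version check is a yes/no against the ranges the article lists and does not replace applying the vendor fix.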