Vulnerability
XWiki CVE-2025-24893 exploitation and miner deployment
Updated 18.11.2025 00:41
Case score 63
Why this score?
Case score is a discovery signal based on public evidence, not a guaranteed risk rating. Use it to decide what to review first, then verify important details from the linked sources.
- Total
- 63
- Main story score
- 63
- Related evidence lift
- +0 / 20
- Contributing updates
- 0
- Context updates
- 0
Top contributors
- Vulnerability Active exploitation of **XWiki CVE-2025-24893** with remote code execution and miner deployment. main
Case score 63
Members 1
Latest activity 18.11.2025 00:41
Active exploitation
Public PoC/exploit reported
CVSS: 9.8 Critical
Members 1
First seen 29.10.2025 09:44
Last seen 29.10.2025 09:44
Updated 18.11.2025 00:41
Overview
**CVE-2025-24893** in **XWiki** is under active exploitation through requests to **/bin/get/Main/SolrSearch**, giving attackers remote code execution on exposed servers. Observed abuse uses an eval-injection weakness to stage a downloader, then a miner payload that kills competing miners and runs after a delay. VulnCheck reported canary hits, and CrowdSec and Cyble said exploitation was already underway by **March 2025**.
CISA added the flaw to the KEV catalog and set a remediation due date of **2025-11-20**. Available evidence points to live cryptomining activity rather than isolated testing, but the broader scale of compromise is not known.
Attackers are actively exploiting **CVE-2025-24893** in **XWiki** to reach arbitrary remote code execution through the **/bin/get/Main/SolrSearch** endpoint. The flaw is an eval-injection issue caused by improper neutralization of input in a dynamic evaluation call. VulnCheck reported exploitation attempts against XWiki canaries.
CrowdSec and Cyble said abuse had already been seen by **March 2025**. The observed intrusion chain is two-stage: the first pass drops a downloader, and a later pass executes it after at least **20 minutes**. That downloader fetches follow-on payloads that install a cryptocurrency miner and kill competing miners such as **XMRig** and **Kinsing**. CISA added **CVE-2025-24893** to the KEV catalog with a remediation due date of **2025-11-20**, and exposed XWiki instances should be updated or mitigated immediately. The broader scale of compromise remains unknown, but exposed servers that allow requests to the affected endpoint can be turned into miner hosts.
Signals
6 derivedExploitation
Exploitation
Active exploitation
CVSS
9.8 Critical
Exploit
Public PoC/exploit reported
CVEs/products
CVE
Threat context
Malware
Tooling
Malware context
2 families · 2 toolsTools
wget
XMRig
Member happenings
1 related
Vulnerability
XWiki eval injection actively exploited remote code execution flaw (CVE-2025-24893)
Exploitation
Active Exploitation
Exploit
Public Exploit
CVSS
9.8 Critical
Vulnerability
XWiki eval injection actively exploited remote code execution flaw (CVE-2025-24893)
Exploitation
Active Exploitation
Exploit
Public Exploit
CVSS
9.8 Critical