Vulnerability
XWiki CVE-2025-24893 exploitation and miner deployment
Updated 18.11.2025 00:41
Active exploitation
Public PoC/exploit reported
CVSS: 9.8 Critical
First seen 29.10.2025 09:44
Last seen 29.10.2025 09:44
Overview
**CVE-2025-24893** in **XWiki** is under active exploitation through requests to **/bin/get/Main/SolrSearch**, giving attackers remote code execution on exposed servers. Observed abuse uses the eval-injection weakness to stage a downloader and then a miner payload; the miner kills competing miners and is executed after a delay. VulnCheck reported canary hits, and CrowdSec and Cyble said exploitation was already underway by **March 2025**.
CISA added the flaw to the KEV catalog and set a remediation due date of **2025-11-20**. Available evidence points to live cryptomining activity rather than isolated testing, but the broader scale of compromise is not known.
Attackers are actively exploiting **CVE-2025-24893** in **XWiki** to reach arbitrary remote code execution through the **/bin/get/Main/SolrSearch** endpoint. The flaw is an eval-injection issue caused by improper neutralization of input in a dynamic evaluation call. VulnCheck reported exploitation attempts against XWiki canaries.
CrowdSec and Cyble said abuse had already been seen by **March 2025**. The observed intrusion chain is two-stage: the first pass drops a downloader, and a later pass executes it after at least **20 minutes**. That downloader fetches follow-on payloads that install a cryptocurrency miner and kill competing miners such as **XMRig** and **Kinsing**. CISA added **CVE-2025-24893** to the KEV catalog with a remediation due date of **2025-11-20**, and exposed XWiki instances should be updated or mitigated immediately. The broader scale of compromise remains unknown, but exposed servers that allow requests to the affected endpoint can be turned into miner hosts.
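A defender-side check for the access pattern described above, added here as an example and not part of the advisory: it parses combined-format web server logs, picks out requests to the endpoint the advisory names, and flags sources that hit it again at least 20 minutes later, matching the delayed second pass of the two-stage chain. The log lines are constructed, and the log format and the 20-minute gap heuristic are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Endpoint named in the advisory; the gap value is a heuristic taken from the reported chain.
TARGET_PATH = "/bin/get/Main/SolrSearch"
MIN_GAP = timedelta(minutes=20)  # second pass reportedly came at least 20 minutes later

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines in Apache combined format; addresses are from documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [29/Oct/2025:09:44:01 +0000] "GET /bin/get/Main/SolrSearch?media=rss&text=q1 HTTP/1.1" 200 512 "-" "curl/8.4.0"
198.51.100.4 - - [29/Oct/2025:09:50:12 +0000] "GET /bin/view/Main/WebHome HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
203.0.113.7 - - [29/Oct/2025:10:05:33 +0000] "GET /bin/get/Main/SolrSearch?media=rss&text=q1 HTTP/1.1" 200 512 "-" "curl/8.4.0"
198.51.100.4 - - [29/Oct/2025:10:06:00 +0000] "GET /bin/get/Main/SolrSearch?text=wiki HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Return a dict with ip, ts (aware datetime), method, path, status; None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    d["status"] = int(d["status"])
    return d

def solrsearch_hits(log_text):
    """All parsed requests whose path (query string ignored) is the SolrSearch endpoint."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"].split("?", 1)[0] == TARGET_PATH:
            hits.append(rec)
    return hits

def two_stage_sources(hits, min_gap=MIN_GAP):
    """Sources with two or more endpoint hits spread over min_gap or longer (delayed second stage)."""
    by_ip = defaultdict(list)
    for h in hits:
        by_ip[h["ip"]].append(h["ts"])
    flagged = []
    for ip, times in by_ip.items():
        times.sort()
        if times[-1] - times[0] >= min_gap:
            flagged.append(ip)
    return sorted(flagged)
```

A single hit on the endpoint is only a lead, since the endpoint also serves legitimate searches; the delayed repeat from one source is the stronger signal to triage first.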