XWiki cryptocurrency miner deployment via two-pass exploitation
Malware Activity
Summary
The XWiki exploit activity is now installing a cryptocurrency miner, turning CVE-2025-24893 abuse into direct resource theft on exposed servers. Attackers are using a two-pass workflow in which the first stage writes a downloader to disk and the later stage executes it. The flaw enables remote, unauthenticated code execution through the SolrSearch macro, making unpatched deployments easy to abuse. Earlier reconnaissance and current mining activity show the exploitation is being reused operationally rather than tested once.
Related Happenings
OpenDCIM multi-flaw exploitation wave (CVE-2026-28515, CVE-2026-28516, CVE-2026-28517)
Exploitation Wave
First: 17.05.2026 14:57
Last: 17.05.2026 14:57
Sources 1
About this happening:
**openDCIM** is seeing an **active exploitation wave** tied to **CVE-2026-28515**, **CVE-2026-28516**, and **CVE-2026-28517**, with attackers targeting vulnerable installations an...
MetInfo CMS unauthenticated PHP code injection actively exploited remote code execution flaw (CVE-2026-29014)
Vulnerability
First: 05.05.2026 14:56
Last: 05.05.2026 14:56
Sources 1
About this happening:
**CVE-2026-29014** in **MetInfo CMS** is **actively exploited**, putting **versions 7.9, 8.0, and 8.1** at risk of **remote code execution** and full server takeover. **MetInfo**...
Linux kernel security update for Copy Fail (CVE-2026-31431)
Security Patch Release
First: 30.04.2026 16:54
Last: 30.04.2026 16:54
Sources 1
About this happening:
**Linux kernel** maintainers have fixed **CVE-2026-31431** and are rolling out updates to close a **local privilege escalation** flaw that lets an unprivileged attacker gain **roo...
Windows zero-day exploitation wave
Exploitation Wave
First: 17.04.2026 09:14
Last: 17.04.2026 09:14
Sources 1
About this happening:
**BlueHammer**, **RedSun**, and **UnDefend** are being exploited in the wild against **Windows** devices, creating active risk of **SYSTEM** or elevated administrator compromise....
Latest development: 23.04.2026 14:05
CISA added BlueHammer, tracked as CVE-2026-33825, to its Known Exploited Vulnerabilities (KEV) Catalog and ordered Federal Civilian Executive Branch (FCEB) agencies to patch Microsoft Defender on Windows systems within two weeks, by May 7. The federal directive targets ongoing zero-day abuse of the flaw on U.S. government systems.
HPE OneView RondoDox exploitation wave (CVE-2025-37164)
Exploitation Wave
First: 16.01.2026 11:15
Last: 16.01.2026 11:15
Sources 1
About this happening:
**RondoDox** has driven a **large-scale exploitation wave** against **HPE OneView** by targeting **CVE-2025-37164**, with activity escalating into **automated attacks** that creat...
Timeline
29.10.2025 12:53 · 2 articles
CVE-2025-24893 exploitation deploys a cryptocurrency miner on XWiki
Exploitation Observed
VulnCheck says CVE-2025-24893 in XWiki has been exploited in the wild to deploy a low-end cryptocurrency miner against exposed XWiki servers. The observed abuse used the SolrSearch macro to reach remote unauthenticated code execution and proceeded in a two-pass workflow: the first pass staged a downloader by writing a file to disk, and the second pass executed it later. The attacker traffic was geolocated in Vietnam, and CrowdSec earlier this year also saw reconnaissance against the same vulnerability.
Sources:
- XWiki Vulnerability Exploited in Cryptocurrency Mining Operation — www.securityweek.com — 29.10.2025 12:53