Find notable cyber news and cases, enriched with sources, timelines, and signals.

XWiki eval injection actively exploited remote code execution flaw (CVE-2025-24893)

Vulnerability
First reported
Last updated
Happening score
H score 56
3 unique sources, 3 articles

Summary

Hide ▲

The XWiki eval injection flaw CVE-2025-24893 is being actively exploited, putting exposed servers at risk of remote code execution via /bin/get/Main/SolrSearch. Attackers are chaining the bug into a two-stage workflow that drops a downloader and ultimately installs a cryptocurrency miner. VulnCheck said it observed exploitation attempts against XWiki canaries, and real-world abuse has been reported since March 2025. Users should apply updates as soon as possible to reduce exposure.

Cases

Related Happenings

Everest Forms Pro CVE-2026-3300 active exploitation wave

Exploitation Wave
H score87 First: 05.06.2026 11:38 Last: 05.06.2026 11:38 Sources 1

About this happening: Active exploitation of **CVE-2026-3300** in **Everest Forms Pro** is driving **complete site compromise** risk for WordPress sites. Attackers have been using the flaw for arbitrar...

Magento exploitation wave for CVE-2026-45247

Exploitation Wave
H score9 First: 04.06.2026 10:19 Last: 04.06.2026 10:19 Sources 1

About this happening: Active exploitation of **CVE-2026-45247** is hitting **Mirasvit Cache Warmer** on **Magento** stores, with malicious requests carrying serialized PHP payloads that can lead to **r...

TeamPCP Mini Shai-Hulud npm supply-chain campaign

Campaign
H score75 First: 12.05.2026 14:07 Last: 12.05.2026 14:07 Sources 1

About this happening: The **TeamPCP**-linked **Mini Shai-Hulud** campaign is an active **npm supply-chain operation** that steals developer credentials and abuses trusted publishing paths to spread tro...

CPanel & WHM authentication-bypass exploitation wave (CVE-2026-41940)

Exploitation Wave
H score89 First: 04.05.2026 11:25 Last: 04.05.2026 11:25 Sources 1

About this happening: Active exploitation of **CVE-2026-41940** is driving a **large cPanel & WHM compromise wave**, putting exposed servers at risk of administrative takeover. **More than 40,000 serve...

CISA Apache ActiveMQ CVE-2026-34197 mitigation order

Advisory/Mitigation
H score71 First: 21.04.2026 14:17 Last: 21.04.2026 14:17 Sources 1

About this happening: **CISA** ordered **FCEB agencies** to secure **Apache ActiveMQ** servers by **April 30** after **CVE-2026-34197** was confirmed **actively exploited**. The flaw can allow **arbitr...

Timeline

  1. 29.10.2025 09:44 3 articles · 8mo ago

    VulnCheck reports active exploitation of XWiki CVE-2025-24893

    Technical Analysis Update

    VulnCheck said attackers are actively exploiting XWiki CVE-2025-24893, an eval injection flaw that can allow arbitrary remote code execution through a request to the "/bin/get/Main/SolrSearch" endpoint. The observed abuse targeted XWiki canaries from an attacker geolocated in Vietnam and used a two-stage workflow: wget retrieved the downloader "x640" from "193.32.208[.]24:8080" and wrote it to "/tmp/11909", then follow-on payloads "x521" and "x522" fetched a cryptocurrency miner, killed competing miners such as XMRig and Kinsing, and launched the miner with a c3pool.org configuration.

    Show sources