XWiki eval injection actively exploited remote code execution flaw (CVE-2025-24893)
Vulnerability
Summary
Hide ▲
Show ▼
The XWiki eval injection flaw CVE-2025-24893 is being actively exploited, putting exposed servers at risk of remote code execution via /bin/get/Main/SolrSearch. Attackers are chaining the bug into a two-stage workflow that drops a downloader and ultimately installs a cryptocurrency miner. VulnCheck said it observed exploitation attempts against XWiki canaries, and real-world abuse has been reported since March 2025. Users should apply updates as soon as possible to reduce exposure.
Cases
Related Happenings
Everest Forms Pro CVE-2026-3300 active exploitation wave
Exploitation Wave
H score87
First: 05.06.2026 11:38
Last: 05.06.2026 11:38
Sources 1
About this happening:
Active exploitation of **CVE-2026-3300** in **Everest Forms Pro** is driving **complete site compromise** risk for WordPress sites. Attackers have been using the flaw for arbitrar...
Everest Forms Pro CVE-2026-3300 active exploitation wave
Exploitation WaveAbout this happening: Active exploitation of **CVE-2026-3300** in **Everest Forms Pro** is driving **complete site compromise** risk for WordPress sites. Attackers have been using the flaw for arbitrar...
Magento exploitation wave for CVE-2026-45247
Exploitation Wave
H score9
First: 04.06.2026 10:19
Last: 04.06.2026 10:19
Sources 1
About this happening:
Active exploitation of **CVE-2026-45247** is hitting **Mirasvit Cache Warmer** on **Magento** stores, with malicious requests carrying serialized PHP payloads that can lead to **r...
Magento exploitation wave for CVE-2026-45247
Exploitation WaveAbout this happening: Active exploitation of **CVE-2026-45247** is hitting **Mirasvit Cache Warmer** on **Magento** stores, with malicious requests carrying serialized PHP payloads that can lead to **r...
TeamPCP Mini Shai-Hulud npm supply-chain campaign
Campaign
H score75
First: 12.05.2026 14:07
Last: 12.05.2026 14:07
Sources 1
About this happening:
The **TeamPCP**-linked **Mini Shai-Hulud** campaign is an active **npm supply-chain operation** that steals developer credentials and abuses trusted publishing paths to spread tro...
TeamPCP Mini Shai-Hulud npm supply-chain campaign
CampaignAbout this happening: The **TeamPCP**-linked **Mini Shai-Hulud** campaign is an active **npm supply-chain operation** that steals developer credentials and abuses trusted publishing paths to spread tro...
CPanel & WHM authentication-bypass exploitation wave (CVE-2026-41940)
Exploitation Wave
H score89
First: 04.05.2026 11:25
Last: 04.05.2026 11:25
Sources 1
About this happening:
Active exploitation of **CVE-2026-41940** is driving a **large cPanel & WHM compromise wave**, putting exposed servers at risk of administrative takeover. **More than 40,000 serve...
CPanel & WHM authentication-bypass exploitation wave (CVE-2026-41940)
Exploitation WaveAbout this happening: Active exploitation of **CVE-2026-41940** is driving a **large cPanel & WHM compromise wave**, putting exposed servers at risk of administrative takeover. **More than 40,000 serve...
CISA Apache ActiveMQ CVE-2026-34197 mitigation order
Advisory/Mitigation
H score71
First: 21.04.2026 14:17
Last: 21.04.2026 14:17
Sources 1
About this happening:
**CISA** ordered **FCEB agencies** to secure **Apache ActiveMQ** servers by **April 30** after **CVE-2026-34197** was confirmed **actively exploited**. The flaw can allow **arbitr...
CISA Apache ActiveMQ CVE-2026-34197 mitigation order
Advisory/MitigationAbout this happening: **CISA** ordered **FCEB agencies** to secure **Apache ActiveMQ** servers by **April 30** after **CVE-2026-34197** was confirmed **actively exploited**. The flaw can allow **arbitr...
Timeline
-
29.10.2025 09:44 3 articles · 8mo ago
VulnCheck reports active exploitation of XWiki CVE-2025-24893
Technical Analysis UpdateVulnCheck said attackers are actively exploiting XWiki CVE-2025-24893, an eval injection flaw that can allow arbitrary remote code execution through a request to the "/bin/get/Main/SolrSearch" endpoint. The observed abuse targeted XWiki canaries from an attacker geolocated in Vietnam and used a two-stage workflow: wget retrieved the downloader "x640" from "193.32.208[.]24:8080" and wrote it to "/tmp/11909", then follow-on payloads "x521" and "x522" fetched a cryptocurrency miner, killed competing miners such as XMRig and Kinsing, and launched the miner with a c3pool.org configuration.
Show sources
- Active Exploits Hit Dassault and XWiki — CISA Confirms Critical Flaws Under Attack — thehackernews.com — 29.10.2025 09:44
- RondoDox botnet malware now hacks servers using XWiki flaw — www.bleepingcomputer.com — 18.11.2025 00:41
- XWiki Vulnerability Exploited in Cryptocurrency Mining Operation — www.securityweek.com — 29.10.2025 12:53