RondoDox botnet exploitation of XWiki CVE-2025-24893

Malware Activity
Happening score: 47
2 unique sources, 2 articles

Summary

The RondoDox botnet has begun targeting unpatched XWiki instances through CVE-2025-24893, expanding its reach and putting vulnerable servers at risk of botnet recruitment and follow-on payload delivery. The flaw can enable arbitrary code execution through the `/bin/get/Main/SolrSearch` endpoint. Activity was observed in November 2025 after exploitation had already been seen in the wild since at least March.

Timeline

  1. 15.11.2025 18:35 · 2 articles

    RondoDox first exploit of XWiki CVE-2025-24893

    Exploitation Observed

    RondoDox botnet malware was first observed targeting unpatched XWiki instances through CVE-2025-24893 on November 3, 2025, using the `/bin/get/Main/SolrSearch` endpoint to pursue arbitrary code execution against exposed servers.

  2. 15.11.2025 18:35 · 2 articles

    Broader CVE-2025-24893 exploitation pressure on XWiki

    Campaign Scope Update

    VulnCheck described a broader wave of CVE-2025-24893 exploitation against XWiki, with attempts hitting a new high on November 7 and another surge on November 11, alongside RondoDox botnet activity, cryptocurrency miner delivery, reverse-shell attempts, and Nuclei-based probing. The flaw is an eval-injection bug that can enable arbitrary remote code execution through `/bin/get/Main/SolrSearch`. XWiki patched it in 15.10.11, 16.4.1, and 16.5.0RC1 in late February 2025, and CISA added it to the KEV catalog with a November 20 mitigation deadline for federal agencies.