RondoDox botnet exploitation of XWiki CVE-2025-24893

Malware Activity
H score 47
2 unique sources, 2 articles

Summary

The RondoDox botnet has begun targeting unpatched XWiki instances through CVE-2025-24893, expanding its reach and putting vulnerable servers at risk of botnet recruitment and follow-on payload delivery. The flaw can enable arbitrary code execution through the `/bin/get/Main/SolrSearch` endpoint. Activity was observed in November 2025 after exploitation had already been seen in the wild since at least March.

Related Happenings

Everest Forms Pro CVE-2026-3300 active exploitation wave

Exploitation Wave
H score 87 · First: 05.06.2026 11:38 · Last: 05.06.2026 11:38 · Sources: 1

About this happening: Active exploitation of **CVE-2026-3300** in **Everest Forms Pro** is driving **complete site compromise** risk for WordPress sites. Attackers have been using the flaw for arbitrar...

Magento exploitation wave for CVE-2026-45247

Exploitation Wave
H score 9 · First: 04.06.2026 10:19 · Last: 04.06.2026 10:19 · Sources: 1

About this happening: Active exploitation of **CVE-2026-45247** is hitting **Mirasvit Cache Warmer** on **Magento** stores, with malicious requests carrying serialized PHP payloads that can lead to **r...

MetInfo CMS unauthenticated PHP code injection actively exploited remote code execution flaw (CVE-2026-29014)

Vulnerability
H score 44 · First: 05.05.2026 14:56 · Last: 05.05.2026 14:56 · Sources: 1

About this happening: **CVE-2026-29014** in **MetInfo CMS** is **actively exploited**, putting **versions 7.9, 8.0, and 8.1** at risk of **remote code execution** and full server takeover. **MetInfo**...

Mirai-based CVE-2025-29635 D-Link DIR-823X botnet-enlistment campaign

Campaign
H score 56 · First: 22.04.2026 23:04 · Last: 22.04.2026 23:04 · Sources: 1

About this happening: The **Mirai-based malware campaign** is **actively exploiting CVE-2025-29635** against **D-Link DIR-823X routers**, turning vulnerable devices into botnet nodes. The activity matt...

TBK DVR command injection flaw actively exploited (CVE-2024-3721)

Vulnerability
H score 20 · First: 20.04.2026 16:01 · Last: 20.04.2026 16:01 · Sources: 1

About this happening: The **CVE-2024-3721** command injection flaw in **TBK DVR systems** is being actively exploited to gain access and install **Nexcorium** malware. Attackers abuse **crafted request...

Timeline

  1. 15.11.2025 18:35 · 2 articles

    RondoDox first exploit of XWiki CVE-2025-24893

    Exploitation Observed

    RondoDox botnet malware was first observed targeting unpatched XWiki instances through CVE-2025-24893 on November 3, 2025, using the `/bin/get/Main/SolrSearch` endpoint to pursue arbitrary code execution against exposed servers.

  2. 15.11.2025 18:35 · 2 articles

    Broader CVE-2025-24893 exploitation pressure on XWiki

    Campaign Scope Update

    VulnCheck described a broader wave of CVE-2025-24893 exploitation against XWiki, with attempts hitting a new high on November 7 and another surge on November 11, alongside RondoDox botnet activity, cryptocurrency miner delivery, reverse-shell attempts, and Nuclei-based probing. The flaw is an eval-injection bug that can enable arbitrary remote code execution through `/bin/get/Main/SolrSearch`. XWiki patched it in 15.10.11, 16.4.1, and 16.5.0RC1 in late February 2025, and CISA added it to the KEV catalog with a November 20 mitigation deadline for federal agencies.
