A recently detected wave of malicious activity linked to the botnet malware RondoDox is actively exploiting a critical remote code execution (RCE) vulnerability in XWiki’s open-source enterprise wiki platform. The flaw, tracked as CVE-2025-24893, presents a severe threat to unpatched environments, with a Common Vulnerability Scoring System (CVSS) base score of 9.8, underscoring its critical risk potential.
Eval Injection Bug Offers Remote Code Execution Power
The vulnerability resides in XWiki’s implementation of its document rendering mechanism. Specifically, the flaw is an eval injection bug that enables arbitrary code execution via crafted HTTP GET requests to the `/bin/get/Main/` endpoint. This attack vector notably does not require authentication, allowing even guest-level users to execute malicious code remotely.
Understanding CVE-2025-24893’s Technical Impact
The exploit path made possible by CVE-2025-24893 leverages the dynamic rendering logic in XWiki’s Velocity-based templating engine, which permits user-controlled input to be interpreted and evaluated as executable code.
- Attackers can manipulate the request path to trigger unintended evaluation logic.
- The vulnerability allows shell-level command execution under the privileges of the XWiki server process.
- An attacker can drop malware, establish persistence, or pivot deeper into infrastructure using the compromised instance as an entry point.
Security researchers have confirmed that RondoDox incorporates this flaw into its infection chain to automate the takeover of exposed, unpatched XWiki instances.
RondoDox Botnet Uses CVE-2025-24893 for Infrastructure Expansion
RondoDox is an evolving botnet malware family known for commandeering misconfigured and vulnerable web servers. Analysts report that RondoDox now scans the internet specifically for XWiki installations vulnerable to CVE-2025-24893.
Botnet’s Payload Delivery and Operations Tactics
After exploiting the flaw, RondoDox operators initiate a series of commands intended to loot credentials, establish backdoors, and link the system into their broader botnet infrastructure. Key tactics include:
- Dropping persistence scripts that re-infect the system even after a reboot.
- Downloading secondary payloads from command-and-control (C2) servers operated by the botnet.
- Using compromised resources to conduct further lateral movement and reconnaissance.
For attackers, unpatched content collaboration platforms like XWiki represent a strategic asset for both data exfiltration and infrastructure abuse.
Risk Mitigation Requires Immediate Patching
The severity of CVE-2025-24893, combined with the ease of exploitation and automated scanning behavior by RondoDox, places urgent pressure on administrators to secure affected systems.
Remediation Steps for XWiki Users
Security professionals managing XWiki instances should take the following actions immediately:
- Upgrade to an XWiki release containing the official patch for CVE-2025-24893.
- Implement access controls to the `/bin/get/` path to prevent unauthenticated use.
- Monitor for abnormal HTTP requests or shell commands originating from the application.
- Scan historical logs for possible indicators of compromise linked to known RondoDox signatures.
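As an added illustration of the monitoring and log-review steps above (this is example code, not code from the article, from XWiki or from any published RondoDox detection), the following Python script scans web-server access logs in the common "combined" format for GET requests to the `/bin/get/Main/` endpoint named in the article. It flags requests whose URL-decoded query string carries template metacharacters (Velocity uses `$` and `#`, XWiki macro syntax uses braces) or is unusually long, and can optionally flag any unauthenticated request to that path, matching the access-control posture recommended above. The sample log lines, the `Search` page name, the 200-character length threshold and the metacharacter set are constructed assumptions for the demonstration, not indicators published for this campaign.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Apache/nginx "combined" access-log format: ip ident user [ts] "METHOD target proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Endpoint prefix taken from the article; everything below it is an assumption.
WATCHED_PREFIX = "/bin/get/Main/"
# Characters meaningful to Velocity ($, #) and to XWiki macro syntax ({, }).
# Ordinary page lookups rarely need them in a query string.
META_CHARS = set("${}#")
MAX_QUERY_LEN = 200  # assumed threshold; tune against your own traffic baseline

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    # benign: authenticated user fetching a page through the watched endpoint
    '10.0.0.5 - alice [12/Nov/2025:10:01:02 +0000] "GET /bin/get/Main/WebHome?xpage=plain HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    # benign: unrelated path, guest access
    '10.0.0.6 - - [12/Nov/2025:10:01:10 +0000] "GET /bin/view/Main/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    # suspicious: guest request whose query decodes to a Velocity-style reference ${probe}
    '203.0.113.7 - - [12/Nov/2025:10:02:30 +0000] "GET /bin/get/Main/Search?text=%24%7Bprobe%7D HTTP/1.1" 200 77 "-" "python-requests/2.31"',
]


def parse_line(line):
    """Parse one combined-format line; return a dict or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = unquote_plus(parts.query)  # decode before inspecting, so %7B is seen as {
    return rec


def classify(rec, require_auth=False):
    """Return the reasons a request to the watched endpoint looks suspicious, or [] if none."""
    reasons = []
    if rec is None or rec["method"] != "GET" or not rec["path"].startswith(WATCHED_PREFIX):
        return reasons
    found = sorted(META_CHARS & set(rec["query"]))
    if found:
        reasons.append("template metacharacters in query: " + "".join(found))
    if len(rec["query"]) > MAX_QUERY_LEN:
        reasons.append(f"oversized query ({len(rec['query'])} chars)")
    # Only meaningful where the log's remote-user field is populated (see usage note).
    if require_auth and rec["user"] == "-":
        reasons.append("unauthenticated access to watched endpoint")
    return reasons


def scan(lines, require_auth=False):
    """Return (ip, path, reasons) for every line that classify() flags."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        reasons = classify(rec, require_auth)
        if reasons:
            hits.append((rec["ip"], rec["path"], reasons))
    return hits


if __name__ == "__main__":
    for ip, path, reasons in scan(SAMPLE_LOG):
        print(f"{ip} {path}: {'; '.join(reasons)}")
```

The remote-user field in a combined log is only filled in for HTTP Basic authentication. A reverse proxy in front of a cookie-authenticated XWiki will record `-` for every client, so `require_auth=True` is only useful where the proxy logs a session marker or where `/bin/get/` has been restricted to authenticated clients as the remediation list recommends; otherwise rely on the metacharacter and length checks and review the flagged lines by hand.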
Administrators should also consider revoking and rotating credentials stored or generated by the XWiki instance, as attacker presence may have enabled theft of sensitive tokens or keys.
Implications for Open-Source Platforms
The attack highlights recurring risks in open-source web applications that support dynamic content rendering and scripting. XWiki’s templating power is a useful feature in enterprise collaboration but can become a potent weapon when paired with minimal input validation. Following the discovery of CVE-2025-24893, platform maintainers and users alike must prioritize secure coding and robust configuration defaults.
Security teams should also monitor threat intelligence feeds for malware campaigns incorporating XWiki or similar content management system (CMS) exploits.
As threat actors like those behind RondoDox continue to deploy automation and zero-auth attacks to scale their operations, this incident underscores the importance of routine patch management and vigilant monitoring — especially for widely used, publicly accessible platforms such as XWiki.