Botnet malware RondoDox is actively exploiting a critical vulnerability, CVE-2025-24893, in unpatched XWiki servers, enabling attackers to execute arbitrary code. This critical security flaw, with a CVSS score of 9.8, allows unauthenticated users to remotely execute malicious code by targeting the “/bin/get/Main/SolrSearch” endpoint. While patched by XWiki maintainers in late February 2025, widespread exploitation has been observed, highlighting the ongoing threat from unmitigated XWiki server vulnerabilities.
The vulnerability, officially designated CVE-2025-24893, was patched in XWiki versions 15.10.11, 16.4.1, and 16.5.0RC1. However, evidence indicates that the flaw was being exploited in the wild as early as March 2025. This timeline was extended into late October and November, with researchers observing fresh attack attempts that weaponize the vulnerability in a multi-stage process. These attacks are primarily aimed at deploying cryptocurrency miners on compromised systems.
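Two checks a defender would want from the two paragraphs above, as an added example that is not part of the original report: a version comparison against the three fixed releases named here, and a pass over web-server access logs for requests to the "/bin/get/Main/SolrSearch" endpoint. It assumes Common Log Format lines, assumes XWiki pre-releases (M, RC) sort before the final release of the same number, and assumes releases after the 16.x line carry the fix while lines older than 15.x do not; the log lines are constructed, not real traffic.

```python
import re
from typing import Dict, List, Tuple

VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:(M|RC)(\d+))?$")
STAGE_RANK = {"M": 0, "RC": 1, None: 2}  # milestone < release candidate < final

def parse_version(v: str) -> Tuple[int, int, int, int, int]:
    """Turn an XWiki version string into a sortable tuple (pre-releases sort first)."""
    m = VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised XWiki version: {v!r}")
    major, minor, patch, stage, n = m.groups()
    return (int(major), int(minor), int(patch or 0), STAGE_RANK[stage], int(n or 0))

def is_patched(v: str) -> bool:
    """True if v is at or above the first fixed release of its line (15.10.11, 16.4.1, 16.5.0RC1)."""
    t = parse_version(v)
    if t[0] == 15:
        return t >= parse_version("15.10.11")
    if t[0] == 16:  # 16.5.0 pre-releases before RC1 are still affected
        return t >= parse_version("16.4.1" if t[1] <= 4 else "16.5.0RC1")
    return t[0] > 16  # assumption: later lines carry the fix, older lines were never fixed

# Common Log Format: client ident user [time] "METHOD target proto" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def find_solrsearch_hits(lines: List[str]) -> List[Dict[str, str]]:
    """Return every request to the SolrSearch endpoint. It also serves legitimate
    searches, so review unexpected clients and bursts rather than treating each hit as an attack."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, ts, method, target, status = m.groups()
        if target.split("?", 1)[0].endswith("/bin/get/Main/SolrSearch"):
            hits.append({"client": client, "time": ts, "method": method,
                         "target": target, "status": status})
    return hits

# Constructed sample access-log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [07/Nov/2025:10:14:02 +0000] "GET /bin/get/Main/SolrSearch?text=EXAMPLE HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '198.51.100.3 - - [07/Nov/2025:10:15:44 +0000] "GET /bin/view/Main/WebHome HTTP/1.1" 200 8450 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [07/Nov/2025:10:16:01 +0000] "GET /xwiki/bin/get/Main/SolrSearch?text=EXAMPLE HTTP/1.1" 200 310 "-" "scanner/constructed"',
]
```

Run `is_patched()` against the version your instance reports, and feed real access logs to `find_solrsearch_hits()` to see which clients touched the endpoint during the November scanning surges.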
RondoDox Botnet Leverages XWiki Vulnerability
The growing exploitation of XWiki server vulnerabilities, specifically CVE-2025-24893, has drawn the attention of cybersecurity authorities. Following disclosure by VulnCheck, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) officially added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. This mandates that federal agencies implement necessary mitigations by November 20, 2025. The urgency reflects the widespread and impactful nature of the ongoing attacks.
Recent reports indicate a significant surge in exploitation attempts targeting CVE-2025-24893. VulnCheck observed a notable increase in scanning activity on November 7, 2025, with another surge occurring on November 11. This pattern suggests that multiple threat actors are actively participating in exploiting this flaw, likely due to its accessibility and the potential for significant payoff.
Among the observed threat actors is the RondoDox botnet, which is rapidly expanding the set of exploits it uses to recruit susceptible devices, and which now leverages CVE-2025-24893 to gain access to XWiki servers. Once compromised, these servers are used to participate in distributed denial-of-service (DDoS) attacks over HTTP, UDP, and TCP. The first observed RondoDox exploit attempt targeting this XWiki vulnerability occurred on November 3, 2025.
Broader Exploitation and Implications
Beyond the RondoDox botnet, other threat actors are also exploiting the CVE-2025-24893 flaw. These attacks aim to deploy cryptocurrency miners, establish reverse shells for persistent access, and conduct general reconnaissance. Researchers at VulnCheck noted that opportunistic scanners are also using a Nuclei template written for this vulnerability, further widening the pool of actors probing for it.
“CVE-2025-24893 is a familiar story: one attacker moves first, and many follow,” stated Jacob Baines of VulnCheck. “Within days of the initial exploitation, we saw botnets, miners, and opportunistic scanners all adopting the same vulnerability.” This rapid adoption by diverse threat groups underscores the critical need for timely patching and robust patch management practices.
The proliferation of attacks exploiting this XWiki security flaw serves as a stark reminder of the importance of proactive cybersecurity measures. Organizations relying on XWiki instances must prioritize applying the available patches to protect their systems from unauthorized access and malicious activity. Failure to do so leaves them vulnerable to financially motivated attacks, such as cryptocurrency mining, and disruptive actions like DDoS attacks.
Looking ahead, the cybersecurity community will be closely monitoring the ongoing exploitation of CVE-2025-24893. While CISA has set a deadline of November 20 for federal agencies, many other organizations may still be at risk. The continued prevalence of botnets like RondoDox indicates that attackers will likely continue to weaponize known, unpatched vulnerabilities as long as profitable opportunities exist. The effectiveness of current mitigations and the speed at which organizations adopt them will determine the extent of future damage.