Live Cybersecurity News Ticker | Codekeeper

Hackers Rapidly Exploit XWiki Vulnerability for Botnets and Crypto Mining

Written by Content Team | Nov 17, 2025 12:17:37 PM

Multiple threat actors are actively exploiting CVE-2025-24893, a critical XWiki vulnerability discovered October 28, 2025, to deploy botnets and cryptocurrency miners on servers worldwide. CISA added it to its Known Exploited Vulnerabilities catalog just two days later, on October 30.

The RondoDox botnet incorporated the flaw by November 3, causing a sharp spike in attacks. Hackers are using the vulnerability to execute malicious code through XWiki's SolrSearch endpoint, with attacks ranging from automated scanning to sophisticated reverse shell attempts from AWS IP addresses.

Organizations should immediately patch XWiki installations, monitor for unusual SolrSearch requests, and implement network segmentation to reduce exposure.

Source: Cyber Security News