Exploitation of an XWiki bug has intensified as VulnCheck reported that a diverse set of threat actors are actively targeting the flaw.
In a Nov. 14 blog post, VulnCheck said its researchers observed everything from botnets and coin-miners to custom tooling and bespoke scanners.
XWiki is an open-source, Java-based wiki platform for creating, organizing, and sharing knowledge and collaborative applications within an organization.

VulnCheck first published information about the XWiki flaw, CVE-2025-24893 (rated 9.8), on Oct. 28, and the Cybersecurity and Infrastructure Security Agency (CISA) added it to its Known Exploited Vulnerabilities (KEV) catalog on Oct. 30. The vulnerability could let attackers perform remote code execution to facilitate cryptomining operations.
“Exploitable vulnerabilities are emerging faster than organizations can respond,” said Louis Eichenbaum, Federal CTO at ColorTokens. “CISA does an exceptional job identifying KEVs and adding them to the KEV catalog, but even they struggle to keep pace with the sheer volume.”
Eichenbaum also pointed out that once a KEV advisory is published, agencies still face the long tail of patching. In complex environments it often takes days, weeks, or months to patch, and Eichenbaum said that in some cases teams can’t patch legacy systems without breaking critical mission functions.
Jason Soroko, senior fellow at Sectigo, added that the XWiki eval injection has enabled “hands-off” cryptominer deployment in the wild and has reportedly been used since March 2025.
“This means that opportunistic scans will hit any exposed instance,” said Soroko. “Treat all three as high risk to internet facing systems and to any environment where these apps sit in reach of sensitive data or build systems.”
Soroko offered the following advice to security teams:
- Lock down XWiki by upgrading to a fixed release, turning off anonymous access where not needed, and restricting the SolrSearch endpoint to authenticated users.
- Hunt for post-exploitation by reviewing for new or modified admin users, unexpected files in web directories, and recent service or scheduled task creation on the app hosts.
- Hunt for XWiki abuse by flagging requests to the SolrSearch path with suspicious parameters, spikes in Java CPU usage, outbound connections to mining pools, and unusual Java child processes like curl or wget.
- Reduce exposure by placing these apps behind SSO and MFA, removing direct internet access, applying WAF rules that block eval and template injection patterns, and segmenting app servers from file shares and domain controllers.
- Have incident playbooks ready that include credential rotation and server rebuilds if compromise indicators appear.
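As an added example (not from the article or from the vendors quoted), the two hunting checks above expressed as a small Python script run over constructed sample data: it flags SolrSearch requests whose decoded query parameters contain template/eval-injection markers, and it lists curl or wget processes whose parent is a java process. The marker list, the SolrSearch path match, the log format and the `ps` layout are assumptions to tune for your own environment.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (common log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Nov/2025:10:01:02 +0000] "GET /xwiki/bin/view/Main/ HTTP/1.1" 200 5120
203.0.113.7 - - [14/Nov/2025:10:01:05 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=%7B%7Bmacro%7D%7Dhello HTTP/1.1" 200 311
198.51.100.9 - - [14/Nov/2025:10:02:11 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=release+notes HTTP/1.1" 200 2048
"""
# Constructed `ps -eo pid,ppid,comm` output in which a java process has spawned curl.
SAMPLE_PS = """\
  PID  PPID COMMAND
    1     0 systemd
 1200     1 java
 1345  1200 curl
 1400     1 sshd
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')
# Assumed starter set of template/eval-injection markers (XWiki macro braces, eval); tune per environment.
INJECTION_MARKERS = ("{{", "}}", "eval")

def scan_access_log(log_text):
    """Return SolrSearch requests whose decoded query parameters contain injection markers."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("url"))
        if "SolrSearch" not in parts.path:
            continue
        # parse_qs decodes once; a second unquote catches double-encoded payloads.
        values = [unquote(v) for vals in parse_qs(parts.query).values() for v in vals]
        markers = sorted({mk for v in values for mk in INJECTION_MARKERS if mk in v.lower()})
        if markers:
            hits.append({"ip": m.group("ip"), "time": m.group("ts"), "path": parts.path, "markers": markers})
    return hits

def suspicious_java_children(ps_text, tools=("curl", "wget")):
    """Return (pid, command) for curl/wget-style processes whose parent process is java."""
    procs = {}
    for line in ps_text.splitlines():
        fields = line.split(None, 2)
        if len(fields) == 3 and fields[0].isdigit():
            procs[int(fields[0])] = (int(fields[1]), fields[2].strip())
    return [(pid, comm) for pid, (ppid, comm) in procs.items()
            if comm in tools and procs.get(ppid, (0, ""))[1] == "java"]
```

Feed `scan_access_log` your reverse proxy or servlet container access log and `suspicious_java_children` the output of `ps -eo pid,ppid,comm` from the XWiki host; any hit is a starting point for the post-exploitation review, not proof of compromise on its own.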