Botnet malware known as RondoDox has been observed targeting unpatched XWiki instances for critical security flaws that could allow attackers to execute arbitrary code.
The vulnerability in question is CVE-2025-24893 (CVSS score: 9.8), which allows a guest user to execute arbitrary remote code via a request to the “/bin/get/Main/SolrSearch” endpoint due to a reputation injection bug. Patched by maintainers of XWiki 15.10.11, 16.4.1, and 16.5.0RC1 in late February 2025.
Although there has been evidence that this flaw has been in the wild since at least March, it wasn’t until late October that VulnCheck revealed that it had observed new attempts to weaponize this flaw as part of a two-step attack chain that deployed cryptocurrency miners.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) subsequently added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog and gave federal agencies until November 20th to apply the required mitigations.
In its latest report released Friday, VulnCheck revealed that exploitation attempts have since spiked, reaching a high on November 7th, before spiking again on November 11th. This is indicative of a broader scanning activity, likely driven by multiple threat actors participating in this effort.
This includes RondoDox, a botnet that is rapidly adding new exploitation vectors to connect susceptible devices to a botnet that uses HTTP, UDP, and TCP protocols to perform distributed denial of service (DDoS) attacks. According to the cybersecurity firm, the first RondoDox exploit was observed on November 3, 2025.
We have also observed attacks exploiting this vulnerability to deliver cryptocurrency miners, as well as other attacks attempting to establish reverse shells and general probing operations using the Nuclei template for CVE-2025-24893.
This finding reiterates the need to employ robust patch management practices to ensure optimal protection.
“CVE-2025-24893 is a familiar story: one attacker moves first, and many others follow,” said Jacob Baines of VulnCheck. “Within days of the initial exploitation, we saw botnets, miners, and opportunistic scanners all exploiting the same vulnerability.”
