
XWiki Vulnerability Exploited in Cryptocurrency Mining Operation

Exploits have been available publicly for over half a year, but the bug was previously targeted only for reconnaissance.


A critical-severity vulnerability in the popular open source enterprise wiki platform XWiki has been exploited in the wild as part of a low-end cryptocurrency mining operation, VulnCheck reports.

The issue, tracked as CVE-2025-24893 (CVSS score of 9.8), allows a remote attacker to execute arbitrary code by sending a crafted request to the SolrSearch macro, which uses XWiki's embedded Solr engine for full-text search.

Because the macro does not properly sanitize the user-supplied search text before it is rendered, a remote, unauthenticated attacker can embed XWiki macro syntax, including a Groovy scripting macro, in a search request and have the injected code executed with the privileges of the account running the web server.

“The specific flaw exists within the handling of the text parameter provided to the SolrSearchMacros endpoint. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the service account,” a ZDI advisory reads.

Successful exploitation of the flaw allows attackers to access sensitive information, disrupt the wiki service, or execute arbitrary system commands with the privileges of the user running the web server.

The security defect was reported by Trend Micro’s John Kwak in May 2024, and was addressed in XWiki versions 15.10.11, 16.4.1 and 16.5.0RC1, in June 2024.


Technical details on the bug emerged roughly half a year later and an NVD advisory was published in February. Numerous proof-of-concept (PoC) exploits targeting it have been available since early 2025.

CrowdSec earlier this year observed the vulnerability being abused for reconnaissance, but noted a decline in activity surrounding it. Now, VulnCheck says it has identified in-the-wild attacks exploiting CVE-2025-24893 to deploy a cryptocurrency miner.

“We observed multiple exploit attempts against our XWiki canaries coming from an attacker geolocated in Vietnam. The exploitation proceeds in a two-pass workflow separated by at least 20 minutes: the first pass stages a downloader (writes a file to disk), and the second pass later executes it,” VulnCheck notes.

The attacks, VulnCheck says, appear to be part of a low-end crypto mining operation, and the observed traffic originates from an IP address that has been associated with other malicious activity as well.
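The two details the article gives about the flaw and its exploitation, that the injection rides in the `text` parameter of a SolrSearch request and that the observed attacker returns to the same host in two passes at least 20 minutes apart, are enough to write a first-pass detector for web server access logs. The script below is an added example, not code from SecurityWeek, VulnCheck or the XWiki project. It assumes combined-format access logs, assumes the SolrSearch endpoint is served at `/xwiki/bin/{get,view}/Main/SolrSearch` (the default context root; adjust for your deployment), and treats the macro names it looks for (`groovy`, `velocity`, `async`) and the sample log lines (RFC 5737 test addresses, constructed for this example) as assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Combined-log-format line: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# XWiki scripting/wrapper macros that have no business in a search string.
# Assumption for this example; extend the list for your deployment.
MACRO_RE = re.compile(r"\{\{\s*(groovy|velocity|async)\b", re.IGNORECASE)

# Constructed sample lines (not real traffic). Line 1 carries a single-encoded
# macro payload, line 2 is a benign search, line 3 is double-encoded and
# arrives from the same source 24 minutes later.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Nov/2025:08:01:12 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync+async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28%22x%22%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.4 - - [10/Nov/2025:08:02:30 +0000] "GET /xwiki/bin/view/Main/SolrSearch?text=release+notes+%7B%7Bnot+a+macro HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2025:08:25:40 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=%257D%257D%257D%257B%257Bgroovy%257D%257Dprintln%2528%2522y%2522%2529%257B%257B%252Fgroovy%257D%257D HTTP/1.1" 200 300 "-" "curl/8.4"
"""


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def injected_macro(target):
    """If `target` is a SolrSearch request whose `text` parameter carries an
    XWiki scripting macro, return the decoded text; otherwise return None."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/solrsearch"):
        return None
    for text in parse_qs(parts.query).get("text", []):
        # parse_qs decoded once; decode again so a double-encoded payload
        # (%257B%257B -> %7B%7B -> {{) is still inspected in its final form.
        decoded = unquote_plus(text)
        if MACRO_RE.search(decoded):
            return decoded
    return None


def scan(log_text):
    """One finding per log line that looks like a CVE-2025-24893 attempt."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        text = injected_macro(rec["target"])
        if text is not None:
            findings.append({"ip": rec["ip"], "ts": rec["ts"], "text": text})
    return findings


def two_pass_sources(findings, min_gap_minutes=20):
    """Source IPs with two or more attempts spread over at least
    `min_gap_minutes`, the stage-then-execute cadence VulnCheck describes."""
    by_ip = defaultdict(list)
    for f in findings:
        by_ip[f["ip"]].append(f["ts"])
    hits = []
    for ip, stamps in by_ip.items():
        stamps.sort()
        gap_minutes = (stamps[-1] - stamps[0]).total_seconds() / 60
        if len(stamps) >= 2 and gap_minutes >= min_gap_minutes:
            hits.append(ip)
    return sorted(hits)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for f in found:
        print(f"{f['ip']} {f['ts'].isoformat()} text={f['text']!r}")
    print("two-pass sources:", two_pass_sources(found))
```

Run it against real logs with `scan(open(path).read())`. A hit on `scan` alone is enough to open a ticket; `two_pass_sources` is only a triage aid for separating a returning operator from one-shot scanners, and it will miss an attacker who rotates source addresses between passes. The detector is a compensating control, not a fix: the fix is upgrading to one of the patched versions named above (15.10.11, 16.4.1 or 16.5.0RC1, or later).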


Written by Ionut Arghire, an international correspondent for SecurityWeek.
