Ethical Hacking News
The RondoDox botnet is now exploiting a critical remote code execution (RCE) flaw in XWiki Platform, with multiple threat actors using it to hack servers. The vulnerability has been marked as actively exploited by CISA, and immediate patching is strongly advised for administrators to ensure the security of their servers.
The RondoDox botnet is leveraging a critical RCE flaw (CVE-2025-24893) in XWiki Platform to compromise servers. Immediate patching is strongly advised for administrators to ensure server security. The vulnerability impacts versions before 15.10.11 and 16.4.1 of the XWiki Platform. The RondoDox botnet has been linked to at least 30 devices via 56 known vulnerabilities. Exploitation activity for CVE-2025-24893 has been documented by VulnCheck with publicly available IoCs.
In a recent development that highlights the ongoing threats posed by malicious cyber actors, researchers at VulnCheck have discovered that the RondoDox botnet is now leveraging a critical remote code execution (RCE) flaw in the XWiki Platform to compromise servers. The vulnerability is tracked as CVE-2025-24893 and has been marked as actively exploited by the U.S. Cybersecurity and Infrastructure Security Agency (CISA). The malicious actors, including RondoDox botnet operators, have been using a specially crafted HTTP GET request that injects base64-encoded Groovy code through the XWiki SolrSearch endpoint to download and execute a remote shell payload.
According to VulnCheck, this particular vulnerability impacts versions before 15.10.11 and 16.4.1 of the XWiki Platform. Given its active exploitation status, immediate patching is strongly advised for administrators to ensure the security of their servers. The fact that multiple attackers began exploiting this vulnerability just days after its initial discovery emphasizes the urgency of addressing such flaws in a timely manner.
The RondoDox botnet has been tracked as an emerging threat since it first appeared earlier this year. In early October, Trend Micro warned about the exponential growth of this malware, with recent variants targeting at least 30 devices via 56 known vulnerabilities, some of them disclosed at Pwn2Own hacking competitions. The most recent variant exploits CVE-2025-24893 to gain unauthorized access to servers.
Beyond the RondoDox activity, VulnCheck has observed further attacks involving cryptocurrency miner deployments and attempts to establish a bash reverse shell on November 7. They have also recorded widespread scanning using Nuclei, sending payloads that attempt to execute cat /etc/passwd via Groovy injection in the XWiki SolrSearch endpoint, as well as OAST-based probing.
The exploitation activity for CVE-2025-24893 has been documented by VulnCheck, with publicly available indicators of compromise (IoCs) associated with RondoDox. Blocking these IoCs at the perimeter and monitoring logs for them can help protect against further attacks from this actor.
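The two checks an administrator would want from the paragraphs above are (a) whether a given XWiki Platform version falls before the fixed releases 15.10.11 and 16.4.1, and (b) whether web server access logs show Groovy wiki-macro markers being sent to the SolrSearch endpoint. The following Python is an added example written for this article; it is not code from VulnCheck, Trend Micro or the XWiki project. The endpoint path /bin/get/Main/SolrSearch, the log format (Apache/nginx combined style) and all sample log lines are assumptions constructed for the demonstration; the marker strings are the standard XWiki macro syntax that a legitimate search string would never contain.

```python
import re
from urllib.parse import unquote

# --- 1. Affected-version check (fixed versions quoted in the article) ---------
# XWiki Platform before 15.10.11 on the 15.x line and before 16.4.1 on 16.x.
FIXED_15 = (15, 10, 11)
FIXED_16 = (16, 4, 1)

def parse_version(text):
    """'15.10.10' -> (15, 10, 10); pre-release suffixes such as '-rc-1' are ignored."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)

def is_affected(version):
    v = parse_version(version)
    if v[0] < 15:
        return True            # older than every fixed release
    if v[0] == 15:
        return v < FIXED_15
    if v[0] == 16:
        return v < FIXED_16
    return False               # later major lines are assumed to include the fix

# --- 2. Access-log triage for Groovy injection via the SolrSearch endpoint -----
SOLR_PATH = "/bin/get/Main/SolrSearch"   # assumed path; adjust to your context root
# Wiki-syntax markers (and the base64 hint from the article) that do not belong
# in a search string.
MARKERS = ("{{groovy", "{{/groovy", "{{async", "base64")

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

def decode_repeatedly(s, max_rounds=4):
    """Undo stacked percent-encoding so double-encoded payloads are not missed."""
    for _ in range(max_rounds):
        d = unquote(s)
        if d == s:
            break
        s = d
    return s

def triage_line(line):
    """Return a finding dict for a suspicious SolrSearch request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    if not path.endswith(SOLR_PATH):
        return None
    decoded = decode_repeatedly(query).lower()
    hits = [mk for mk in MARKERS if mk in decoded]
    if not hits:
        return None
    return {"ip": m.group("ip"), "ts": m.group("ts"),
            "status": m.group("status"), "markers": hits}

def scan_log(lines):
    return [f for f in (triage_line(l) for l in lines) if f]

# Constructed sample log lines (not real traffic). The second carries the
# async/groovy macro markers; the fourth carries them double percent-encoded.
SAMPLE_LOG = [
    '10.0.0.5 - - [07/Nov/2025:10:01:02 +0000] "GET /bin/get/Main/SolrSearch?media=rss&text=release+notes HTTP/1.1" 200 4120',
    '198.51.100.23 - - [07/Nov/2025:10:02:15 +0000] "GET /bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln(%22probe%22)%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D HTTP/1.1" 200 812',
    '10.0.0.9 - - [07/Nov/2025:10:03:40 +0000] "GET /bin/view/Main/ HTTP/1.1" 200 9930',
    '203.0.113.77 - - [07/Nov/2025:10:05:09 +0000] "GET /bin/get/Main/SolrSearch?media=rss&text=%257B%257Bgroovy%257D%257D HTTP/1.1" 500 301',
]

if __name__ == "__main__":
    for v in ("15.10.10", "15.10.11", "16.3.2", "16.4.1"):
        print(v, "affected" if is_affected(v) else "fixed")
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The decode loop matters because a single unquote() leaves %257B as %7B and the marker is never seen; the response status is kept in each finding because a 200 on a request carrying the markers is a stronger signal than a 500 and should be prioritised for host-level follow-up (process listings, outbound connections, new cron entries).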
In light of the ongoing threat posed by malware like RondoDox, it is clear that administrators must prioritize securing their servers through patching vulnerabilities promptly and employing robust security measures to prevent unauthorized access. The incident serves as a reminder of the importance of staying vigilant in addressing emerging threats and the need for continuous updates and patches to mitigate risks.
Related Information:
https://www.ethicalhackingnews.com/articles/RondoDox-Botnet-Exploits-Critical-XWiki-Flaw-for-Remote-Code-Execution-ehn.shtml
Published: Mon Nov 17 16:51:16 2025 by llama3.2 3B Q4_K_M