Ethical Hacking News

RondoDox Botnet Exploits Unpatched XWiki Vulnerability to Pull More Devices into Its Botnet

A botnet has been exploiting a critical, already-patched flaw in XWiki instances that have not been updated, a reminder that a vulnerability stays exploitable for as long as the fix is not deployed. This article covers what is known about the attack and what organizations running XWiki should do about it.

  • The RondoDox botnet is exploiting a critical security flaw (CVE-2025-24893) in unpatched XWiki instances to achieve arbitrary remote code execution.
  • The XWiki maintainers patched the flaw in late February 2025; exploitation in the wild has been observed since at least March.
  • RondoDox-related activity surged in November 2025, with exploitation attempts peaking on November 7 and again on November 11.
  • RondoDox uses compromised devices for DDoS attacks, and other actors are using the same flaw to deploy cryptocurrency miners.
  • The activity highlights the need for prompt patching and for monitoring of internet-exposed XWiki instances.

In a development that highlights the ongoing threat of unpatched vulnerabilities, RondoDox, a known botnet, has been found exploiting a critical security flaw in XWiki instances that have not been updated. The vulnerability, tracked as CVE-2025-24893 (CVSS score: 9.8), is an eval injection bug that allows an attacker to achieve arbitrary remote code execution through a request to the "/bin/get/Main/SolrSearch" endpoint. The maintainers patched it in XWiki 15.10.11, 16.4.1, and 16.5.0RC1 in late February 2025. In practice, this means 15.x deployments need at least 15.10.11 and 16.x deployments need at least 16.4.1 or a 16.5 release; anything on 16.0 through 16.3, or on an older 15.x release, has no fix on its own line and must be upgraded.
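As an added example that is not part of the article and is not XWiki's or VulnCheck's own tooling, the following Python script does the two checks a defender would want from the paragraph above: it decides whether an XWiki version string is at or past the fixed releases named (15.10.11, 16.4.1, 16.5.0RC1), and it scans web server access-log lines for requests to the /bin/get/Main/SolrSearch endpoint whose `text` parameter carries wiki-macro syntax. The log format (Apache/nginx combined), the sample log lines, and the macro markers ({{groovy}}, {{async}} and so on, which is how the public advisory describes the injected content) are assumptions, not details taken from this page.

```python
"""Triage helpers for CVE-2025-24893 (XWiki SolrSearch eval injection).

Added example; not code from the article, XWiki, or VulnCheck.
Assumptions (not stated on the page): access logs are in the common
Apache/nginx "combined" format, the injected content arrives in the
`text` query parameter of /bin/get/Main/SolrSearch as XWiki macro syntax
such as {{groovy}} or {{async}}, and the fixed-version logic only covers
the three release lines the article names.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

VULN_PATH = "/bin/get/Main/SolrSearch"

# Markers of wiki-macro syntax inside a search string. Assumption: a genuine
# search term has no reason to contain these; tune the list for your traffic.
MACRO_MARKERS = ("{{groovy", "{{async", "{{velocity", "}}}")

# Combined log format: ip ident user [time] "method target protocol" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def is_patched(version: str) -> bool:
    """Return True if an XWiki version string is at or past a fixed release.

    Fixed releases per the article: 15.10.11, 16.4.1, 16.5.0RC1. Anything on
    the 16.5 line or later (including 17.x) is therefore treated as fixed;
    16.0-16.3, 15.x below 15.10.11, and 14.x or older have no fix on their line.
    """
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised XWiki version: {version!r}")
    major, minor, patch = int(m[1]), int(m[2]), int(m[3] or 0)
    if (major, minor) >= (16, 5):
        return True
    if (major, minor) == (16, 4):
        return patch >= 1
    if (major, minor) == (15, 10):
        return patch >= 11
    return False


def triage_line(line: str):
    """Classify one access-log line; None if it is not a SolrSearch request."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    if not url.path.endswith(VULN_PATH):
        return None
    text = parse_qs(url.query).get("text", [""])[0]
    # parse_qs percent-decodes once; decode again so a double-encoded payload
    # (%257B -> %7B -> '{') is still visible to the marker check.
    decoded = unquote(text).lower()
    markers = [k for k in MACRO_MARKERS if k in decoded]
    return {
        "ip": m["ip"],
        "time": m["ts"],
        "status": m["status"],
        "text": decoded,
        "markers": markers,
        "suspicious": bool(markers),
    }


def triage_log(log: str) -> list:
    """Run triage_line over a whole log and return every SolrSearch request."""
    return [r for r in (triage_line(line) for line in log.splitlines()) if r]


# Constructed sample log (RFC 5737 documentation addresses, made-up timestamps).
# Line 1 carries macro syntax in `text`, line 2 is an ordinary search, line 3 is
# an unrelated page view, line 4 is the same marker double-percent-encoded.
SAMPLE_LOG = """\
203.0.113.7 - - [03/Nov/2025:14:02:11 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28%22x%22%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D HTTP/1.1" 200 1842 "-" "Mozilla/5.0"
198.51.100.21 - - [03/Nov/2025:14:05:40 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=release+notes HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
192.0.2.9 - - [03/Nov/2025:14:06:02 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 5210 "-" "curl/8.4"
203.0.113.7 - - [03/Nov/2025:14:07:19 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=%257B%257Bgroovy%257D%257D HTTP/1.1" 200 1800 "-" "python-requests/2.31"
"""

if __name__ == "__main__":
    for hit in triage_log(SAMPLE_LOG):
        flag = "SUSPICIOUS" if hit["suspicious"] else "ok"
        print(f'{hit["time"]} {hit["ip"]} {flag} markers={hit["markers"]}')
    for v in ("15.10.10", "15.10.11", "16.3.2", "16.4.1", "16.5.0RC1"):
        print(v, "patched" if is_patched(v) else "VULNERABLE")
```

Run it as a script to see the triage of the embedded sample; in practice feed it the reverse proxy or servlet container log in front of XWiki. A request to this endpoint with macro syntax in the search text is worth treating as an exploitation attempt regardless of the HTTP status returned, and the version check only tells you whether the fix is present, not whether the instance was compromised before the fix was applied.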

Despite the patch, there is evidence that the vulnerability had been exploited in the wild since at least March 2025. It was not until late October that VulnCheck disclosed it had observed fresh attempts weaponizing the flaw as part of a two-stage attack chain to deploy a cryptocurrency miner.

In recent weeks, RondoDox-related activity has surged. According to VulnCheck's latest report, published on November 15, 2025, exploitation attempts reached a new high on November 7, followed by another spike on November 11. VulnCheck reads this as broader scanning activity likely driven by multiple threat actors rather than a single campaign.

RondoDox is a known botnet that rapidly adds new exploitation vectors to rope susceptible devices into its network, which it uses to conduct distributed denial-of-service (DDoS) attacks over HTTP, UDP, and TCP. Per VulnCheck, the first RondoDox exploitation attempt against this flaw was observed on November 3, 2025.

Other attackers have also been observed exploiting CVE-2025-24893 to deliver cryptocurrency miners, alongside attempts to establish a reverse shell and general probing activity using a Nuclei template for CVE-2025-24893. Probing with an off-the-shelf scanner template means that any exposed, unpatched instance should be assumed to have been found, which is why patch management needs to be timely rather than periodic.

"CVE-2025-24893 is a familiar story: one attacker moves first, and many follow," VulnCheck's Jacob Baines said. "Within days of the initial exploitation, we saw botnets, miners, and opportunistic scanners all adopting the same vulnerability." The window between first exploitation and mass adoption is measured in days, so organizations need to monitor their exposed systems and act on a reported exploited flaw promptly rather than waiting for a named campaign.

As RondoDox continues to exploit this vulnerability, organizations running XWiki should upgrade to a fixed release (15.10.11, 16.4.1, 16.5.0RC1 or later) and review web server logs for requests to the "/bin/get/Main/SolrSearch" endpoint, since an instance that was exposed before patching may already have been compromised. Keeping systems patched minimizes the risk of being swept into this botnet or of hosting a miner.

In conclusion, the recent surge in RondoDox-related activity underscores the threat posed by vulnerabilities that have a patch available but not applied. Organizations should prioritize timely patching of internet-facing software and keep monitoring their systems for signs of exploitation.

Related Information:
  • https://thehackernews.com/2025/11/rondodox-exploits-unpatched-xwiki.html

  • https://www.fortinet.com/blog/threat-research/rondobox-unveiled-breaking-down-a-botnet-threat

  • https://gbhackers.com/rondodox-botnet-2/


Published: Sat Nov 15 10:52:10 2025 by llama3.2 3B Q4_K_M

© Ethical Hacking News. All rights reserved.