

Ethical Hacking News

RondoDox Exploits XWiki RCE Bug: A Threat to Unpatched Wiki Servers



The RondoDox botnet has expanded its reach by exploiting a critical XWiki RCE bug, leaving thousands of unpatched servers vulnerable to infection. It is a stark reminder of the importance of maintaining up-to-date security patches and staying vigilant against emerging threats.

  • The recent expansion of the RondoDox botnet has exploited a critical Remote Code Execution (RCE) bug in unpatched XWiki servers, allowing attackers to gain unauthorized access and infect additional devices.
  • The vulnerability, CVE-2025-24893, was left unaddressed since February 2025, making it easy for attackers to exploit.
  • Attacks exploiting this bug have surged significantly, with many unpatched XWiki servers remaining vulnerable to exploitation.
  • Patches were released in XWiki versions 15.10.11, 16.4.1, and 16.5.0RC1 to address the vulnerability, but many systems remain unpatched.
  • The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the XWiki Platform flaw to its Known Exploited Vulnerabilities (KEV) catalog, highlighting the severity of this issue.



    The RondoDox botnet's recent expansion through exploitation of a critical Remote Code Execution (RCE) bug in unpatched XWiki servers has sent shockwaves throughout the cybersecurity community. The vulnerability, identified as CVE-2025-24893, was left unaddressed since February 2025, allowing attackers to gain unauthorized access and infect additional devices.

    The RondoDox botnet is a notorious group of malware that has been linked to various malicious activities, including the spread of ransomware and the creation of cryptocurrency mining operations. The recent exploitation of the XWiki RCE bug serves as a stark reminder of the importance of maintaining up-to-date software and security patches.

    XWiki Platform is a generic wiki framework designed to provide runtime services for applications built on top of it. However, the SolrSearch feature in the platform contains a critical flaw that allows unauthenticated users to execute arbitrary code on the server. This vulnerability can be exploited by injecting malicious Groovy code into the RSS feed generation mechanism through a specially crafted request to the SolrSearch endpoint.

    The impact of this vulnerability cannot be overstated. A successful exploit allows attackers to execute any code they desire, resulting in significant risks to the confidentiality, integrity, and availability of the entire XWiki installation. This is particularly concerning for organizations that rely heavily on XWiki for their online presence.

    Fortunately, patches were released in XWiki versions 15.10.11, 16.4.1, and 16.5.0RC1 to address this vulnerability. However, due to its relatively recent publication, many unpatched XWiki servers remain vulnerable to exploitation. It is imperative that users upgrade their software as soon as possible.
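
    An added example, not part of the original article or of XWiki's own tooling: a small Python triage that checks an inventory of XWiki version strings against the fixed releases listed above. The hostnames, sample inventory and function names are constructed for illustration; versions below the 15.x line and pre-release builds of a boundary version are assumed unpatched because the article names no fix for them.

```python
import re

# Fixed releases named in the article: 15.10.11, 16.4.1 and 16.5.0RC1.
FIXED_15_LINE = (15, 10, 11)
FIXED_16_LINE = (16, 4, 1)

# Accepts "16.4.1", "16.5.0RC1" and XWiki-style "16.5.0-rc-1" / "16.0.0-milestone-2".
_VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)(?:\.(\d+))?(?:[-.]?(rc|milestone|snapshot)[-.]?(\d*))?\s*$",
    re.IGNORECASE,
)


def parse_version(text):
    """Return ((major, minor, patch), is_prerelease) or raise ValueError."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised XWiki version: {text!r}")
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)
    return (major, minor, patch), m.group(4) is not None


def is_patched(text):
    """True if the version is at or above the fixed release for its line."""
    release, prerelease = parse_version(text)
    fixed = FIXED_16_LINE if release[0] >= 16 else FIXED_15_LINE
    if release > fixed:
        return True  # includes 16.5.0RC1, which the article lists as fixed
    # A pre-release of the boundary version itself is treated as unpatched
    # (conservative assumption; the article does not cover such builds).
    return release == fixed and not prerelease


def triage(inventory):
    """Map host -> 'patched' | 'VULNERABLE' | 'unknown' for a {host: version} dict."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = "patched" if is_patched(version) else "VULNERABLE"
        except ValueError:
            result[host] = "unknown"  # unparseable version string: check by hand
    return result


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = {"wiki-a.example": "15.10.10", "wiki-b.example": "16.4.1", "wiki-c.example": "16.5.0RC1"}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

    Hosts reported as "unknown" need a manual version check rather than being assumed safe.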

    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the XWiki Platform flaw to its Known Exploited Vulnerabilities (KEV) catalog, highlighting the severity of this issue. According to reports from VulnCheck, attacks exploiting CVE-2025-24893 have surged significantly since the RondoDox botnet started targeting the vulnerability on November 3, 2025.

    The first recorded exploit was observed on November 3, 2025, with activity steadily increasing since then. Attackers are using various techniques to infect XWiki servers, including delivering malicious scripts via compromised servers and utilizing reverse shells to gain unauthorized access.

    While some attackers appear to be using manual hacking methods, others are leveraging automated tools designed to avoid normal HTTP traffic. In one instance, an AWS IP was observed sending both reverse-shell attempts and special probes, suggesting a more targeted attack.

    The use of such sophisticated techniques underscores the growing threat landscape in the world of cybersecurity. As vulnerability exploitation continues to expand quickly, it is essential for organizations to prioritize their security measures and stay vigilant against emerging threats.

    In recent months, we have witnessed various high-profile examples of RCE bugs being exploited by malicious actors. The XWiki CVE-2025-24893 exploit serves as a stark reminder that even the most seemingly minor vulnerabilities can be catastrophic in nature.

    The fact that attackers are already days ahead of CISA's Known Exploited Vulnerabilities catalog highlights the need for early detection and proactive security measures. As cybersecurity professionals, it is our responsibility to stay informed about emerging threats and provide guidance on how to protect ourselves against them.

    In conclusion, the recent expansion of the RondoDox botnet by exploiting a critical XWiki RCE bug serves as a dire warning to organizations with unpatched wiki servers. It is imperative that users upgrade their software as soon as possible to avoid falling victim to this malicious activity.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/RondoDox-Exploits-XWiki-RCE-Bug-A-Threat-to-Unpatched-Wiki-Servers-ehn.shtml

  • https://securityaffairs.com/184702/malware/rondodox-expands-botnet-by-exploiting-xwiki-rce-bug-left-unpatched-since-february-2025.html

  • https://nvd.nist.gov/vuln/detail/CVE-2025-24893

  • https://www.cvedetails.com/cve/CVE-2025-24893/


  • Published: Mon Nov 17 02:34:56 2025 by llama3.2 3B Q4_K_M












