The RondoDox botnet malware is actively exploiting unpatched XWiki servers via the critical vulnerability CVE-2025-24893 (CVSS 9.8), allowing arbitrary remote code execution.
CVE-2025-24893
Eval injection bug that lets any guest user execute remote code via the /bin/get/Main/SolrSearch endpoint.
Affected versions: All before XWiki 15.10.11, 16.4.1 or 16.5.0RC1
Patch available from: February 2025
RondoDox: an expanding botnet
RondoDox enlists compromised devices for:
- DDoS attacks (HTTP, UDP, TCP)
- Cryptocurrency mining
- Persistent access (reverse shells, backdoors)
Chronology: March 2025 (first evidence) -> Nov 3 (first RondoDox exploitation) -> Nov 7 (maximum peak) -> Nov 11 (new wave)
Urgent mitigation
CISA added this vulnerability to its KEV catalog, requiring mitigations by November 20, 2025.
Immediate Actions
- Update XWiki to a patched version (15.10.11+, 16.4.1+ or 16.5.0RC1+)
- Restrict access to the /bin/get/Main/SolrSearch endpoint if you cannot update
- Monitor logs to detect exploitation attempts
- Review unusual processes and outbound connections
Best Practices
- Robust patch management
- Continuous threat monitoring
- Principle of least privilege
- Network segmentation
Indicators of compromise
- Suspicious requests to /bin/get/Main/SolrSearch
- High CPU/memory consumption
- Unknown processes
- Unusual network traffic (UDP/TCP outgoing)
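A simple check for the log-monitoring step and the first indicator above, added here as an example and not part of the original advisory: it scans web-server access logs for requests to the SolrSearch endpoint (including percent-encoded and context-path variants) and tallies them per source address. The combined log format and the sample log lines are assumptions, constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# Endpoint the advisory names as the exploitation vector for CVE-2025-24893.
SOLRSEARCH_PATH = "/bin/get/Main/SolrSearch"

# Apache/nginx "combined" access log format (assumed; adjust to your server).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample lines (not real traffic): one normal page view, two probes
# from the same address (one with an encoded path under a context path),
# one probe that was rejected, and one unparseable line.
SAMPLE_LOG = [
    '203.0.113.5 - - [07/Nov/2025:10:14:55 +0000] "GET /bin/view/Main/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [07/Nov/2025:10:15:01 +0000] "GET /bin/get/Main/SolrSearch?text=probe HTTP/1.1" 200 512 "-" "curl/8.0"',
    '198.51.100.7 - - [07/Nov/2025:10:15:03 +0000] "GET /xwiki/bin/get/Main/Solr%53earch?text=probe HTTP/1.1" 200 512 "-" "curl/8.0"',
    '192.0.2.9 - - [07/Nov/2025:10:16:40 +0000] "GET /bin/get/Main/SolrSearch HTTP/1.1" 404 0 "-" "python-requests/2.31"',
    "not a log line",
]

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_solrsearch_hit(entry):
    """True if the decoded request path ends with the SolrSearch endpoint."""
    path = unquote(urlsplit(entry["url"]).path).rstrip("/")
    return path.lower().endswith(SOLRSEARCH_PATH.lower())

def find_suspicious(lines):
    """Return the parsed entries that target the SolrSearch endpoint."""
    entries = (parse_line(line) for line in lines)
    return [e for e in entries if e and is_solrsearch_hit(e)]

def summarize(hits):
    """Per source IP: total requests to the endpoint and how many got a 2xx reply."""
    per_ip = Counter(h["ip"] for h in hits)
    served = Counter(h["ip"] for h in hits if h["status"].startswith("2"))
    return {ip: {"requests": n, "served": served[ip]} for ip, n in per_ip.items()}

if __name__ == "__main__":
    for ip, stats in summarize(find_suspicious(SAMPLE_LOG)).items():
        print(f"{ip}: {stats['requests']} request(s), {stats['served']} served with 2xx")
```

Feed it your real access log (one line per list entry) and treat any source with served requests to this endpoint on an unpatched server as a priority for the process and network review listed above.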
Conclusion: The active exploitation of CVE-2025-24893 underscores the critical importance of maintaining up-to-date systems. Organizations using XWiki should prioritize updating immediately.