The botnet malware known as RondoDox has been observed targeting unpatched XWiki instances against a critical security flaw that could allow attackers to achieve arbitrary code execution.
The vulnerability in question is CVE-2025-24893 (CVSS score: 9.8), an eval injection bug that could allow any guest user to perform arbitrary remote code execution through a request to the “/bin/get/Main/SolrSearch” endpoint. It was patched by the maintainers in XWiki 15.10.11, 16.4.1, and 16.5.0RC1 in late February 2025.
While there was evidence that the shortcoming had been exploited in the wild since at least March, it wasn’t until late October, when VulnCheck disclosed it had observed fresh attempts weaponizing the flaw as part of a two-stage attack chain to deploy a cryptocurrency miner.
Subsequently, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply necessary mitigations by November 20.
In a fresh report published Friday, VulnCheck revealed that it has since observed a spike in exploitation attempts, hitting a new high on November 7, followed by another surge on November 11. This indicates broader scanning activity likely driven by multiple threat actors participating in the effort.
This includes RondoDox, a botnet that’s rapidly adding new exploitation vectors to rope susceptible devices into a botnet for conducting distributed denial-of-service (DDoS) attacks using HTTP, UDP, and TCP protocols. The first RondoDox exploit was observed on November 3, 2025, per the cybersecurity company.
Other attacks have been observed exploiting the flaw to deliver cryptocurrency miners, as well as attempts to establish a reverse shell and general probing activity using a Nuclei template for CVE-2025-24893.
The findings once again illustrate the need for adopting robust patch management practices to ensure optimal protection.
“CVE-2025-24893 is a familiar story: one attacker moves first, and many follow,” VulnCheck’s Jacob Baines said. “Within days of the initial exploitation, we saw botnets, miners, and opportunistic scanners all adopting the same vulnerability.”
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
