A critical vulnerability in the popular open-source wiki platform XWiki is now under mass exploitation by multiple threat actor groups, turning unpatched servers into cryptocurrency mining rigs, botnet nodes, and reverse shell endpoints. The flaw, tracked as CVE-2025-24893 with a CVSS severity score of 9.8 out of 10, represents one of the most rapidly adopted vulnerabilities of late 2025, with exploitation expanding from a single crypto-mining operation in October to a multi-group assault by mid-November.
The Exploit Mechanics
The vulnerability exists in XWiki versions prior to 15.10.11, 16.4.1, and 16.5.0RC1. At its core, the flaw involves improper sanitization of user-supplied input to a search function. Remote, unauthenticated attackers can send specially crafted HTTP requests to the search endpoint, which the server processes without adequate validation, ultimately allowing arbitrary code execution on the underlying server. Because the vulnerability requires no authentication whatsoever, any internet-facing XWiki installation with an unpatched version becomes immediately vulnerable to anyone who can reach it.
Proof-of-concept code targeting the issue became publicly available in early 2025, after a CVE identifier was assigned and technical details circulated among security researchers. While reconnaissance activity was observed earlier, active exploitation in the wild began in late October 2025, when the cybersecurity firm VulnCheck first documented a threat actor using the vulnerability to deploy cryptocurrency miners on compromised servers. The United States Cybersecurity and Infrastructure Security Agency, CISA, added the vulnerability to its Known Exploited Vulnerabilities catalog within days of that initial discovery.
Affected Systems
By November 17, VulnCheck reported that exploitation had expanded dramatically across multiple threat groups. The RondoDox botnet integrated an exploit for CVE-2025-24893 into its toolset starting November 3, using it to grow its distributed attack infrastructure. A second cryptocurrency mining operation began leveraging the flaw on November 7, while the original mining group expanded by deploying two new payload hosting servers and a dedicated exploit server. Beyond automated botnet and mining activity, VulnCheck also observed sophisticated threat actors attempting to establish persistent access. One attack originating from an IP address associated with Amazon Web Services attempted to create a reverse shell using the BusyBox netcat binary, suggesting a targeted intrusion rather than opportunistic scanning. Another attacker operating from a compromised host exposing both QNAP and DrayTek interfaces attempted to deploy a bash reverse shell on vulnerable XWiki servers.
XWiki is widely deployed across enterprise environments, educational institutions, and development teams as a collaborative knowledge management platform. Any organization running an unpatched version that has not been updated since June 2024 remains at immediate risk. The rapid proliferation of exploitation tools, from Nuclei scanning templates to custom botnet modules, means that vulnerable systems are being identified and compromised within hours of being discovered.
The Mitigation Strategy
The primary mitigation is straightforward: update XWiki to version 15.10.11, 16.4.1, or later immediately. Organizations that cannot update right away should restrict access to the XWiki search endpoint at the network level, limiting exposure to trusted IP ranges only. Additionally, security teams should review server logs for indicators of compromise, including unexpected outbound connections, unfamiliar processes, and any web shells or reverse shell artifacts. Network monitoring for unusual cryptocurrency mining traffic patterns, such as sustained connections to mining pools, can help identify already-compromised systems.
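The log review step above, as an added example that is not part of the original article or of the XWiki project: a small Python triage script that parses combined-format access log lines and reports every request to the search endpoint that did not originate from a trusted address range. The endpoint path in SEARCH_PATH_PREFIX, the trusted networks and the log lines are constructed placeholders; substitute the actual search endpoint path of your deployment and the ranges you allow to reach it.

```python
"""Triage a web server access log for requests to the XWiki search endpoint
that came from outside the trusted address ranges.

Added example, not XWiki project code. SEARCH_PATH_PREFIX is a placeholder:
substitute the path of the search endpoint in your own deployment.
"""
import ipaddress
import re
from typing import Iterable, List, Optional

# Placeholder path; the real search endpoint path depends on your XWiki deployment.
SEARCH_PATH_PREFIX = "/xwiki/bin/get/Main/Search"

# Ranges allowed to reach the search endpoint (assumed for this example).
TRUSTED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Apache / nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample lines (documentation address ranges, not real clients).
SAMPLE_LOG = [
    '203.0.113.45 - - [12/Nov/2025:03:14:07 +0000] "GET /xwiki/bin/get/Main/Search?text=hello HTTP/1.1" 200 1843 "-" "python-requests/2.31"',
    '10.0.5.12 - - [12/Nov/2025:03:15:22 +0000] "GET /xwiki/bin/get/Main/Search?text=quarterly HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [12/Nov/2025:03:16:40 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.77 - - [12/Nov/2025:03:17:01 +0000] "POST /xwiki/bin/get/Main/Search HTTP/1.1" 500 0 "-" "curl/8.4.0"',
]


def parse_log_line(line: str) -> Optional[dict]:
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_trusted(ip: str) -> bool:
    """True when the client address falls inside one of the trusted ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # malformed address: treat as untrusted
    return any(addr in net for net in TRUSTED_NETWORKS)


def triage(lines: Iterable[str]) -> List[dict]:
    """Return records for search-endpoint requests from untrusted addresses."""
    findings = []
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue
        # Compare the path without its query string.
        path = rec["path"].split("?", 1)[0]
        if not path.startswith(SEARCH_PATH_PREFIX):
            continue
        if is_trusted(rec["ip"]):
            continue
        findings.append(rec)
    return findings


if __name__ == "__main__":
    for rec in triage(SAMPLE_LOG):
        print(f'{rec["time"]} {rec["ip"]} {rec["method"]} {rec["path"]} -> {rec["status"]} ({rec["agent"]})')
```

Run against the constructed sample, the script reports the two search-endpoint requests from outside the trusted ranges and ignores the internal search and the unrelated page view. On a real server, pipe the access log into `triage()` and treat every hit as a candidate for the process and outbound-connection review the article describes.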
The broader lesson from CVE-2025-24893 extends beyond XWiki itself. The vulnerability was patched in June 2024, yet the gap between patch availability and widespread exploitation stretched to nearly five months. During that window, public proof-of-concept code, scanning tools, and ultimately botnet integrations were developed and deployed. Organizations that delay patching, even for months after fixes become available, face increasing risk as exploitation tools proliferate and threat actor interest grows.
Lessons Learned
The XWiki incident illustrates several recurring themes in the 2025 threat landscape. First, the time between public disclosure of a vulnerability and its mass exploitation continues to shrink. Botnet operators and crypto-mining groups are now adopting new vulnerabilities within days of initial exploitation being observed. Second, the shift toward exploiting enterprise collaboration and knowledge management tools, rather than just traditional server software, broadens the attack surface for organizations of all sizes. Third, the multi-actor exploitation pattern, where a single vulnerability is simultaneously targeted by botnets, miners, and targeted intrusion operators, means that even detecting one type of attack does not guarantee the server is secure against others.
User Action Required
If your organization runs XWiki, verify the version immediately. If it is older than 15.10.11 or 16.4.1, apply the update without delay. Review access logs for the search endpoint, check for unexpected processes or network connections, and consider deploying web application firewall rules to block suspicious requests to the search function until the update is applied. In the broader context of cryptocurrency markets, where Bitcoin trades near $92,000 and mining remains profitable, cryptojacking campaigns targeting server infrastructure will continue to be a persistent threat for the foreseeable future.
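The version check in the first step above, as an added example that is not XWiki's own tooling: a Python function that parses an XWiki version string and decides, branch by branch, whether it is at or above the fixed releases the article names (15.10.11, 16.4.1, 16.5.0RC1). The sample version strings are constructed; the treatment of pre-release tags (RC, milestone) as preceding the final release of the same number is an assumption about XWiki's version naming rather than something the article states.

```python
"""Decide whether an XWiki version string is at or above the fixed releases
named in the article (15.10.11, 16.4.1, 16.5.0RC1).

Added example, not XWiki project code. Pre-release handling is an assumption.
"""
import re
from typing import Optional, Tuple

# Fixed release per supported branch, as stated in the article.
FIXED_BY_BRANCH = {
    15: (15, 10, 11),
    16: (16, 4, 1),
}
# The article lists no fixed release for branches older than 15.x.
OLDEST_FIXED_BRANCH = 15

# Accepts "15.10.11", "16.5.0RC1", "16.5.0-rc-1", "16.0.0-milestone-2".
VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)(?:\.(\d+))?(?:[-.]?(rc|milestone)[-.]?(\d+))?$",
    re.IGNORECASE,
)


def parse_version(text: str) -> Tuple[Tuple[int, int, int], Optional[int]]:
    """Return ((major, minor, patch), pre_release_number or None)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, tag, pre = m.groups()
    numbers = (int(major), int(minor), int(patch or 0))
    pre_num = int(pre) if tag else None
    return numbers, pre_num


def is_fixed(version: str) -> bool:
    """True when the given version carries the fix for CVE-2025-24893."""
    numbers, pre_num = parse_version(version)
    major = numbers[0]
    if major < OLDEST_FIXED_BRANCH:
        return False  # 14.x and earlier: no fixed release listed
    if major not in FIXED_BY_BRANCH:
        return True  # branches newer than 16.x were released after the fix
    fixed = FIXED_BY_BRANCH[major]
    if numbers != fixed:
        return numbers > fixed
    # Exactly the fixed number: a pre-release of it (e.g. 16.4.1-rc-1)
    # predates the final release, so only the final release counts as fixed.
    return pre_num is None


def report(versions) -> dict:
    """Map each version string to 'fixed' or 'UPDATE REQUIRED'."""
    return {v: ("fixed" if is_fixed(v) else "UPDATE REQUIRED") for v in versions}


if __name__ == "__main__":
    # Constructed sample inventory of installed versions.
    sample = ["14.10.21", "15.10.10", "15.10.11", "16.4.0", "16.4.1", "16.5.0RC1", "17.0.0"]
    for version, verdict in report(sample).items():
        print(f"{version:12} {verdict}")
```

Anything on a branch older than 15.x reports as needing an update, since the article lists no fixed release for those branches; the only remedy there is moving to a supported branch.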
Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Always conduct your own research before making any financial decisions.
RondoDox botnet adding XWiki exploit to its toolkit means this will be automated at scale. The window between CVE disclosure and mass exploitation keeps shrinking.
Man, these botnets are getting aggressive. Imagine putting all that computing power toward something useful instead of just hijacking XWiki servers for stealth mining. It really highlights the dark side of the mining industry when the barrier to entry is just one unpatched vulnerability. Definitely checking my own nodes tonight!
HODL_Warrior_88 RCE with 9.8 CVSS and no auth required. The barrier to entry is literally sending an HTTP request. Expect more of this as mining profitability stays strong.
rce_plague 9.8 CVSS with no auth required and people still run unpatched XWiki servers. The barrier to exploitation is sending a crafted HTTP request. Patch your stuff.
cvss_watch_ 9.8 CVSS with no auth required and people still run unpatched XWiki on the open internet. Some organizations deserve to get cryptojacked.
The scale of this XWiki exploitation is significant because it targets collaborative platforms that often hold sensitive data. When miners use RCEs to build botnets, they aren’t just stealing electricity; they’re compromising the integrity of the host systems. This trend of “crypto-jacking” continues to be a major headwind for legitimate mining operations and network reputation.
Dr. Crypto_Analyst calling cryptojacking a headwind for legitimate mining is generous. It's straight-up theft of compute resources. Unpatched XWiki servers are free money for botnets.
patch_now_ cryptojacking is theft of compute, plain and simple. But the real danger is when botnets pivot from mining to data exfiltration on those same compromised servers.
CVSS 9.8 with no authentication required and proof-of-concept code publicly available. This is as bad as it gets for enterprise software.
patch_tuesday the jump from a single crypto-mining group in October to a multi-group assault by November shows how fast exploit sharing happens in 2025.
CVSS 9.8 and unauthenticated. If you're running XWiki on the public internet and haven't patched, you basically put a "free crypto miner" sign on your front door.
One week from patch to mass exploitation. Same pattern as log4j, same pattern as every critical CVE. Nobody learns.