A sharp rise in attacks against a critical XWiki vulnerability has become a serious concern. CVE-2025-24893 is being actively exploited by several threat actors to build botnets, deploy coin miners, and gain unauthorized server access across the internet.
Exploitation has increased significantly since the first finding on October 28, 2025. According to VulnCheck, the vulnerability is currently being actively targeted by numerous independent attackers, ranging from professional actors using specialized scanners and custom tools to automated botnets. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-24893 to its Known Exploited Vulnerabilities list on October 30, 2025, just two days after the initial discovery.
Since then, scanning and attack attempts against canary systems have increased significantly. The attackers are a diverse group. The RondoDox botnet added this vulnerability to its attack toolkit on November 3, 2025, which produced a dramatic rise in exploitation attempts.
These attacks can be recognized by their distinctive payload naming conventions and HTTP User-Agent signatures. The wave of exploitation also includes cryptocurrency mining: several mining campaigns have been observed retrieving secondary payloads from previously compromised servers.
On susceptible XWiki installations, VulnCheck researchers saw attackers downloading hidden scripts that eventually install cryptocurrency mining software.
More worrying are the reverse shell attempts, which suggest hands-on-keyboard activity. VulnCheck researchers found multiple attempts to establish direct command-and-control connections.
One attack originated from an AWS-connected IP address that had never been seen in abuse before, suggesting more targeted activity than automated scanning.
The vulnerability allows attackers to run arbitrary code on internet-exposed XWiki servers through carefully constructed requests to the SolrSearch endpoint.
By abusing Groovy's scripting capabilities, attackers download and run malicious payloads such as cryptocurrency miners and botnet recruitment scripts.
VulnCheck analysts have reported attacks from many IP addresses in various countries, with payload hosting servers regularly shifting location.
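As an added, defender-side illustration (not code from the article, VulnCheck or XWiki): a small access-log triage routine that flags SolrSearch requests whose query string carries XWiki macro syntax, the request shape the article attributes to this exploitation. The log lines are constructed, and the `/xwiki/bin/get/Main/SolrSearch` path and the macro names checked are assumptions about a default install, not values taken from the article.

```python
"""Triage web access logs for requests that probe the XWiki SolrSearch endpoint
with script macros (CVE-2025-24893 style). Added example; assumptions:
  * combined-format access logs (constructed sample below);
  * the search page lives under a path containing "SolrSearch"
    (default install path /xwiki/bin/get/Main/SolrSearch, an assumption);
  * injected script appears as XWiki macro syntax in the decoded query."""
import re
from urllib.parse import unquote

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Macro names a legitimate search query has no business carrying.
MACRO_RE = re.compile(r"\{\{\s*(groovy|async|velocity)\b", re.IGNORECASE)

def is_solr_macro_probe(url: str) -> bool:
    """True when a SolrSearch request carries XWiki macro syntax in its query."""
    if "solrsearch" not in url.lower():
        return False
    _path, _, query = url.partition("?")
    # Decode twice: double-encoded queries would otherwise slip past the check.
    decoded = unquote(unquote(query))
    return MACRO_RE.search(decoded) is not None

def triage(lines):
    """Return (ip, user_agent, status) for each log line that looks like a probe."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_solr_macro_probe(m["url"]):
            hits.append((m["ip"], m["ua"], int(m["status"])))
    return hits

# Constructed sample log lines (documentation IP ranges, not real indicators).
SAMPLE_LOG = [
    '198.51.100.7 - - [03/Nov/2025:10:01:02 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%281%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; scanner-example)"',
    '203.0.113.9 - - [03/Nov/2025:10:01:05 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=release%20notes HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '192.0.2.4 - - [03/Nov/2025:10:02:11 +0000] "GET /xwiki/bin/view/Main/ HTTP/1.1" 200 4096 "-" "curl/8.4.0"',
]

if __name__ == "__main__":
    for ip, ua, status in triage(SAMPLE_LOG):
        print(f"probe from {ip} ({ua}) -> HTTP {status}")
```

An HTTP 200 on a flagged request is worth escalating, since a patched instance should not execute the injected macro; correlate the source IP and User-Agent with the payload naming and UA signatures the article mentions.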
