Cybersecurity researchers identified a critical **Remote Code Execution (RCE) vulnerability (CVE-2025-24893)** in **XWiki**, actively exploited by multiple threat actors, including botnets (e.g., **RondoDox**), cryptocurrency miners, and advanced attackers deploying reverse shells. The vulnerability, first exploited on **October 28, 2025**, escalated rapidly, with **CISA adding it to the KEV catalog** just two days later. Attackers leveraged the flaw to compromise servers globally, deploying **malware, coin miners (e.g., payload hash *03a77a556f074184b254d90e13cdd3a31efaa5a77640405e5f78aa462736acf7*), reverse shells (via AWS IPs like *18.228.3.32*), and persistence mechanisms**. Scanning operations (e.g., via **Nuclei templates**) targeted vulnerable installations, attempting to exfiltrate sensitive data (e.g., */etc/passwd*). The attack chain involved **compromised infrastructure (e.g., QNAP/DrayTek devices via CVE-2023-47218)**, indicating layered exploitation. The **speed of weaponization**—from isolated exploits to **widespread botnet integration (RondoDox by November 3)**—left defenders with minimal time to patch, risking **large-scale server takeovers, data breaches, and operational disruption** for organizations relying on XWiki for collaboration or documentation.
Source: https://cyberpress.org/botnet-by-exploiting-xwixi/
XWiki cybersecurity rating report: https://www.rankiteo.com/company/xwiki
{
  "id": "XWI0133201111725",
  "linkid": "xwiki",
  "type": "Vulnerability",
  "date": "6/2023",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization’s existence"
}
{'affected_entities': [{'customers_affected': 'Unknown (all unpatched XWiki instances)',
                        'industry': 'Collaboration Platforms',
                        'location': 'Global',
                        'name': 'XWiki Project',
                        'type': 'Open-Source Software'},
                       {'industry': 'Multiple',
                        'location': 'Global',
                        'name': 'Organizations using XWiki',
                        'type': ['Corporations', 'Government Agencies', 'Educational Institutions']}],
 'attack_vector': ['Remote Code Execution (RCE)', 'Exploitation of CVE-2025-24893 in XWiki'],
 'customer_advisories': ['XWiki project patch notifications'],
 'data_breach': {'file_types_exposed': ['/etc/passwd (attempted access)']},
 'date_detected': '2025-10-28',
 'date_publicly_disclosed': '2025-10-28',
 'description': 'Cybersecurity researchers have detected a dramatic surge in exploitation attempts targeting a critical XWiki vulnerability (CVE-2025-24893), with multiple threat actors actively deploying botnets (e.g., RondoDox), cryptocurrency miners, reverse shells, and custom malware to compromise vulnerable servers worldwide. The vulnerability evolved from isolated attacks to widespread exploitation within days, leaving defenders with minimal time to patch systems. Exploitation includes botnet integration, coin mining campaigns, reverse shell establishment, and automated scanning operations.',
 'impact': {'brand_reputation_impact': ['Potential reputational damage for XWiki and affected organizations'],
            'operational_impact': ['Potential server compromises',
                                   'Unauthorized resource usage (CPU/memory for mining)',
                                   'Backdoor persistence'],
            'systems_affected': 'Global XWiki servers (exact count unknown)'},
 'initial_access_broker': {'backdoors_established': ['Reverse shells (e.g., via BusyBox netcat)',
                                                     'Persistence mechanisms from cryptomining payloads'],
                           'entry_point': 'CVE-2025-24893 (XWiki RCE)',
                           'high_value_targets': ['XWiki servers with internet exposure',
                                                  'Systems with weak credential hygiene'],
                           'reconnaissance_period': 'October 28, 2025 – November 2025 (ongoing)'},
 'investigation_status': 'Ongoing (active exploitation as of November 2025)',
 'lessons_learned': ['Rapid weaponization of vulnerabilities (days between disclosure and widespread exploitation)',
                     'Importance of early detection systems (e.g., VulnCheck Canary Intelligence)',
                     'Need for accelerated patching timelines for critical vulnerabilities',
                     'Threat actors leverage compromised infrastructure (e.g., QNAP/DrayTek devices) for follow-on attacks',
                     'Diverse motivations (botnets, cryptojacking, reconnaissance) require multi-layered defenses'],
 'motivation': ['Financial Gain (Cryptojacking)',
                'Botnet Expansion',
                'Persistence/Access Brokerage',
                'Reconnaissance',
                'Potential Data Theft'],
 'post_incident_analysis': {'corrective_actions': ['Accelerate vulnerability disclosure-to-patch timelines',
                                                   'Improve threat intelligence sharing for emerging exploits',
                                                   'Enhance detection capabilities for post-exploitation activity (e.g., reverse shells)',
                                                   'Hardening of internet-exposed systems to prevent lateral movement'],
                            'root_causes': ['Delayed patching of critical vulnerability',
                                            'Lack of early detection for exploitation attempts',
                                            'Exposed management interfaces (e.g., QNAP/DrayTek) used as launchpads',
                                            'Automated scanning tools (e.g., Nuclei) lowering the barrier for attackers']},
 'recommendations': ['Immediate patching of XWiki instances to CVE-2025-24893',
                     'Monitor for indicators of compromise (IOCs) such as RondoDox User-Agent patterns and known malicious IPs',
                     'Deploy network segmentation to limit lateral movement',
                     'Enhance logging for XWiki servers to detect exploitation attempts (e.g., /etc/passwd access)',
                     'Block known malicious IPs at perimeter firewalls',
                     'Conduct threat hunting for reverse shells and cryptominers',
                     'Review AWS and other cloud environments for unauthorized netcat/BusyBox usage',
                     'Educate teams on the rapid evolution of exploitation (from single actors to botnets within a week)'],
 'references': [{'source': 'VulnCheck Research Report'},
                {'source': 'CISA Known Exploited Vulnerabilities Catalog',
                 'url': 'https://www.cisa.gov/known-exploited-vulnerabilities-catalog'},
                {'source': 'Security Telemetry Data (RondoDox, Cryptomining, Reverse Shells)'}],
 'regulatory_compliance': {'regulatory_notifications': ['CISA KEV catalog inclusion (2025-10-30)']},
 'response': {'communication_strategy': ['Security researcher reports', 'CISA KEV listing'],
              'containment_measures': ['CISA KEV catalog addition (2025-10-30)', 'Public advisories'],
              'enhanced_monitoring': ['Recommended for XWiki servers (e.g., detecting /etc/passwd access attempts)'],
              'remediation_measures': ['Urgent patching of XWiki instances'],
              'third_party_assistance': ['VulnCheck (early detection via Canary Intelligence)']},
 'stakeholder_advisories': ['CISA KEV advisory', 'Security researcher warnings'],
 'threat_actor': [{'indicators': {'first_observed': '2025-11-03',
                                  'ip_addresses': ['74.194.191.52'],
                                  'user_agent': 'rondo..sh'},
                   'name': 'RondoDox Botnet',
                   'type': 'Botnet Operator'},
                  {'indicators': {'domains': ['ospwrf10ny.anondns[.]net'],
                                  'ip_addresses': ['172.245.241.123', '47.236.194.231'],
                                  'payload_hash': '03a77a556f074184b254d90e13cdd3a31efaa5a77640405e5f78aa462736acf7'},
                   'name': 'Unknown Cryptocurrency Mining Group 1',
                   'type': 'Cryptojacking Operator'},
                  {'indicators': {'ip_addresses': ['156.146.56.131']},
                   'name': 'Unknown Cryptocurrency Mining Group 2',
                   'type': 'Cryptojacking Operator'},
                  {'indicators': {'ip_addresses': ['18.228.3.224'],
                                  'tactics': ['AWS-hosted reverse shell via BusyBox netcat']},
                   'name': 'Unknown Reverse Shell Actor 1',
                   'type': 'Sophisticated Threat Actor'},
                  {'indicators': {'compromised_infrastructure': ['QNAP', 'DrayTek (vulnerable to CVE-2023-47218)'],
                                  'ip_addresses': ['118.99.141.178']},
                   'name': 'Unknown Reverse Shell Actor 2',
                   'type': 'Opportunistic Threat Actor'},
                  {'indicators': {'commands': ['cat /etc/passwd', 'id', 'whoami'],
                                  'ip_addresses': ['18.228.3.224'],
                                  'services': ['Nuclei scanner', 'oast.fun OAST probes']},
                   'name': 'Automated Scanning Operators',
                   'type': 'Reconnaissance'},
                  {'indicators': {'ip_addresses': ['185.142.33.151', '90.156.218.31', '172.206.196.45']},
                   'name': 'Unknown Payload Hosting Group',
                   'type': 'Infrastructure Operator'}],
 'title': 'Widespread Exploitation of Critical XWiki Vulnerability (CVE-2025-24893)',
 'type': ['Vulnerability Exploitation',
          'Botnet Integration',
          'Cryptojacking',
          'Reverse Shell Attacks',
          'Automated Scanning'],
 'vulnerability_exploited': 'CVE-2025-24893 (Critical RCE in XWiki)'}