CVE-2025-24893 is an eval injection flaw (CWE-95) in the SolrSearch component of XWiki Platform that lets an unauthenticated guest user execute arbitrary code on the server: search text supplied in a request is evaluated as code rather than treated as data, so a single crafted request yields command execution with the privileges of the XWiki web server process. From there an attacker can exfiltrate wiki content and credentials, deploy malware, establish persistence and move laterally. Organizations running XWiki for internal collaboration or as a public-facing wiki are at acute risk because the vulnerable endpoint is reachable from the anonymous guest role that most wikis expose. CISA added the CVE to its Known Exploited Vulnerabilities (KEV) catalog with a November 20, 2025 remediation due date; under BOD 22-01, federal civilian executive branch agencies must apply the vendor fix by that date or discontinue use of the product if patching is infeasible, and CISA urges all other operators to do the same. The fix ships in XWiki 15.10.11, 16.4.1 and 16.5.0RC1. The CVSS 9.8 (Critical) score reflects network reachability, low attack complexity and the absence of any privilege or user-interaction requirement. KEV inclusion means CISA has evidence of exploitation in the wild; no ransomware campaign tied to this CVE has been confirmed, but the ease of exploitation makes broad, opportunistic weaponization likely. Failure to remediate risks full system takeover, sensitive data exposure and operational disruption.
Source: https://cyberpress.org/cisa-warns-of-xwiki-injection-flaw/
TPRM report: https://www.rankiteo.com/company/xwiki
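Added example (not from the cyberpress article, the rankiteo record or the XWiki project): a small Python log triage that flags requests to the XWiki search sheet whose `text` parameter carries a wiki scripting macro. The `/Main/SolrSearch` path and the marker strings (`{{groovy}}`, `{{async}}` and the `}}}` break out of a verbatim block) come from the public XWiki advisory for this CVE rather than from this page; the access-log lines are constructed, and the macro list and the any-action path filter are deliberately broad assumptions, so treat a hit as an attempt to investigate, not as proof that the payload executed.

```python
"""Flag XWiki SolrSearch requests whose search text carries wiki scripting macros.

Heuristic access-log triage for CVE-2025-24893 (added example, not XWiki project code).
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in combined log format; no real traffic. Line 1 carries a
# Groovy macro inside an async block, line 2 the same idea double URL-encoded,
# lines 3 and 4 are ordinary wiki traffic that must not be flagged.
SAMPLE_LOG = r'''
203.0.113.7 - - [30/Oct/2025:10:14:02 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28%22x%22%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D HTTP/1.1" 200 512 "-" "curl/8.4.0"
198.51.100.22 - - [30/Oct/2025:10:15:41 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=%257D%257D%257D%257B%257Bgroovy%257D%257Dprintln%28%22y%22%29 HTTP/1.1" 200 498 "-" "python-requests/2.32"
192.0.2.5 - - [30/Oct/2025:10:16:00 +0000] "GET /xwiki/bin/view/Main/SolrSearch?text=quarterly+report HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
192.0.2.9 - - [30/Oct/2025:10:17:13 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 20311 "-" "Mozilla/5.0"
'''

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3})'
)
# Scripting macros of XWiki syntax; none of them belongs in a search string.
# Assumption: the list is deliberately broad and may need tuning per installation.
MACRO_RE = re.compile(r"\{\{/?(groovy|python|velocity|script|async)\b", re.IGNORECASE)
# Path of the search sheet. The public advisory's request uses the "get" action with
# media=rss; matching the sheet under any action is an assumption made to err on the safe side.
SEARCH_PATH_RE = re.compile(r"/Main/SolrSearch$")


def decode_repeatedly(value, rounds=3):
    """URL-decode until the string stops changing, so double encoding does not hide a payload."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_line(line):
    """Split one combined-format access-log line into its fields, or return None."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def inspect_request(target):
    """Return the sorted macro names found in the request's search text ([] if benign)."""
    parts = urlsplit(target)
    if not SEARCH_PATH_RE.search(parts.path):
        return []
    found = set()
    for value in parse_qs(parts.query).get("text", []):
        for hit in MACRO_RE.finditer(decode_repeatedly(value)):
            found.add(hit.group(1).lower())
    return sorted(found)


def scan_log(text):
    """Return one finding per request that injects a scripting macro into SolrSearch."""
    findings = []
    for raw in text.splitlines():
        rec = parse_line(raw.strip())
        if rec is None:
            continue
        macros = inspect_request(rec["target"])
        if macros:
            findings.append({
                "ip": rec["ip"],
                "time": rec["ts"],
                "status": int(rec["status"]),
                "macros": macros,
                "target": rec["target"],
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} status={f['status']} macros={','.join(f['macros'])}")
```

Run it over real logs with `scan_log(open(path).read())`. A 200 response does not by itself show whether the macro ran, so every hit should trigger a host-level investigation, and an instance that received such a request before the fixed release was installed should be treated as potentially compromised.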
"id": "xwi2092520103125",
"linkid": "xwiki",
"type": "Vulnerability",
"date": "10/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"
{'affected_entities': [{'type': ['Organizations using XWiki Platform']}],
'attack_vector': 'Network',
'customer_advisories': ['Organizations using XWiki Platform urged to patch '
'immediately or discontinue use'],
'data_breach': {'data_exfiltration': ['Potential risk if exploited']},
'description': 'The Cybersecurity and Infrastructure Security Agency (CISA) '
'has formally added CVE-2025-24893 to its Known Exploited '
'Vulnerabilities catalog, drawing urgent attention to a '
'critical eval injection flaw affecting XWiki Platform. This '
'vulnerability permits any guest user to execute arbitrary '
'remote code without requiring authentication, posing an acute '
'security risk to organizations deploying this widely used '
'open-source wiki platform across their infrastructure.\n'
'\n'
'The vulnerability stems from the SolrSearch component of '
'XWiki Platform evaluating attacker-controlled search text as '
'code rather than treating it as data, classified under CWE-95 '
'(improper neutralization of directives in dynamically '
'evaluated code). An unauthenticated attacker can send a '
'single crafted request whose search parameter carries a '
'scripting macro, which the server renders and executes, '
'giving complete command execution on the affected system '
'with no account, privilege or user interaction required.\n'
'\n'
'Once code execution is achieved, threat actors inherit the '
'same privileges as the XWiki web server process, enabling them '
'to exfiltrate sensitive organizational data, deploy malware '
'payloads, or establish persistent footholds for lateral '
'movement. CISA has set November 20, 2025, as the remediation '
'due date, binding on federal civilian agencies under BOD 22-01 '
'and a recommended target for every organization operating '
'affected XWiki Platform instances.',
'impact': {'brand_reputation_impact': ['High risk due to potential data '
'breaches and system compromise'],
'operational_impact': ['Potential exfiltration of sensitive '
'organizational data',
'Deployment of malware payloads',
'Persistent network footholds for lateral '
'movement',
'Complete compromise of system integrity '
'and data confidentiality'],
'systems_affected': ['XWiki Platform deployments (development, '
'testing, production environments)']},
'initial_access_broker': {'backdoors_established': ['Potential if exploited'],
'entry_point': ['XWiki Platform SolrSearch '
'component via eval injection'],
'high_value_targets': ['Organizational data, web '
'server process privileges']},
'investigation_status': 'Ongoing (CISA KEV listing, which requires reliable '
'evidence of active exploitation; scope and attribution '
'of in-the-wild activity not yet documented)',
'lessons_learned': ['Critical vulnerabilities in open-source platforms with '
'guest access can be weaponized by threat actors with low '
'complexity.',
'Immediate patching or discontinuation of vulnerable '
'software is essential when exploitation risk is high.',
'Network segmentation and inventory management are '
'critical defensive measures during vulnerability '
'windows.'],
'post_incident_analysis': {'corrective_actions': ['Apply security patches',
'Discontinue use if '
'patching is not feasible',
'Implement network '
'segmentation',
'Enhance monitoring for '
'suspicious activity'],
'root_causes': ['Improper neutralization of '
'directives in dynamically '
'evaluated code (CWE-95)',
'Improper handling of eval '
'functions in SolrSearch component',
'Search text reachable by the '
'unauthenticated guest role is '
'evaluated as code instead of '
'being treated as data']},
'recommendations': ['Inventory all XWiki Platform deployments across '
'development, testing, and production environments.',
'Immediately upgrade to a fixed release (XWiki 15.10.11, '
'16.4.1, or 16.5.0RC1 and later); where an upgrade cannot be '
'scheduled at once, apply the vendor-documented workaround '
'(editing the Main.SolrSearchMacros page) as a stopgap, or '
'discontinue use if neither is feasible.',
'Implement network segmentation to limit lateral movement '
'in case of exploitation.',
'Monitor CISA advisories for newly disclosed '
'vulnerabilities to proactively mitigate risks.',
'Establish patch testing procedures before '
'enterprise-wide rollout to avoid operational '
'disruptions.',
'Contact XWiki support for patch availability and '
'guidance.'],
'references': [{'source': 'CISA Known Exploited Vulnerabilities Catalog'},
{'source': 'CISA Binding Operational Directive (BOD) 22-01'}],
'regulatory_compliance': {'regulatory_notifications': ['CISA Binding '
'Operational Directive '
'(BOD) 22-01: federal '
'civilian executive branch '
'agencies must remediate '
'KEV-listed vulnerabilities '
'by the catalog due date']},
'response': {'containment_measures': ['Discontinue XWiki Platform usage if '
'patching is not feasible',
'Network segmentation to restrict '
'lateral movement'],
'network_segmentation': 'Recommended to restrict lateral '
'movement',
'remediation_measures': ['Immediate implementation of '
'vendor-supplied security patches',
'Inventory all XWiki Platform '
'deployments (development, testing, '
'production)',
'Establish patch testing procedures '
'before enterprise-wide rollout'],
'third_party_assistance': ['XWiki support for patch availability '
'information']},
'stakeholder_advisories': ['CISA KEV due date November 20, 2025 (binding on '
'federal civilian agencies under BOD 22-01; recommended '
'for all other operators)'],
'title': 'Critical Eval Injection Vulnerability in XWiki Platform '
'(CVE-2025-24893)',
'type': ['Vulnerability Exploitation',
'Remote Code Execution (RCE)',
'Eval Injection'],
'vulnerability_exploited': {'affected_component': 'SolrSearch',
'affected_product': 'XWiki Platform',
'attack_complexity': 'Low',
'authentication_required': 'None',
'cve_id': 'CVE-2025-24893',
'cvss_score': 9.8,
'cvss_severity': 'Critical',
'vulnerability_type': 'Eval Injection (CWE-95)'}}
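Added example illustrating the inventory and patch-triage recommendations in the record above (written for this page, not XWiki's own tooling): a Python routine that compares each recorded XWiki version against the fixed releases named in the vendor advisory, 15.10.11, 16.4.1 and 16.5.0RC1, and orders the hosts so that vulnerable, public-facing production instances come first. The inventory is a constructed sample, the version-string grammar is an assumption covering the forms XWiki uses (`15.10.8`, `16.5.0RC1`, `16.0.0-rc-1`), and the check is by version only; it says nothing about whether the vendor workaround has been applied to an instance.

```python
"""Version triage of an XWiki inventory for CVE-2025-24893.

Added example for this page; not XWiki's own tooling.
"""
import re

# Fixed releases named in the vendor advisory for this CVE: the 15.10.x branch from
# 15.10.11, the 16.4.x branch from 16.4.1, and everything from 16.5.0RC1 onwards.
# Assumption: the grammar below covers the version-string forms XWiki publishes.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:[-.]?([A-Za-z].*))?$")

# Constructed sample inventory, not a real asset list.
INVENTORY = [
    {"host": "wiki.corp.example", "env": "production", "version": "15.10.8"},
    {"host": "wiki-staging.corp.example", "env": "testing", "version": "16.4.1"},
    {"host": "docs.example.org", "env": "production", "version": "16.3.0", "public": True},
    {"host": "dev-wiki.corp.example", "env": "development", "version": "16.5.0RC1"},
    {"host": "legacy-wiki.corp.example", "env": "production", "version": "14.10.21"},
]


def parse_version(version):
    """Return (major, minor, patch, qualifier); qualifier is '' for final releases."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised XWiki version string: {version!r}")
    major, minor, patch, qualifier = m.groups()
    return int(major), int(minor), int(patch or 0), (qualifier or "").lower()


def is_vulnerable(version):
    """True when the version predates the fix on its branch."""
    major, minor, patch, _ = parse_version(version)
    if major < 15:
        return True                       # older lines never received the fix
    if major == 15:
        return (minor, patch) < (10, 11)  # fixed in 15.10.11
    if major == 16:
        if minor < 4:
            return True                   # 16.0.0-rc-1 .. 16.3.x are affected
        if minor == 4:
            return patch < 1              # fixed in 16.4.1
        return False                      # 16.5.0RC1 and later ship the fix
    return False                          # 17.x and newer


def recommended_fix(version):
    """Smallest fixed release on the nearest branch, or None if already fixed."""
    if not is_vulnerable(version):
        return None
    major = parse_version(version)[0]
    return "15.10.11" if major <= 15 else "16.4.1"


def triage(inventory):
    """Annotate every host and sort: vulnerable first, then public-facing, then production."""
    rows = []
    for item in inventory:
        vulnerable = is_vulnerable(item["version"])
        rows.append({
            **item,
            "vulnerable": vulnerable,
            "upgrade_to": recommended_fix(item["version"]),
            "action": ("upgrade now, or take offline until upgraded" if vulnerable
                       else "not affected by CVE-2025-24893"),
        })
    rows.sort(key=lambda r: (not r["vulnerable"],
                             not r.get("public", False),
                             r["env"] != "production"))
    return rows


if __name__ == "__main__":
    for r in triage(INVENTORY):
        state = "VULNERABLE" if r["vulnerable"] else "ok"
        print(f"{r['host']:28} {r['version']:10} {r['env']:12} {state:10} {r['action']}")
```

Feed `triage()` whatever your asset inventory exports (host, environment, version, whether it is internet-facing); the sort order is the patch order, and any row whose `upgrade_to` is set on an internet-facing host is the one to handle first, by upgrade or by taking it offline, as the CISA guidance requires.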