A critical remote code execution vulnerability in XWiki, a popular open-source wiki platform, tracked as CVE-2025-24893, is being exploited in the wild by attackers deploying cryptocurrency mining malware. The flaw is a template injection reachable through the SolrSearch endpoint: an unauthenticated (guest) request can inject wiki macro syntax that the server renders, so arbitrary Groovy code runs on the host with no credentials at all. The case illustrates how a flaw can be actively exploited well before it is widely recognised as such, leaving unpatched instances exposed.
The exploitation unfolds in two phases, which helps it blend into normal traffic. The initial request injects an asynchronous Groovy payload (a {{groovy}} macro wrapped in the {{async}} macro) into the SolrSearch endpoint; that payload uses wget to fetch a script from a command-and-control server. Roughly 20 minutes later, a second request executes the downloaded script, which in turn orchestrates the delivery and launch of the miner. The operation pays out to a Monero wallet. Despite the staging, VulnCheck, the vulnerability intelligence firm that detected the activity, characterises it as a persistent but low-sophistication threat.
Organizations running XWiki should upgrade immediately to a fixed release (15.10.11, 16.4.1 or 16.5.0RC1 and later, per the XWiki advisory for this CVE), review access logs for SolrSearch requests whose search text contains macro syntax, monitor for outbound wget downloads originating from the XWiki host, and scan for the indicators of compromise (IOCs) published for this campaign. VulnCheck's threat intelligence provides the IOCs and context needed to act on this and similar emerging threats.
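The log review suggested above, and the two-phase request pattern described earlier, can be turned into a simple detector. The following is an added example written for this page, not code from VulnCheck or the XWiki project. It parses Apache/nginx combined-format access lines (the four sample lines are constructed, with RFC 5737 documentation addresses, not real traffic), fully percent-decodes the `text` parameter of requests to the SolrSearch endpoint, flags any that contain macro markers a legitimate search never carries (`}}}`, `{{async`, `{{groovy`), and then groups hits by source address to surface sources that returned after a delay, as in the two-stage chain above. The marker list, the five-minute threshold and the log format are assumptions that should be adjusted to the deployment.

```python
import re
from datetime import datetime
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines (combined log format, RFC 5737 addresses); not real traffic.
# Line 1 and 3 carry a benign println() in the macro shape the page describes;
# line 2 is a normal search that merely contains the word "groovy".
SAMPLE_LOG = """\
203.0.113.10 - - [30/Oct/2025:14:02:11 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln(%22probe%22)%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D HTTP/1.1" 200 512 "-" "curl/8.5.0"
198.51.100.7 - - [30/Oct/2025:14:05:40 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=groovy+tutorial HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.10 - - [30/Oct/2025:14:22:35 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln(%22stage2%22)%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D HTTP/1.1" 200 512 "-" "curl/8.5.0"
192.0.2.33 - - [30/Oct/2025:14:30:00 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Assumed markers: the "}}}" that breaks out of the macro parameter, and the
# {{async}} / {{groovy}} macros. None of these belong in a real search string.
MACRO_MARKERS = ("}}}", "{{async", "{{groovy", "{{/groovy")


def decode_text_param(target):
    """Return the fully decoded 'text' query parameter of a SolrSearch request, or None."""
    parts = urlsplit(target)
    if not parts.path.endswith("/SolrSearch"):
        return None
    text = parse_qs(parts.query).get("text", [None])[0]
    if text is None:
        return None
    # Keep decoding until stable so double percent-encoding does not hide the markers.
    prev = None
    while prev != text:
        prev, text = text, unquote(text)
    return text


def is_solrsearch_injection(target):
    """True if the request target is a SolrSearch query whose text carries macro syntax."""
    text = decode_text_param(target)
    return bool(text) and any(marker in text for marker in MACRO_MARKERS)


def find_injection_attempts(log_text):
    """Parse combined-format lines and return the suspicious SolrSearch requests."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_solrsearch_injection(m["target"]):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hits.append({"ip": m["ip"], "ts": ts, "status": int(m["status"]), "ua": m["ua"]})
    return hits


def staged_sources(hits, min_gap_minutes=5):
    """Map source IP -> minutes between first and last attempt, for sources that
    came back after at least min_gap_minutes (the two-phase pattern)."""
    by_ip = {}
    for h in hits:
        by_ip.setdefault(h["ip"], []).append(h["ts"])
    staged = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        gap = (stamps[-1] - stamps[0]).total_seconds() / 60
        if len(stamps) >= 2 and gap >= min_gap_minutes:
            staged[ip] = round(gap, 1)
    return staged


if __name__ == "__main__":
    found = find_injection_attempts(SAMPLE_LOG)
    for h in found:
        print(f"{h['ts'].isoformat()} {h['ip']} status={h['status']} ua={h['ua']}")
    print("staged sources:", staged_sources(found))
```

Run it against a real access log by replacing `SAMPLE_LOG` with the file contents. Matching on macro syntax rather than on the word "groovy" is what keeps the benign second line out of the results, and a 200 response to a flagged request is a strong signal that the instance is unpatched and the injected code ran.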
👉 Read the original: Cyber Security News