CVE-2025-24893

Tags: Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · RCE

Published: 20 February 2025
Modified: 31 October 2025
KEV Added: 30 October 2025
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9366 (99.9th percentile)
Risk Priority: 96 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-24893 is a critical-severity Eval Injection (CWE-95) vulnerability in XWiki Platform (vendor Xwiki, product Xwiki). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 0.1% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-10 (Information Input Validation).

Deeper analysis

XWiki Platform, a generic wiki platform, contains a remote code execution vulnerability in its SolrSearch component that permits unauthenticated guests to execute arbitrary code. The flaw stems from insufficient input sanitization in the handling of the "text" parameter for RSS media responses, allowing injection of Groovy scripts via the async macro; successful exploitation grants full control over the confidentiality, integrity, and availability of the XWiki instance.

An attacker can trigger the issue with a single unauthenticated HTTP GET request to a URL such as /xwiki/bin/get/Main/SolrSearch?media=rss&text= followed by a crafted payload containing nested async and Groovy macros. This executes server-side code without requiring authentication or user interaction, as demonstrated by the provided reproduction that prints calculated output in the RSS feed title.

The official XWiki security advisory and associated patches state that the vulnerability is fixed in versions 15.10.11, 16.4.1, and 16.5.0RC1; administrators unable to upgrade can apply a workaround by editing Main.SolrSearchMacros in SolrSearchMacros.xml at line 955 to invoke the rawResponse macro from macros.vm with an explicit application/xml content type.

The EPSS score stands at 0.9366 with a recorded peak of 0.9424, indicating sustained high exploitation probability since disclosure.

Vulnerability details

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any guest can perform arbitrary remote code execution through a request to `SolrSearch`. This impacts the confidentiality, integrity and availability of the whole XWiki installation. To reproduce on an instance, without being logged in, go to `<host>/xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28"Hello%20from"%20%2B%20"%20search%20text%3A"%20%2B%20%2823%20%2B%2019%29%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D%20`. If there is an output, and the title of the RSS feed contains `Hello from search text:42`, then the instance is vulnerable. This vulnerability has been patched in XWiki 15.10.11, 16.4.1 and 16.5.0RC1. Users are advised to upgrade. Users unable to upgrade may edit `Main.SolrSearchMacros` in `SolrSearchMacros.xml` on line 955 to match the `rawResponse` macro in `macros.vm#L2824` with a content type of `application/xml`, instead of simply outputting the content of the feed.
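As an added detection example (not part of the advisory or of this record), the following Python flags web-server access-log requests that match the request shape described above: the SolrSearch page fetched with `media=rss` and XWiki macro syntax in the `text` parameter. The log lines, client addresses and timestamps are constructed; the second sample line reuses the advisory's reproduction string as it would appear percent-encoded in a log.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Request shape from the advisory: the SolrSearch page fetched with media=rss
# and XWiki macro syntax ({{name}} ... {{/name}}) injected into "text".
SOLR_PATH = "/xwiki/bin/get/Main/SolrSearch"
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
MACRO_RE = re.compile(r"\{\{\s*/?\s*([A-Za-z]+)")
# The advisory's payload nests the async and groovy macros; any other macro
# syntax inside a search string is still worth a look, at lower confidence.
HIGH_CONFIDENCE = {"async", "groovy"}


def inspect_request(target: str):
    """Return a finding for a SolrSearch RSS request whose 'text' parameter
    carries macro syntax, or None when the request does not match."""
    parts = urlsplit(target)
    if parts.path.lower() != SOLR_PATH.lower():
        return None
    query = parse_qs(parts.query, keep_blank_values=True)
    if query.get("media", [""])[0].lower() != "rss":
        return None
    # parse_qs decodes once; decode again in case a proxy double-encoded it.
    text = unquote(query.get("text", [""])[0])
    macros = sorted({m.lower() for m in MACRO_RE.findall(text)})
    if not macros:
        return None
    severity = "high" if HIGH_CONFIDENCE & set(macros) else "medium"
    return {"severity": severity, "macros": macros, "text": text}


def scan_access_log(lines):
    """Return (line_number, finding) pairs for matching access-log lines."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if match:
            finding = inspect_request(match.group("target"))
            if finding:
                hits.append((number, finding))
    return hits


# Constructed sample lines (not real traffic). The second carries the
# advisory's reproduction string, percent-encoded as a log would show it.
SAMPLE_LOG = [
    '203.0.113.7 - - [30/Oct/2025:10:01:12 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=incident%20response HTTP/1.1" 200 2310',
    '203.0.113.9 - - [30/Oct/2025:10:02:45 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28%22Hello%20from%22%20%2B%20%22%20search%20text%3A%22%20%2B%20%2823%20%2B%2019%29%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D%20 HTTP/1.1" 200 1877',
    '203.0.113.11 - - [30/Oct/2025:10:03:01 +0000] "GET /xwiki/bin/view/Main/ HTTP/1.1" 200 9120',
]
```

Running `scan_access_log(SAMPLE_LOG)` reports only the second line, at high severity with the `async` and `groovy` macros; a search string containing some other macro is reported at medium severity for analyst review.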

CWE(s): CWE-95 (Eval Injection)
KEV Date Added: 30 October 2025

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assisted mapping)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is a remote unauthenticated RCE in the public-facing XWiki SolrSearch component via server-side template injection (Groovy), directly matching exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

- CVE-2025-29924 (same product: Xwiki Xwiki)
- CVE-2025-29926 (same product: Xwiki Xwiki)
- CVE-2025-54385 (same product: Xwiki Xwiki)
- CVE-2025-32429 (same product: Xwiki Xwiki)
- CVE-2025-53836 (same product: Xwiki Xwiki)
- CVE-2025-55747 (same product: Xwiki Xwiki)
- CVE-2025-51991 (same product: Xwiki Xwiki)
- CVE-2026-33229 (same product: Xwiki Xwiki)
- CVE-2025-53835 (same product: Xwiki Xwiki)
- CVE-2025-55727 (same vendor: Xwiki)

Affected Assets

Vendor: xwiki
Product: xwiki
Affected versions: 5.3; 5.4 to 15.10.11; 16.0.0 to 16.4.1

Mitigating Controls (NIST 800-53 r5, AI-assisted mapping)

- Prevent: Directly mitigates this RCE vulnerability by requiring timely patching to fixed XWiki versions 15.10.11, 16.4.1, or 16.5.0RC1.
- Prevent (SI-10, Information Input Validation): Prevents SSTI exploitation by validating user-supplied 'text' input in SolrSearch RSS requests to block malicious Groovy payloads.
- Prevent (CM-6, Configuration Settings): Secures the SolrSearchMacros configuration to enforce the application/xml content type per the workaround, preventing direct feed output and code execution.
