CVE-2025-24893
Published: 20 February 2025
Summary
CVE-2025-24893 is a critical-severity Eval Injection (CWE-95) vulnerability in XWiki (catalogued under vendor Xwiki, product Xwiki). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 0.1% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-10 (Information Input Validation).
Deeper analysis
XWiki Platform, a generic wiki platform, contains a remote code execution vulnerability in its SolrSearch component that permits unauthenticated guests to execute arbitrary code. The flaw stems from insufficient input sanitization in the handling of the "text" parameter for RSS media responses, allowing injection of Groovy scripts via the async macro; successful exploitation grants full control over the confidentiality, integrity, and availability of the XWiki instance.
An attacker can trigger the issue with a single unauthenticated HTTP GET request to a URL such as /xwiki/bin/get/Main/SolrSearch?media=rss&text= followed by a crafted payload containing nested async and Groovy macros. This executes server-side code without requiring authentication or user interaction, as demonstrated by the provided reproduction that prints calculated output in the RSS feed title.
The official XWiki security advisory and associated patches state that the vulnerability is fixed in versions 15.10.11, 16.4.1, and 16.5.0RC1; administrators unable to upgrade can apply a workaround by editing Main.SolrSearchMacros in SolrSearchMacros.xml at line 955 to invoke the rawResponse macro from macros.vm with an explicit application/xml content type.
The EPSS score stands at 0.9366 with a recorded peak of 0.9424, indicating sustained high exploitation probability since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-4562
Vulnerability details
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any guest can perform arbitrary remote code execution through a request to `SolrSearch`. This impacts the confidentiality, integrity and availability of the whole XWiki installation. To reproduce on an instance, without being logged in, go to `<host>/xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28"Hello%20from"%20%2B%20"%20search%20text%3A"%20%2B%20%2823%20%2B%2019%29%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D%20`. If there is an output, and the title of the RSS feed contains `Hello from search text:42`, then the instance is vulnerable. This vulnerability has been patched in XWiki 15.10.11, 16.4.1 and 16.5.0RC1. Users are advised to upgrade. Users unable to upgrade may edit `Main.SolrSearchMacros` in `SolrSearchMacros.xml` on line 955 to match the `rawResponse` macro in `macros.vm#L2824` with a content type of `application/xml`, instead of simply outputting the content of the feed.
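As an added example (not part of this advisory and not XWiki's own code), the following Python scans constructed web-server access-log lines for the request shape described above: an unauthenticated GET to `Main/SolrSearch` with `media=rss` whose decoded `text` parameter carries `async` or `groovy` macro syntax. The Common Log Format layout, the sample lines and the exact path matching are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (Common Log Format); not from a real server.
# The first line carries the SolrSearch RSS macro-injection shape, the others are benign.
SAMPLE_LOG = """\
203.0.113.5 - - [21/Feb/2025:10:01:12 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28%22x%22%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D HTTP/1.1" 200 812
198.51.100.7 - - [21/Feb/2025:10:02:30 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=meeting+notes HTTP/1.1" 200 2210
198.51.100.9 - - [21/Feb/2025:10:03:01 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 5120
"""

# Request line inside the quoted part of a CLF entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# XWiki macro syntax for the two macros the advisory names, {{async ...}} and
# {{groovy}}, including their closing forms {{/async}} and {{/groovy}}.
MACRO_RE = re.compile(r"\{\{\s*/?(async|groovy)\b", re.IGNORECASE)


def is_solrsearch_rss_injection(target: str) -> bool:
    """True when the request targets Main/SolrSearch with media=rss and the
    decoded text parameter contains async/groovy macro syntax."""
    parts = urlsplit(target)
    if not parts.path.endswith("/bin/get/Main/SolrSearch"):
        return False
    params = parse_qs(parts.query, keep_blank_values=True)  # values are URL-decoded here
    if "rss" not in [v.lower() for v in params.get("media", [])]:
        return False
    # A second unquote catches double-encoded payloads.
    return any(MACRO_RE.search(unquote(text)) for text in params.get("text", []))


def scan_log(log: str) -> list[str]:
    """Return the client IP of every GET line that matches the injection shape."""
    hits = []
    for line in log.splitlines():
        match = REQUEST_RE.search(line)
        if match and match.group("method") == "GET" and is_solrsearch_rss_injection(match.group("target")):
            hits.append(line.split(" ", 1)[0])
    return hits


if __name__ == "__main__":
    print(scan_log(SAMPLE_LOG))  # ['203.0.113.5']
```

A match is a strong signal of an exploitation attempt rather than proof of success; pair it with the version check against 15.10.11, 16.4.1 or 16.5.0RC1 and the workaround state of `SolrSearchMacros.xml`.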
- CWE(s): CWE-95 (Eval Injection)
- KEV Date Added: 30 October 2025
Related Threats
MITRE ATT&CK Enterprise Techniques
- Exploit Public-Facing Application (T1190)
Why these techniques?
The vulnerability is a remote unauthenticated RCE in the public-facing XWiki SolrSearch component via server-side template injection (Groovy), directly matching exploitation of public-facing applications.
Mitigating Controls (NIST 800-53 r5)
- Timely patching: directly mitigates this RCE vulnerability by requiring upgrade to the fixed XWiki versions 15.10.11, 16.4.1, or 16.5.0RC1.
- SI-10 (Information Input Validation): prevents SSTI exploitation by validating the user-supplied 'text' input in SolrSearch RSS requests to block malicious Groovy payloads.
- CM-6 (Configuration Settings): secures the SolrSearchMacros configuration to enforce the application/xml content type per the workaround, preventing direct feed output and code execution.