Botnet malware named RondoDox has been observed exploiting a serious security flaw in unpatched XWiki instances that could allow attackers to achieve arbitrary code execution.
The vulnerability in question is CVE-2025-24893 (CVSS score: 9.8), an eval injection bug that could allow any guest user to perform arbitrary remote code execution via a request to the “/bin/get/Main/SolrSearch” endpoint. It was patched by maintainers in XWiki 15.10.11, 16.4.1, and 16.5.0RC1 in late February 2025.
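Two defender-side checks that follow from the details above, as an added example that is not from the article, XWiki or VulnCheck: a version comparison against the fixed releases named in the article (with RC builds sorted below the final release) and a filter that pulls requests to the SolrSearch endpoint out of a web-server access log. The treatment of XWiki lines older than 15.x as unpatched and newer than 16.x as fixed, the log format and the sample log lines are assumptions.

```python
# Added example (not from the article or from XWiki/VulnCheck). Only the fixed
# versions and the endpoint path come from the article; the rest is assumed.
import re
from typing import List, Tuple

# Lowest fixed release per major line named in the article (16.5.0RC1 sorts above
# 16.4.1). Lines older than 15.x are assumed unpatched, newer than 16.x fixed.
FIXED_BY_MAJOR = {15: "15.10.11", 16: "16.4.1"}
SOLR_SEARCH_PATH = "/bin/get/Main/SolrSearch"

def parse_version(text: str) -> Tuple[int, int, int, Tuple[int, int]]:
    """Turn '16.5.0RC1' into a sortable tuple; a final release sorts after its RCs."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:RC(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised XWiki version: {text!r}")
    major, minor, patch, rc = m.groups()
    pre = (0, int(rc)) if rc else (1, 0)   # RCn sorts before the final release
    return (int(major), int(minor), int(patch), pre)

def is_patched(version: str) -> bool:
    """True if the XWiki version is at or above the fix for its major line."""
    v = parse_version(version)
    if v[0] < 15:
        return False
    if v[0] > 16:
        return True
    return v >= parse_version(FIXED_BY_MAJOR[v[0]])

def solr_search_hits(access_log: List[str]) -> List[Tuple[str, str]]:
    """Return (client_ip, query_string) for each request to the SolrSearch endpoint."""
    hits = []
    for line in access_log:
        m = re.match(r'(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+)', line)
        if m and m.group(2).split("?", 1)[0] == SOLR_SEARCH_PATH:
            hits.append((m.group(1), m.group(2).partition("?")[2]))
    return hits

# Constructed sample log lines (Combined Log Format), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [07/Nov/2025:10:01:02 +0000] "GET /bin/get/Main/SolrSearch?media=rss&text=probe HTTP/1.1" 200 512',
    '198.51.100.3 - - [07/Nov/2025:10:01:05 +0000] "GET /bin/view/Main/WebHome HTTP/1.1" 200 8192',
    '203.0.113.7 - - [07/Nov/2025:10:01:09 +0000] "POST /bin/get/Main/SolrSearch HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for ver in ("15.10.10", "15.10.11", "16.4.0", "16.4.1", "16.5.0RC1", "16.5.0"):
        print(ver, "patched" if is_patched(ver) else "VULNERABLE")
    for ip, query in solr_search_hits(SAMPLE_LOG):
        print("SolrSearch request from", ip, "query:", query or "(none)")
```

Any hit on the endpoint from an unauthenticated client on an unpatched version is worth investigating, since the article notes that guest access is enough to reach the bug.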
Although there was evidence that the flaw had been exploited in the wild since at least March, it was not until late October that VulnCheck revealed that it had seen new attempts to weaponize the flaw as part of a two-stage attack chain to deploy cryptocurrency miners.
Subsequently, the US Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply the necessary mitigations by November 20.
In a report published on Friday, VulnCheck revealed that it has since seen an increase in exploit attempts, reaching a new high on November 7, followed by another surge on November 11. This points to widespread scanning activity, likely driven by multiple threat actors.
This includes RondoDox, a botnet that is rapidly adding new exploit vectors to enlist susceptible devices and use them for distributed denial-of-service (DDoS) attacks over HTTP, UDP, and TCP. According to the cybersecurity company, the first RondoDox exploit attempt was spotted on November 3, 2025.
Other attacks have been seen exploiting the flaw to distribute cryptocurrency miners, to attempt to establish a reverse shell, and for general reconnaissance using the Nuclei template for CVE-2025-24893.
The findings once again demonstrate the need to adopt robust patch management practices to ensure optimal security.
“CVE-2025-24893 is a familiar story: One attacker moves first, and many follow,” said VulnCheck’s Jacob Baines. “Within days of the initial exploit, we saw botnets, miners, and opportunistic scanners adopting the same vulnerability.”