🚨 CRITICALintel

CVE-2025-24893 - RondoDox Botnet Targets Unpatched XWiki Servers

Category: Threat Alerts
CVE-2025-24893 affects XWiki versions prior to 15.10.11, 16.4.1, and 16.5.0RC1 and enables remote code execution through an eval injection bug reached via the unauthenticated “/bin/get/Main/SolrSearch” endpoint. RondoDox operators now automate exploitation at scale; the activity maps to T1190 (Exploit Public-Facing Application) and T1498 (Network Denial of Service). VulnCheck reported significant exploitation spikes on November 7 and 11, with botnets, miners, and opportunistic scanners weaponizing the flaw simultaneously. Because no authentication is required, the flaw lends itself to mass scanning, and attackers can rapidly enroll compromised servers into DDoS infrastructure. CISA added CVE-2025-24893 to its Known Exploited Vulnerabilities (KEV) catalog, mandating government patching by November 20. Organizations running XWiki risk service outages, data exposure, and forced enrollment into botnets unless they patch immediately.

🎯 CORTEX Protocol Intelligence Assessment

Business Impact: Unpatched XWiki deployments face severe service disruption and reputational damage if absorbed into RondoDox botnet operations. Regulatory exposure increases when compromised instances allow data exfiltration or service outages.

Technical Context: Attackers exploit the unauthenticated SolrSearch endpoint to inject arbitrary code remotely. Once executed, the malware deploys DDoS modules that leverage compromised servers for large-scale attacks.

Strategic Intelligence Guidance

  • Patch XWiki to versions 15.10.11, 16.4.1, or 16.5.0RC1 immediately.
  • Implement WAF rules blocking suspicious SolrSearch requests.
  • Isolate XWiki servers from sensitive internal assets.
  • Monitor for unusual outbound traffic and DDoS modules.
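An added detection example for the monitoring guidance above (it is not part of this alert or of any VulnCheck or CISA material): it reads combined-format web access logs, flags requests to the SolrSearch endpoint whose query carries XWiki macro delimiters, and counts per-source hits so mass scanners stand out. The marker set, the probe threshold and the sample log lines are constructed assumptions.

```python
"""Flag scanning and eval-injection attempts against the XWiki SolrSearch
endpoint in Apache/Nginx combined-format access logs (constructed sample)."""
import re
from collections import Counter
from urllib.parse import unquote, unquote_plus, urlsplit

SOLR_PATH = "/bin/get/Main/SolrSearch"      # endpoint named in the alert
# Assumption: a search string typed by a user never contains XWiki macro
# delimiters, so braces in this endpoint's query indicate an injection attempt.
MACRO_MARKERS = ("{{", "}}")
PROBE_THRESHOLD = 5                         # assumed per-source hit count

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) '
                    r'(?P<target>\S+)[^"]*" (?P<status>\d{3}) ')

def classify(target):
    """Return 'injection', 'probe' or None for one request target."""
    parts = urlsplit(target)
    if not unquote(parts.path).endswith(SOLR_PATH):
        return None
    decoded = unquote_plus(parts.query)     # %7B%7B -> {{
    return "injection" if any(m in decoded for m in MACRO_MARKERS) else "probe"

def scan_log(lines, threshold=PROBE_THRESHOLD):
    """Return alert tuples: (source_ip, kind, detail)."""
    alerts, probes = [], Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                        # not a combined-format line
        kind = classify(m["target"])
        if kind == "injection":
            alerts.append((m["ip"], "injection", m["status"]))
        elif kind == "probe":
            probes[m["ip"]] += 1
    alerts += [(ip, "mass-probe", n) for ip, n in probes.items() if n >= threshold]
    return alerts

# Constructed sample: a normal search, an encoded macro in the query
# ({{CONSTRUCTED_MACRO}}), one source hammering the endpoint, one unrelated hit.
SAMPLE_LOG = [
    '203.0.113.7 - - [07/Nov/2025:10:00:01 +0000] "GET /bin/get/Main/SolrSearch?text=release+notes HTTP/1.1" 200 5120',
    '198.51.100.9 - - [07/Nov/2025:10:00:02 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=%7B%7BCONSTRUCTED_MACRO%7D%7D HTTP/1.1" 200 812',
    '203.0.113.7 - - [07/Nov/2025:10:00:03 +0000] "GET /bin/view/Main/ HTTP/1.1" 200 2048',
] + [f'192.0.2.44 - - [07/Nov/2025:10:00:0{i} +0000] "GET /bin/get/Main/SolrSearch?text=x{i} HTTP/1.1" 200 512'
     for i in range(4, 9)]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

A 200 on an "injection" hit does not prove execution, but it marks a server that should be checked for the fixed versions listed above and for new outbound connections.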

CVEs

CVE-2025-24893

Vendors

XWiki

Threats

RondoDox botnet

Targets

Public-facing XWiki servers