CVE-2025-24893

Description

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any guest can perform arbitrary remote code execution through a request to `SolrSearch`. This impacts the confidentiality, integrity and availability of the whole XWiki installation. To reproduce on an instance, without being logged in, go to `<host>/xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28"Hello%20from"%20%2B%20"%20search%20text%3A"%20%2B%20%2823%20%2B%2019%29%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D%20`. If there is an output, and the title of the RSS feed contains `Hello from search text:42`, then the instance is vulnerable. This vulnerability has been patched in XWiki 15.10.11, 16.4.1 and 16.5.0RC1. Users are advised to upgrade. Users unable to upgrade may edit `Main.SolrSearchMacros` in `SolrSearchMacros.xml` on line 955 to match the `rawResponse` macro in `macros.vm#L2824` with a content type of `application/xml`, instead of simply outputting the content of the feed.

Comprehensive Technical Analysis of CVE-2025-24893

1. Vulnerability Assessment and Severity Evaluation

CVE ID: CVE-2025-24893

Description: The XWiki Platform, a generic wiki platform offering runtime services for applications, is vulnerable to arbitrary remote code execution (RCE) through a specially crafted request to the SolrSearch endpoint. This vulnerability allows any guest user to execute arbitrary code, compromising the confidentiality, integrity, and availability of the entire XWiki installation.

CVSS Score: 9.8

Severity Evaluation: A CVSS score of 9.8 indicates a critical vulnerability. The high score is due to the ease of exploitation, the lack of authentication requirements, and the severe impact on the system's confidentiality, integrity, and availability.

2. Potential Attack Vectors and Exploitation Methods

Attack Vectors:

Unauthenticated Access: The vulnerability can be exploited without any authentication, making it highly accessible to attackers.
Remote Code Execution (RCE): The primary attack vector involves sending a malicious request to the SolrSearch endpoint, which allows the execution of arbitrary code.

Exploitation Methods:

Crafted URL: An attacker can send a specially crafted URL to the SolrSearch endpoint, which includes a payload that executes arbitrary code. For example:

<host>/xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28"Hello%20from"%20%2B%20"%20search%20text%3A"%20%2B%20%2823%20%2B%2019%29%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D%20

Payload Execution: The payload can include Groovy script code, which is executed on the server, allowing the attacker to perform various malicious actions such as data exfiltration, system compromise, or further exploitation.

3. Affected Systems and Software Versions

Affected Versions:

XWiki versions prior to 15.10.11, 16.4.1, and 16.5.0RC1.

Systems:

Any system running the affected versions of XWiki Platform.

4. Recommended Mitigation Strategies

Immediate Mitigation:

Upgrade: Users are strongly advised to upgrade to the patched versions: XWiki 15.10.11, 16.4.1, or 16.5.0RC1.
Temporary Workaround: For users unable to upgrade immediately, edit Main.SolrSearchMacros in SolrSearchMacros.xml on line 955 to match the rawResponse macro in macros.vm#L2824 with a content type of application/xml, instead of simply outputting the content of the feed.

Long-Term Mitigation:

Regular Patching: Implement a regular patching and update schedule for all software components.
Access Controls: Enforce strict access controls and authentication mechanisms to limit unauthorized access.
Monitoring and Logging: Implement robust monitoring and logging to detect and respond to suspicious activities promptly.

5. Impact on Cybersecurity Landscape

Immediate Impact:

Widespread Exploitation: Given the ease of exploitation and the critical nature of the vulnerability, there is a high risk of widespread exploitation.
Data Breaches: Organizations using the affected versions of XWiki Platform are at risk of data breaches, unauthorized access, and system compromise.

Long-Term Impact:

Increased Awareness: This vulnerability highlights the importance of regular patching and the need for robust security measures in open-source software.
Enhanced Security Practices: The incident may lead to enhanced security practices and more stringent code reviews in the development community.

6. Technical Details for Security Professionals

Exploit Reproduction: To reproduce the vulnerability, perform the following steps:

Access the XWiki instance without logging in.

Send a request to the SolrSearch endpoint with the crafted URL:

<host>/xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28"Hello%20from"%20%2B%20"%20search%20text%3A"%20%2B%20%2823%20%2B%2019%29%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D%20

Check the output and the title of the RSS feed. If the title contains Hello from search text:42, the instance is vulnerable.

Patch Analysis:

The vulnerability has been patched in XWiki 15.10.11, 16.4.1, and 16.5.0RC1.
The patch involves modifying the SolrSearchMacros.xml file to ensure that the rawResponse macro correctly handles the content type, preventing arbitrary code execution.

References:

By addressing this vulnerability promptly and implementing robust security measures, organizations can mitigate the risk of exploitation and protect their systems from potential attacks.

Description

Comprehensive Technical Analysis of CVE-2025-24893

1. Vulnerability Assessment and Severity Evaluation

CVE ID: CVE-2025-24893

CVSS Score: 9.8

2. Potential Attack Vectors and Exploitation Methods

Attack Vectors:

Unauthenticated Access: The vulnerability can be exploited without any authentication, making it highly accessible to attackers.
Remote Code Execution (RCE): The primary attack vector involves sending a malicious request to the SolrSearch endpoint, which allows the execution of arbitrary code.

Exploitation Methods:

Crafted URL: An attacker can send a specially crafted URL to the SolrSearch endpoint, which includes a payload that executes arbitrary code. For example:

<host>/xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28"Hello%20from"%20%2B%20"%20search%20text%3A"%20%2B%20%2823%20%2B%2019%29%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D%20

Payload Execution: The payload can include Groovy script code, which is executed on the server, allowing the attacker to perform various malicious actions such as data exfiltration, system compromise, or further exploitation.

3. Affected Systems and Software Versions

Affected Versions:

XWiki versions prior to 15.10.11, 16.4.1, and 16.5.0RC1.

Systems:

Any system running the affected versions of XWiki Platform.

4. Recommended Mitigation Strategies

Immediate Mitigation:

Upgrade: Users are strongly advised to upgrade to the patched versions: XWiki 15.10.11, 16.4.1, or 16.5.0RC1.
Temporary Workaround: For users unable to upgrade immediately, edit Main.SolrSearchMacros in SolrSearchMacros.xml on line 955 to match the rawResponse macro in macros.vm#L2824 with a content type of application/xml, instead of simply outputting the content of the feed.

Long-Term Mitigation:

Regular Patching: Implement a regular patching and update schedule for all software components.
Access Controls: Enforce strict access controls and authentication mechanisms to limit unauthorized access.
Monitoring and Logging: Implement robust monitoring and logging to detect and respond to suspicious activities promptly.

5. Impact on Cybersecurity Landscape

Immediate Impact:

Widespread Exploitation: Given the ease of exploitation and the critical nature of the vulnerability, there is a high risk of widespread exploitation.
Data Breaches: Organizations using the affected versions of XWiki Platform are at risk of data breaches, unauthorized access, and system compromise.

Long-Term Impact:

Increased Awareness: This vulnerability highlights the importance of regular patching and the need for robust security measures in open-source software.
Enhanced Security Practices: The incident may lead to enhanced security practices and more stringent code reviews in the development community.

6. Technical Details for Security Professionals

Exploit Reproduction: To reproduce the vulnerability, perform the following steps:

Access the XWiki instance without logging in.

Send a request to the SolrSearch endpoint with the crafted URL:

<host>/xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28"Hello%20from"%20%2B%20"%20search%20text%3A"%20%2B%20%2823%20%2B%2019%29%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D%20

Check the output and the title of the RSS feed. If the title contains Hello from search text:42, the instance is vulnerable.

Patch Analysis:

The vulnerability has been patched in XWiki 15.10.11, 16.4.1, and 16.5.0RC1.
The patch involves modifying the SolrSearchMacros.xml file to ensure that the rawResponse macro correctly handles the content type, preventing arbitrary code execution.

References:

By addressing this vulnerability promptly and implementing robust security measures, organizations can mitigate the risk of exploitation and protect their systems from potential attacks.

XWiki Platform Eval Injection Vulnerability

Weakness (CWE)

CVSS Vector

Description

Comprehensive Technical Analysis of CVE-2025-24893

1. Vulnerability Assessment and Severity Evaluation

2. Potential Attack Vectors and Exploitation Methods

3. Affected Systems and Software Versions

4. Recommended Mitigation Strategies

5. Impact on Cybersecurity Landscape

6. Technical Details for Security Professionals

Exploits

XWiki Platform 15.10.10 - Remote Code Execution

XWiki Platform 15.10.10 - Metasploit Module for Remote Code Execution (RCE)

References

CVE-2025-24893

XWiki Platform Eval Injection Vulnerability

Weakness (CWE)

CVSS Vector

Description

Comprehensive Technical Analysis of CVE-2025-24893

1. Vulnerability Assessment and Severity Evaluation

2. Potential Attack Vectors and Exploitation Methods

3. Affected Systems and Software Versions

4. Recommended Mitigation Strategies

5. Impact on Cybersecurity Landscape

6. Technical Details for Security Professionals

Exploits

XWiki Platform 15.10.10 - Remote Code Execution

XWiki Platform 15.10.10 - Metasploit Module for Remote Code Execution (RCE)

References