
New Botnet Campaign Targets Unpatched XWiki Servers


The botnet malware known as RondoDox now targets unpatched XWiki instances by exploiting a critical security flaw that allows attackers to achieve arbitrary code execution.

The vulnerability in question, CVE-2025-24893 (CVSS score: 9.8), is an eval injection bug that allows any guest user to achieve arbitrary remote code execution through a request to the "/bin/get/Main/SolrSearch" endpoint. The maintainers patched the issue in XWiki 15.10.11, 16.4.1, and 16.5.0RC1 in late February 2025.
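Two defensive checks follow from that paragraph: confirming that a deployment runs one of the fixed versions, and spotting requests to the SolrSearch endpoint whose search parameters carry XWiki macro delimiters, which a legitimate search term never needs. The script below is an added example written for this page; it is not code from the article, VulnCheck, or the XWiki project. The version rule (15.10.x from .11 up, 16.4.x from .1 up, and everything from 16.5.0RC1 onward counts as fixed; earlier trains such as 16.2.x do not) is inferred from the three fixed versions the article names. The combined access-log format, the `/xwiki` context path, the client addresses, and the `{{`/`}}` delimiter heuristic are all assumptions, and the log lines are constructed.

```python
"""Patch-status and access-log checks for CVE-2025-24893 (XWiki SolrSearch).

Added example, not from the original article or the XWiki project.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Fixed versions as named in the article.
FIXED_VERSIONS = ["15.10.11", "16.4.1", "16.5.0RC1"]
SOLR_ENDPOINT = "/bin/get/Main/SolrSearch"
# Heuristic (assumption): XWiki macro delimiters have no place in a search term.
MACRO_MARKERS = ("{{", "}}")

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-?RC(\d+))?$", re.I)

def parse_version(version):
    """Map '16.5.0RC1' to a sortable tuple; a final release sorts after its RCs."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised XWiki version: {version!r}")
    major, minor, patch, rc = m.groups()
    pre = (0, int(rc)) if rc else (1, 0)
    return (int(major), int(minor), int(patch or 0)) + pre

def is_patched(version):
    """True if the version is at or above the fix for its release train."""
    v = parse_version(version)
    fixed = [parse_version(f) for f in FIXED_VERSIONS]
    # Maintenance trains that received a backported fix: compare patch level.
    for f in fixed:
        if v[:2] == f[:2]:
            return v >= f
    # Otherwise only releases from 16.5.0RC1 onward carry the fix (inferred
    # from the article's fixed versions; e.g. 16.2.x predates it).
    return v >= max(fixed)

# Combined log format prefix: client, ident, user, [timestamp] "METHOD target proto" status
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def flag_suspicious_requests(log_lines):
    """Return SolrSearch requests whose query parameters contain macro delimiters."""
    hits = []
    for line in log_lines:
        m = _LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if not parts.path.endswith(SOLR_ENDPOINT):
            continue
        params = parse_qs(parts.query, keep_blank_values=True)
        for name, values in params.items():
            # parse_qs percent-decodes once; a second unquote catches double encoding.
            if any(mk in unquote(val) for val in values for mk in MACRO_MARKERS):
                hits.append({"ip": m["ip"], "ts": m["ts"], "param": name,
                             "status": int(m["status"])})
                break
    return hits

# Constructed sample log lines (addresses from documentation ranges).
SAMPLE_LOG = [
    # Ordinary search: not flagged.
    '198.51.100.4 - - [07/Nov/2025:09:58:12 +0000] "GET /xwiki/bin/get/Main/SolrSearch'
    '?media=rss&text=release+notes HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    # Macro delimiters smuggled into the search parameter.
    '203.0.113.7 - - [07/Nov/2025:10:12:01 +0000] "GET /xwiki/bin/get/Main/SolrSearch'
    '?media=rss&text=%7B%7Bexample%7D%7D HTTP/1.1" 200 512 "-" "curl/8.0"',
    # Same thing, double percent-encoded.
    '203.0.113.9 - - [11/Nov/2025:14:03:44 +0000] "GET /xwiki/bin/get/Main/SolrSearch'
    '?text=%257B%257Bexample%257D%257D HTTP/1.1" 200 512 "-" "python-requests/2.32"',
    # Braces on a different endpoint: outside this check's scope.
    '198.51.100.9 - - [11/Nov/2025:14:05:00 +0000] "GET /xwiki/bin/view/Main/WebHome'
    '?foo=%7B%7Bx%7D%7D HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for v in ("15.10.10", "16.4.1", "16.5.0RC1", "16.2.3"):
        print(v, "patched" if is_patched(v) else "UNPATCHED")
    for hit in flag_suspicious_requests(SAMPLE_LOG):
        print("suspicious SolrSearch request:", hit)
```

Feed `flag_suspicious_requests` the real access log of a reverse proxy in front of XWiki and treat every hit on an unpatched instance as a trigger for the host-level checks the article's later paragraphs imply (new miner processes, unexpected outbound connections).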

While evidence showed that attackers exploited the shortcoming in the wild as early as March, the situation escalated in late October when VulnCheck disclosed that it had observed fresh attempts weaponizing the flaw as part of a two-stage attack chain deploying a cryptocurrency miner.

Subsequently, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog and required federal agencies to apply necessary mitigations by November 20.

In a fresh report published Friday, VulnCheck revealed that it observed a spike in exploitation attempts, reaching a new high on November 7 and then surging again on November 11. This trend indicates broader scanning activity likely driven by multiple threat actors participating in the effort.

This activity includes RondoDox, a botnet that rapidly adds new exploitation vectors to rope susceptible devices into a botnet for conducting Distributed Denial-of-Service (DDoS) attacks using the HTTP, UDP, and TCP protocols. The cybersecurity company observed the first RondoDox exploit on November 3, 2025.

Other attacks exploit the flaw to deliver cryptocurrency miners, establish a reverse shell, and perform general probing activity using a Nuclei template for CVE-2025-24893.

These findings once again show the need for organizations to adopt robust patch management practices to ensure optimal protection.

“CVE-2025-24893 is a familiar story: one attacker moves first, and many follow,” VulnCheck’s Jacob Baines said. “Within days of the initial exploitation, we saw botnets, miners, and opportunistic scanners all adopting the same vulnerability.”

Source: TheHackerNews
