{"id":8080,"date":"2025-10-31T10:03:27","date_gmt":"2025-10-31T10:03:27","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/10\/31\/cisa-warns-of-xwiki-platform-injection-vulnerability-exploited-to-execute-remote-code\/"},"modified":"2025-10-31T10:03:27","modified_gmt":"2025-10-31T10:03:27","slug":"cisa-warns-of-xwiki-platform-injection-vulnerability-exploited-to-execute-remote-code","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/10\/31\/cisa-warns-of-xwiki-platform-injection-vulnerability-exploited-to-execute-remote-code\/","title":{"rendered":"CISA Warns of XWiki Platform Injection vulnerability Exploited to Execute Remote Code"},"content":{"rendered":"

CISA Warns of XWiki Platform Injection vulnerability Exploited to Execute Remote Code
\n \t

\n
<\/BR>
\n
\n \t

\n
<\/BR><\/p>\n

\n

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning about a severe injection vulnerability in the XWiki Platform, designated as CVE-2025-24893<\/a>.<\/p>\n

This flaw allows unauthenticated attackers to execute arbitrary remote code, posing significant risks to organizations using the open-source wiki software.<\/p>\n

Discovered and actively exploited, the vulnerability underscores the dangers of eval injection in web applications<\/a>, particularly those handling search functionalities.<\/p>\n

XWiki, a popular platform for collaborative content management, suffers from this eval injection issue in its SolrSearch feature. Attackers can exploit it without logging in, potentially compromising entire installations.<\/p>\n

CISA added the CVE to its Known Exploited Vulnerabilities catalog on October 30, 2025, emphasizing the need for immediate action amid reports of real-world exploitation.<\/p>\n

While it\u2019s unclear if ransomware groups are leveraging it specifically, the flaw\u2019s severity aligns with tactics seen in broader campaigns targeting content management systems.<\/p>\n

Vulnerability Mechanics and Impact<\/strong><\/h2>\n

At its core, CVE-2025-24893 stems from improper handling of user input in the SolrSearch endpoint, classified under CWE-95 for improper neutralization of directives in dynamically evaluated code. Any guest user can send a crafted request to trigger code execution.<\/p>\n

For instance, a simple test involves accessing the SolrSearch RSS feed with a payload like %7D%7D%7D%7B%7Basync async=false%7D%7D%7B%7Bgroovy%7D%7Dprintln(\u201cHello from\u201d + \u201d search text:\u201d + (23 + 19))%7B%7B\/groovy%7D%7D%7B%7B\/async%7D%7D. If the response includes \u201cHello from search text:42\u201d in the RSS title, the instance is vulnerable.<\/p>\n

The impact is devastating: complete remote code execution undermines confidentiality, integrity, and availability. Attackers could steal data, deploy malware, or pivot to other systems.<\/p>\n

Affected versions include those prior to the patches, primarily impacting enterprise users in education, government, and corporate sectors who rely on XWiki for internal knowledge bases.<\/p>\n

\n\n\n\n\n\n
CVE ID<\/th>\nDescription<\/th>\nAffected Products\/Versions<\/th>\nCVSS 3.1 Score<\/th>\nCWE<\/th>\nExploitation Status<\/th>\n<\/tr>\n<\/thead>\n
CVE-2025-24893<\/td>\nEval injection in SolrSearch allowing arbitrary RCE<\/td>\nXWiki Platform < 15.10.11, < 16.4.1, < 16.5.0RC1<\/td>\n9.8 (Critical)<\/td>\nCWE-95<\/td>\nActively exploited in the wild<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n

Mitigations<\/strong><\/h2>\n

CISA urges<\/a> users to promptly apply vendor mitigations, adhere to Binding Operational Directive 22-01 for cloud services<\/a>, or discontinue use of the product if patches are unavailable.<\/p>\n

XWiki has released fixes in versions 15.10.11, 16.4.1, and 16.5.0RC1, which sanitize inputs and prevent eval execution.<\/p>\n

As a temporary workaround, administrators can modify the Main.SolrSearchMacros file, specifically line 955, to enforce an application\/xml content type for the rawResponse macro, mirroring the template\u2019s secure output handling.<\/p>\n

This blocks malicious payloads without a full upgrade. Organizations should also monitor logs for suspicious SolrSearch requests and restrict guest access where possible.<\/p>\n

This incident highlights the ongoing threats to legacy web platforms. With exploitation confirmed, swift patching remains critical to safeguard sensitive environments.<\/p>\n

Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n

The post CISA Warns of XWiki Platform Injection vulnerability Exploited to Execute Remote Code<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n

\t

\n
<\/BR>
\n Guru Baran
\n \t

\n
<\/BR>
\nGo to cyber-security-news<\/a>
\n \t

\n
<\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"

CISA Warns of XWiki Platform Injection vulnerability Exploited to Execute Remote Code The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning about a severe injection vulnerability in the XWiki Platform, designated as CVE-2025-24893. This flaw allows unauthenticated attackers to execute arbitrary remote code, posing significant risks to organizations using the open-source […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,131,648],"tags":[130],"class_list":["post-8080","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-vulnerability","category-vulnerability-news","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/8080"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=8080"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/8080\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=8080"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=8080"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=8080"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}