Summary
CVE-2025-24893 is a critical RCE vulnerability in XWiki, caused by unsafe Groovy expression handling inside the SolrSearch macro. An attacker can inject Groovy code through a crafted GET request, leading to remote code execution (no authentication required).
- Severity: Critical (CVSS 9.8)
- Affected: versions prior to the fixed releases 15.10.11, 16.4.1 and 16.5.0RC1
Technical Breakdown
The vulnerability resides in the SolrSearch macro (Main.SolrSearch) of XWiki, which handles search input using unsafe Groovy evaluation. The macro fails to sanitize user-supplied input, allowing for arbitrary code execution.
Vulnerable Endpoint
/xwiki/bin/get/Main/SolrSearch?media=rss&text=
An attacker can inject Groovy code into the text parameter, which is evaluated server-side due to improper input handling within the macro system.
Example Payload
}}}{{async async=false}}{{groovy}}'id'.execute(){{/groovy}}{{/async}}
This leads to unauthenticated Remote Code Execution (RCE) on vulnerable XWiki instances.
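A detection check for the request pattern described above, written as an added example for this page (it is not part of the original write-up or the XWiki project). It parses combined-format access-log lines, isolates the text parameter of requests to the SolrSearch endpoint, and flags wiki-syntax escapes and script macros in it; it generalizes slightly beyond the Groovy case by also matching XWiki's velocity, python and script macros. The log lines are constructed samples.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlparse

# Constructed sample access-log lines in combined format; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Mar/2025:10:00:01 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync+async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7D%27id%27.execute%28%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D HTTP/1.1" 200 512
10.0.0.6 - - [01/Mar/2025:10:00:02 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=release+notes HTTP/1.1" 200 2048
10.0.0.7 - - [01/Mar/2025:10:00:03 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 4096
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')
# Script macros that have no business inside a search string.
MACRO_RE = re.compile(r"\{\{\s*/?(groovy|async|velocity|python|script)\b", re.IGNORECASE)
# Closing a wiki-syntax block ("}}}") before opening a macro is the escape the payload relies on.
ESCAPE_RE = re.compile(r"\}\}\}")

def inspect_target(target):
    """Return the script macros found in the SolrSearch 'text' parameter, or [] if clean."""
    parsed = urlparse(target)
    if not parsed.path.endswith("/SolrSearch"):
        return []
    # parse_qs percent-decodes once; decode a second time to catch double encoding.
    params = parse_qs(parsed.query, keep_blank_values=True)
    found = []
    for value in params.get("text", []):
        decoded = unquote_plus(value)
        macros = sorted({m.group(1).lower() for m in MACRO_RE.finditer(decoded)})
        if macros or ESCAPE_RE.search(decoded):
            found.extend(macros or ["wiki-syntax-escape"])
    return sorted(set(found))

def scan_log(text):
    """Return (ip, timestamp, target, macros) for each request that matches the abuse pattern."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        macros = inspect_target(m.group("target"))
        if macros:
            hits.append((m.group("ip"), m.group("ts"), m.group("target"), macros))
    return hits

if __name__ == "__main__":
    for ip, ts, target, macros in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} macros={','.join(macros)} {target[:60]}...")
```

Any hit is worth correlating with the XWiki version in use and with outbound connections from the host around the same timestamp.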
Proof-of-Concept (PoC) Demonstration
Target Environment
The vulnerable target is an XWiki instance running version 15.10.8, which is affected by CVE-2025-24893.

Preparing the Listener
Start a Netcat listener on the attacker’s machine to capture the reverse shell connection:

Launching the Exploit
Run the exploit script CVE-2025-24893-dbs.py to deliver the Groovy-based RCE payload to the vulnerable XWiki endpoint.

Successful Remote Shell Access
Upon successful execution, the reverse shell will connect back to the listener, granting the attacker remote access to the server.

References
- OffSec Blog: CVE-2025-24893 XWiki Groovy RCE
- NVD Entry: CVE-2025-24893