Exploitation of the recent XWiki vulnerability has expanded to botnets, cryptocurrency miners, scanners, and custom tools.
November 17, 2025 By Ionut Arghire
Threat actors started exploiting a critical XWiki vulnerability en masse within two weeks of the bug being reported as exploited in the wild, VulnCheck warns.
Tracked as CVE-2025-24893 (CVSS score of 9.8), the flaw was discovered in May 2024 and patched in June 2024, but a CVE identifier was assigned to it only in early 2025, after technical information became public.
The bug exists because, in XWiki versions before 15.10.11, 16.4.1 and 16.5.0RC1, the search function does not properly sanitize user-supplied input before rendering it, allowing remote, unauthenticated attackers to execute arbitrary code via crafted requests to the search endpoint.
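Two checks a defender would want at this point: whether an installed XWiki version falls inside the affected range the article gives, and whether web-server logs show search requests carrying injected wiki markup. The following is an added example written for this page, not code from the article, VulnCheck or the XWiki project. It assumes the three fixed versions named above are the only boundaries that matter, that XWiki pre-release tags sort as milestone < rc < final, and that exploitation attempts put XWiki macro syntax (`{{...}}`) into the `text` query parameter of a request to a SolrSearch page; the endpoint path, the parameter name and the log lines are all assumptions constructed for the example and are not stated in the article.

```python
"""Triage helpers for the XWiki search-endpoint RCE (CVE-2025-24893).

Added example, not from the article or the XWiki project. Assumptions:
the fixed releases are exactly 15.10.11, 16.4.1 and 16.5.0RC1; the
exploit shape is XWiki macro syntax ("{{...}}") in the `text` parameter
of a request whose path contains "/SolrSearch"; the sample log lines
below are constructed, in Apache combined format.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Pre-release ordering assumed for XWiki version strings:
# "16.5.0-milestone-1" < "16.5.0-rc-1" (written 16.5.0RC1 above) < "16.5.0".
_STAGE = {"milestone": 0, "rc": 1}
_FINAL = 2
_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-?(milestone|rc)-?(\d+))?$", re.I)


def parse_version(text):
    """Return a comparable tuple (major, minor, patch, stage, stage_no)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised XWiki version: {text!r}")
    major, minor, patch, stage, stage_no = m.groups()
    return (int(major), int(minor), int(patch or 0),
            _STAGE[stage.lower()] if stage else _FINAL,
            int(stage_no) if stage_no else 0)


# First fixed release on each affected line, as listed in the article.
FIXED_15 = parse_version("15.10.11")
FIXED_16_4 = parse_version("16.4.1")
FIXED_16_5 = parse_version("16.5.0-rc-1")


def is_vulnerable(version):
    """True if `version` is below the fix on its own release line."""
    v = parse_version(version)
    if v[0] < 16:
        return v < FIXED_15            # every 15.x (and older) before 15.10.11
    if v[0] == 16 and v[1] <= 4:
        return v < FIXED_16_4          # 16.0.x .. 16.4.0
    if v[0] == 16 and v[1] == 5:
        return v < FIXED_16_5          # only 16.5.0 milestones predate RC1
    return False                       # 16.5.0 final and 16.6+ carry the fix


# Constructed sample log: one injection attempt, one ordinary search,
# one unrelated page view. Addresses are from documentation ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [20/Oct/2025:10:01:02 +0000] "GET /xwiki/bin/get/Main/SolrSearch'
    '?media=rss&text=%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7D'
    'println(%22x%22)%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '198.51.100.4 - - [20/Oct/2025:10:03:11 +0000] "GET /xwiki/bin/get/Main/SolrSearch'
    '?media=rss&text=quarterly+report HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [20/Oct/2025:10:05:44 +0000] "GET /xwiki/bin/view/Main/WebHome'
    ' HTTP/1.1" 200 9001 "-" "python-requests/2.31"',
]

# Apache combined format: client, method, request target, status.
_LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')


def suspicious_search_requests(log_lines):
    """Return (client, status, decoded_text) for SolrSearch requests whose
    `text` parameter contains wiki macro syntax. Decoding happens twice so
    a double-encoded payload is still caught."""
    hits = []
    for line in log_lines:
        m = _LOG_RE.match(line)
        if not m:
            continue
        client, _method, target, status = m.groups()
        parts = urlsplit(target)
        if "/SolrSearch" not in parts.path:
            continue
        for value in parse_qs(parts.query).get("text", []):
            decoded = unquote(value)
            if "{{" in decoded:
                hits.append((client, status, decoded))
    return hits


if __name__ == "__main__":
    for ver in ("15.10.10", "15.10.11", "16.4.0", "16.5.0-milestone-2", "16.6.0"):
        print(f"{ver:22} vulnerable={is_vulnerable(ver)}")
    for client, status, text in suspicious_search_requests(SAMPLE_LOG):
        print(f"{client} status={status} text={text}")
```

The version check treats "before 15.10.11" literally, so 14.x and earlier are reported as vulnerable; a status of 200 on a flagged request is worth following up with the server-side XWiki logs, since the access log alone does not show whether the injected script ran.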
Proof-of-concept (PoC) code targeting the issue has been publicly available since early 2025, and security researchers observed the defect being targeted in reconnaissance attempts, but in-the-wild exploitation started only last month.