CRITICAL🚩 CISA KEV⚡ EXPLOIT🇵🇱 Wersja polska

CVE-2025-24893

CVSS 9.8v3.1pub. 2025-02-20upd. 2025-10-31

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any guest can perform arbitrary remote code execution through a request to `SolrSearch`. This impacts the confidentiality, integrity and availability of the whole XWiki installation. To reproduce on an instance, without being logged in, go to `<host>/xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28"Hello%20from"%20%2B%20"%20search%20text%3A"%20%2B%20%2823%20%2B%2019%29%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D%20`. If there is an output, and the title of the RSS feed contains `Hello from search text:42`, then the instance is vulnerable. This vulnerability has been patched in XWiki 15.10.11, 16.4.1 and 16.5.0RC1. Users are advised to upgrade. Users unable to upgrade may edit `Main.SolrSearchMacros` in `SolrSearchMacros.xml` on line 955 to match the `rawResponse` macro in `macros.vm#L2824` with a content type of `application/xml`, instead of simply outputting the content of the feed.

🤖 AI Analysis
How it works

An attacker sends an HTTP GET request to the path `/xwiki/bin/get/Main/SolrSearch` with a `text` parameter containing a malicious payload in XWiki template format (e.g., a `{{groovy}}` block). The `SolrSearch` endpoint in vulnerable versions does not properly sanitize input data before processing, which enables Groovy code injection and evaluation (CWE-94, CWE-95) on the server side. The attack requires no authentication or user interaction — a single network request is sufficient.

Impact

An attacker gains the ability to execute arbitrary code on the server (RCE), which threatens the confidentiality, integrity, and availability of the entire XWiki installation, including access to all user data and server infrastructure.

Mitigation & patch

XWiki should be updated to version 15.10.11, 16.4.1, or 16.5.0RC1. Users who cannot perform an update should manually edit the `Main.SolrSearchMacros` file (`SolrSearchMacros.xml`, line 955) — the `rawResponse` macro should be adjusted to set the content type to `application/xml` instead of directly outputting the RSS feed content, following the pattern from the `macros.vm` file (line 2824).

Who is affected

XWiki Platform in all versions preceding 15.10.11, 16.4.1, and 16.5.0RC1

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Xwiki

    APP
    Xwiki
    5.35.4 – 15.10.11 (bez)16.0.0 – 16.4.1 (bez)

CISA KEV — detailsi

Vendori
XWiki
Producti
Platform
Added to KEVi
October 30, 2025
Remediation deadline (US Federal)i
November 20, 2025(overdue)
Required action (CISA)i

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CISA descriptioni

XWiki Platform contains an eval injection vulnerability that could allow any guest to perform arbitrary remote code execution through a request to SolrSearch.

🔴
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
CISA DEADLINE: 20 listopada 2025
Tags
RCE
CWE
References

Related vulnerabilities

CVE-2025-55747CRITICAL9.3PL ✓ten sam produkt

XWiki Platform: ujawnienie plików konfiguracyjnych przez webjars API (path traversal)

CVE-2025-55748CRITICAL9.3PL ✓ten sam produkt

XWiki Platform — path traversal umożliwia odczyt plików konfiguracyjnych

CVE-2025-32429CRITICAL9.3PL ✓ten sam produkt

SQL Injection w XWiki Platform via parametr sort w getdeleteddocuments.vm

CVE-2025-53836CRITICAL9.9PL ✓ten sam produkt

XWiki Rendering: bypass trybu restricted przez zagnieżdżone makra

CVE-2025-53835CRITICAL9.0PL ✓ten sam produkt

XWiki Rendering: XSS przez składnię xdom+xml/current w XHTML