RondoDox Targets Unpatched XWiki Servers to Expand Its Botnet


RondoDox Botnet Exploits Critical XWiki Vulnerability

The RondoDox botnet malware has begun exploiting unpatched XWiki instances. The activity targets CVE-2025-24893, a critical vulnerability (CVSS score 9.8) that permits attackers to execute arbitrary code on affected systems.

Understanding the Vulnerability

CVE-2025-24893 is an eval injection flaw. It allows unauthenticated guest users to achieve remote code execution through the “/bin/get/Main/SolrSearch” endpoint. The XWiki maintainers fixed the vulnerability in versions 15.10.11, 16.4.1, and 16.5.0RC1, released in late February 2025. Despite the availability of these patches, exploitation has been observed in the wild since at least March.
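As an added example (not code from the article, VulnCheck, or the XWiki project), the following Python check compares installed XWiki version strings against the three fixed releases named above. The version-string shape (MAJOR.MINOR.PATCH with an optional M/RC suffix) and the rule that each fix applies to its own release line are assumptions made for this check.

```python
import re

# Fixed releases named in the article; one fix per maintained release line.
FIXED_VERSIONS = ["15.10.11", "16.4.1", "16.5.0RC1"]

# Assumed version shape: MAJOR.MINOR.PATCH with an optional M<n> or RC<n> suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-?(M|RC)(\d+))?$", re.IGNORECASE)


def parse_version(text):
    """Map 'MAJOR.MINOR.PATCH[M<n>|RC<n>]' to a tuple that sorts in release order.

    Milestones sort below release candidates, and both sort below the final
    release with the same number, so 16.5.0 counts as newer than 16.5.0RC1.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised XWiki version: {text!r}")
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3))
    if m.group(4) is None:
        return (major, minor, patch, 2, 0)            # final release
    stage = 0 if m.group(4).upper() == "M" else 1     # milestone < RC < final
    return (major, minor, patch, stage, int(m.group(5)))


def is_patched(installed):
    """True when the installed version already carries the fix.

    Assumption: the applicable fix is the lowest fixed release whose MAJOR.MINOR
    line is not older than the installed one; a version newer than every fixed
    line (e.g. 16.6.0) is treated as including the fix.
    """
    v = parse_version(installed)
    fixes = sorted(parse_version(f) for f in FIXED_VERSIONS)
    applicable = [f for f in fixes if f[:2] >= v[:2]]
    return not applicable or v >= applicable[0]


def unpatched(versions):
    """Return the subset of an inventory's version strings still exposed."""
    return [v for v in versions if not is_patched(v)]


if __name__ == "__main__":
    # Constructed inventory for illustration, not real hosts.
    inventory = ["15.10.10", "15.10.11", "16.2.0", "16.4.1", "16.5.0RC1", "16.6.0"]
    print("unpatched:", unpatched(inventory))   # -> ['15.10.10', '16.2.0']
```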

Timeline of Exploitation Attempts

Recent reporting from VulnCheck indicates that exploitation attempts rose sharply in late October. Not all of these were bare exploitation attempts; some formed part of a two-stage attack that deployed cryptocurrency miners. A notable spike occurred on November 7, followed by another on November 11, indicating that multiple threat actors are actively scanning for vulnerable XWiki instances.

CISA Responds to the Threat

In light of these developments, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-24893 to its Known Exploited Vulnerabilities (KEV) catalog. Federal agencies are required to apply the necessary mitigations by November 20.

Insights into RondoDox Activity

According to VulnCheck, the RondoDox botnet is expanding rapidly, aiming to enlist exposed devices into its network for distributed denial-of-service (DDoS) attacks. RondoDox's first recorded exploitation attempt against this vulnerability dates to November 3, 2025. The botnet uses multiple protocols, including HTTP, UDP, and TCP, to carry out these attacks.

Beyond botnet recruitment for DDoS, the vulnerability is being exploited for other ends as well: delivering cryptocurrency mining software, establishing reverse shell connections, and general probing using a Nuclei template specific to CVE-2025-24893.

The Importance of Prompt Patch Management

The ongoing exploitation of CVE-2025-24893 underlines the need for organizations to maintain robust patch management. Applying updates promptly significantly reduces exposure to threats of this kind.

“CVE-2025-24893 is a familiar story: one attacker moves first, and many follow,” noted Jacob Baines, a cybersecurity expert at VulnCheck. He emphasized that within days of the initial exploitation, various actors, including botnets and miners, quickly capitalized on the same vulnerability.
