RondoDox Botnet Exploits Unpatched XWiki Servers via CVE-2025-24893
Executive Summary
In November 2025, cybersecurity researchers identified a widescale campaign leveraging the RondoDox botnet to exploit unpatched XWiki server instances. Attackers targeted CVE-2025-24893—a critical eval injection vulnerability with a CVSS score of 9.8—allowing unauthenticated remote code execution through manipulated HTTP requests. Once compromised, affected XWiki servers were conscripted into the botnet, enabling further lateral spread and facilitating command-and-control capabilities for adversaries. Organizations reliant on XWiki for content collaboration faced outages, data exposure, and the threat of secondary attacks as RondoDox rapidly weaponized unremediated systems.
The RondoDox campaign underscores a growing trend in the automated exploitation of high-severity vulnerabilities in open-source platforms. As threat actors increasingly target collaborative SaaS and wiki services, enterprises face heightened demands for rapid patch management, proactive threat detection, and adherence to zero trust principles to minimize supply chain risk.
Why This Matters Now
The RondoDox/XWiki intrusion demonstrates the urgent need for organizations to swiftly patch known vulnerabilities, especially in widely used open-source tools. The rapid weaponization of CVE-2025-24893 highlights how botnets continue to serve as force multipliers for attackers, making unpatched systems vulnerable to large-scale compromise, regulatory scrutiny, and operational disruption.
Attack Path Analysis
RondoDox attackers exploited an unpatched eval injection vulnerability (CVE-2025-24893) in public XWiki servers, gaining remote code execution. Following initial compromise, adversaries likely leveraged the compromised access to escalate privileges and establish deeper persistence on the system. The malware then moved laterally, attempting to infect additional internal hosts and workloads. For command and control, compromised systems established outbound connections to remote C2 infrastructure using encrypted or obfuscated channels. Exfiltration likely involved siphoning device data or botnet signals to remote infrastructure. Finally, attackers established the device as a new node in the botnet, enabling ongoing impact through participation in malicious campaigns or DDoS attacks.
Kill Chain Progression
Initial Compromise
Description
Exploited the unpatched CVE-2025-24893 eval injection vulnerability in exposed XWiki servers to achieve remote code execution.
Related CVEs
CVE-2025-24893
CVSS 9.8An eval injection vulnerability in XWiki's SolrSearch macro allows unauthenticated remote code execution, compromising confidentiality, integrity, and availability.
Affected Products:
XWiki XWiki Platform – >= 5.3-milestone-2, < 15.10.11, >= 16.0.0-rc-1, < 16.4.1
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Exploitation for Client Execution
Command and Scripting Interpreter
Application Layer Protocol: Web Protocols
Create Account
Ingress Tool Transfer
Develop Capabilities: Malware
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Addressing Security Vulnerabilities
Control ID: 6.2.3
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT Risk Management Framework — Prevention, Detection, and Response
Control ID: Article 9(2)
CISA Zero Trust Maturity Model 2.0 – Patch and Vulnerability Management
Control ID: Asset Management — Patch & Vulnerability Management
NIS2 Directive – Technical and Organizational Measures — Vulnerability Handling
Control ID: Article 21(2)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Information Technology/IT
XWiki server vulnerabilities expose IT infrastructure to RondoDox botnet recruitment, requiring immediate patching and enhanced network segmentation controls.
Computer Software/Engineering
Software development environments using XWiki face critical eval injection risks enabling arbitrary code execution and botnet compromise scenarios.
Higher Education/Acadamia
Academic institutions commonly deploying XWiki for collaboration face severe botnet integration risks through unpatched CVE-2025-24893 exploitation vectors.
Government Administration
Government XWiki deployments present high-value botnet targets with compliance violations spanning NIST frameworks and critical infrastructure protection requirements.
Sources
- RondoDox Exploits Unpatched XWiki Servers to Pull More Devices Into Its Botnethttps://thehackernews.com/2025/11/rondodox-exploits-unpatched-xwiki.htmlVerified
- RondoDox expands botnet by exploiting XWiki RCE bug left unpatched since February 2025https://securityaffairs.com/184702/malware/rondodox-expands-botnet-by-exploiting-xwiki-rce-bug-left-unpatched-since-february-2025.htmlVerified
- CVE-2025-24893 - XWiki 'SolrSearch' Remote Code Execution Vulnerability Exploited by Unauthenticated Usershttps://www.cve.news/cve-2025-24893/Verified
- CVE-2025-24893 | Armis Vulnerability Intelligence Databasehttps://cve.armis.com/cve-2025-24893Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Applying Zero Trust controls such as segmentation, east-west traffic security, inline threat detection, and egress policy enforcement would have contained or detected malicious actions at multiple kill chain stages, limiting the spread of compromise and preventing botnet participation.
Control: Cloud Firewall (ACF)
Mitigation: Blocked exploit attempts at the cloud perimeter.
Control: Inline IPS (Suricata)
Mitigation: Detected or prevented privilege escalation behaviors.
Control: East-West Traffic Security
Mitigation: Prevented unauthorized east-west traffic for lateral movement.
Control: Egress Security & Policy Enforcement
Mitigation: Blocked outbound C2 communications.
Control: Encrypted Traffic (HPE)
Mitigation: Monitored and encrypted outbound sensitive data flows.
Contained compromised workloads and isolated their network presence.
Impact at a Glance
Affected Business Functions
- Content Management
- Internal Documentation
- Collaborative Workflows
Estimated downtime: 3 days
Estimated loss: $50,000
Potential exposure of sensitive internal documentation and user data due to unauthorized access.
Recommended Actions
Key Takeaways & Next Steps
- • Implement strict cloud firewalling and minimize exposure of vulnerable applications to the internet.
- • Deploy east-west traffic controls and zero trust segmentation to halt internal lateral movement.
- • Apply robust egress filtering policies to block unsolicited outbound communication and C2 attempts.
- • Utilize inline threat detection (IPS) and anomaly monitoring for rapid response to privilege escalation and attack patterns.
- • Regularly patch public-facing workloads and validate posture with centralized cloud visibility and control.
