RondoDox Exploits Unpatched XWiki Servers to Pull More Devices Into Its Botnet (CVE-2025-24893, CVSS 9.8)


Key takeaways:

  • RondoDox botnet is exploiting CVE-2025-24893 in unpatched XWiki servers.
  • CISA has added CVE-2025-24893 to its Known Exploited Vulnerabilities (KEV) catalog.
  • Immediate patching and continuous monitoring are crucial for mitigation.


The RondoDox botnet is actively exploiting a critical vulnerability, CVE-2025-24893 (CVSS score: 9.8), in unpatched XWiki servers. This eval injection vulnerability allows remote code execution and enables RondoDox to incorporate vulnerable machines into its botnet. The flaw resides in the “/bin/get/Main/SolrSearch” endpoint of XWiki. Successful exploitation grants any guest user the ability to execute arbitrary code remotely.
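Because the flaw lives at a single, well-known path, access logs are a cheap first place to look for exploitation attempts. The script below is an added example written for this article, not code from the advisory, VulnCheck or XWiki: it parses combined-format web server log lines (an assumed layout), keeps only requests to /bin/get/Main/SolrSearch, decodes the query string twice to catch double URL-encoding, and flags queries that contain wiki-macro or template markers. The marker list and the sample log lines are constructed for illustration; the markers are a heuristic to tune against your own traffic, not a published signature.

```python
import re
from urllib.parse import urlsplit, unquote

# Endpoint named in the advisory as the location of the eval injection flaw.
SOLRSEARCH_PATH = "/bin/get/Main/SolrSearch"

# Heuristic markers of template/script injection inside a search query.
# This list is an assumption for the example, not a published signature;
# tune it against real traffic to keep false positives down.
INJECTION_MARKERS = ("{{", "}}", "${")

# Apache/nginx "combined" access-log layout (assumed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Split one access-log line into fields, or return None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def score_request(url):
    """Return the injection markers found in a SolrSearch request.

    None  -> the request is not for the SolrSearch endpoint
    []    -> SolrSearch request with no suspicious markers
    [...] -> markers present in the (double-)decoded query string
    """
    parts = urlsplit(url)
    if parts.path.rstrip("/") != SOLRSEARCH_PATH:
        return None
    # Decode twice so double URL-encoded payloads (%257B -> %7B -> {) are caught.
    decoded = unquote(unquote(parts.query))
    return [marker for marker in INJECTION_MARKERS if marker in decoded]


def find_suspicious(lines):
    """Return one record per log line that hits SolrSearch with injection markers."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        markers = score_request(rec["url"])
        if markers:
            hits.append({
                "ip": rec["ip"],
                "ts": rec["ts"],
                "status": rec["status"],
                "markers": markers,
            })
    return hits


def count_by_source(hits):
    """Aggregate hits per client address so mass scanners stand out."""
    counts = {}
    for hit in hits:
        counts[hit["ip"]] = counts.get(hit["ip"], 0) + 1
    return counts


# Constructed sample log lines: RFC 5737 documentation addresses and a
# placeholder macro name, not a real payload.
SAMPLE_LOG = [
    '203.0.113.5 - - [07/Nov/2025:10:14:02 +0000] "GET /bin/get/Main/SolrSearch?text=%7B%7Bmacro%7D%7D HTTP/1.1" 200 512',
    '198.51.100.7 - - [07/Nov/2025:10:15:11 +0000] "GET /bin/get/Main/SolrSearch?text=quarterly+report HTTP/1.1" 200 2048',
    '192.0.2.9 - - [07/Nov/2025:10:16:40 +0000] "GET /bin/view/Main/WebHome HTTP/1.1" 200 8192',
    '203.0.113.5 - - [07/Nov/2025:10:17:03 +0000] "GET /bin/get/Main/SolrSearch?text=%257B%257Bmacro%257D%257D HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    hits = find_suspicious(SAMPLE_LOG)
    for hit in hits:
        print(f'{hit["ts"]} {hit["ip"]} status={hit["status"]} markers={hit["markers"]}')
    print("hits per source:", count_by_source(hits))
```

A legitimate search for "quarterly report" passes through untouched, while both macro-bearing requests from the same address are reported, including the double-encoded one. A 200 status on a flagged request is worth escalating: on an unpatched instance it means the server processed the request rather than rejecting it.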

CVE-2025-24893: RondoDox Botnet Expansion Vector

The vulnerability, CVE-2025-24893, was addressed by XWiki maintainers in versions 15.10.11, 16.4.1, and 16.5.0RC1 in late February 2025. Despite the availability of patches, unpatched instances remain vulnerable. Evidence suggests that exploitation attempts began as early as March 2025. VulnCheck reported observing renewed exploitation activity in late October 2025, involving a two-stage attack deploying a cryptocurrency miner.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has since added CVE-2025-24893 to its Known Exploited Vulnerabilities (KEV) catalog. This directive mandates that federal agencies implement mitigations by November 20, underscoring the severity and active exploitation of this vulnerability.

VulnCheck’s recent report indicates a significant increase in exploitation attempts, peaking on November 7 and experiencing another surge on November 11. This heightened activity suggests widespread scanning efforts by multiple threat actors, including the RondoDox botnet operators.

RondoDox is expanding its botnet by leveraging CVE-2025-24893. The botnet uses compromised devices to conduct distributed denial-of-service (DDoS) attacks using HTTP, UDP, and TCP protocols. The first instance of RondoDox exploiting this vulnerability was observed on November 3, 2025. Beyond RondoDox, other attacks have been observed deploying cryptocurrency miners, establishing reverse shells, and conducting general probing activities. Security researchers are actively using Nuclei templates to identify systems vulnerable to CVE-2025-24893.

This situation reinforces the critical importance of robust patch management practices. According to VulnCheck’s Jacob Baines, CVE-2025-24893 exemplifies a common pattern where initial exploitation is quickly followed by widespread adoption by various threat actors, including botnets, miners, and opportunistic scanners.

Technical Takeaways:

  • Immediate Patching: Ensure all XWiki instances are updated to version 15.10.11, 16.4.1, or 16.5.0RC1 (or a later release).
  • Intrusion Detection: Implement intrusion detection systems (IDS) with updated signatures to identify exploitation attempts targeting CVE-2025-24893.
  • Vulnerability Scanning: Regularly scan internal and external systems for unpatched XWiki instances using vulnerability scanners.
  • Network Segmentation: Segment networks to limit the potential impact of a compromised XWiki server.
  • Outbound Traffic Monitoring: Closely monitor outbound network traffic for activity associated with botnet behavior, such as DDoS traffic.
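The patching and scanning items above come down to one question per instance: is its version at or above the fixed release for its branch? The script below is an added example for this article, not XWiki's or PurpleOps' tooling. It encodes the three fixed versions the advisory lists (15.10.11, 16.4.1, 16.5.0RC1), orders release candidates before the corresponding final release, and triages a constructed inventory into hosts that need an upgrade, hosts already patched, and hosts whose version string could not be parsed. It assumes that branches older than 15.x did not receive a fix and should be treated as needing an upgrade, and it accepts both the "16.5.0RC1" spelling used in the article and a hyphenated "16.5.0-rc-1" form.

```python
import re

# Version grammar: major.minor.patch with an optional release-candidate suffix.
# Both "16.5.0RC1" and "16.5.0-rc-1" are accepted (assumption for this example).
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-?rc-?(\d+))?$", re.IGNORECASE)


def parse_version(text):
    """Turn a version string into a sortable tuple; raise ValueError if unrecognised."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised XWiki version: {text!r}")
    major, minor, patch, rc = m.groups()
    # A release candidate sorts before the final release with the same number:
    # 16.5.0RC1 < 16.5.0. Finals get (1, 0); RCn gets (0, n).
    rc_key = (0, int(rc)) if rc else (1, 0)
    return (int(major), int(minor), int(patch)) + rc_key


# Fixed releases as stated in the advisory.
FIXED_15 = parse_version("15.10.11")
FIXED_16_4 = parse_version("16.4.1")
FIXED_16_5 = parse_version("16.5.0RC1")


def is_patched(version):
    """True if the version is at or above the fixed release for its branch."""
    v = parse_version(version)
    major, minor = v[0], v[1]
    if major < 15:
        # Assumption: older branches received no fix, so they must be upgraded.
        return False
    if major == 15:
        return v >= FIXED_15
    if major == 16 and minor <= 4:
        # 16.0 through 16.4: fixed from 16.4.1 onward.
        return v >= FIXED_16_4
    if major == 16:
        # 16.5 and later minors: fixed from 16.5.0RC1 onward.
        return v >= FIXED_16_5
    # 17.x and newer are later than every fixed release.
    return True


def triage(inventory):
    """Split {host: version} into (needs_upgrade, patched, unknown), each sorted."""
    needs_upgrade, patched, unknown = [], [], []
    for host, version in inventory.items():
        try:
            (patched if is_patched(version) else needs_upgrade).append(host)
        except ValueError:
            unknown.append(host)
    return sorted(needs_upgrade), sorted(patched), sorted(unknown)


# Constructed inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = {
    "wiki-a.example.internal": "15.10.9",
    "wiki-b.example.internal": "16.4.1",
    "wiki-c.example.internal": "16.2.0",
    "wiki-d.example.internal": "16.5.0-rc-1",
    "wiki-e.example.internal": "14.10.21",
    "wiki-f.example.internal": "17.0.0",
    "wiki-g.example.internal": "unknown",
}

if __name__ == "__main__":
    needs_upgrade, patched, unknown = triage(SAMPLE_INVENTORY)
    print("needs upgrade:", needs_upgrade)
    print("patched:      ", patched)
    print("unknown:      ", unknown)
```

Feed it whatever your scanner or CMDB reports as the XWiki version; anything it cannot parse lands in the unknown bucket rather than silently passing, which is the safer failure mode for a vulnerability that is being mass-exploited.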

Business-Oriented Takeaways:

  • Patch Management Policy: Review and reinforce patch management policies to ensure timely patching of critical vulnerabilities.
  • Incident Response Plan: Update incident response plans to include specific procedures for addressing XWiki-related security incidents.
  • Security Awareness Training: Educate employees about the risks of unpatched software and the importance of reporting suspicious activity.
  • Cybersecurity Insurance: Ensure adequate cybersecurity insurance coverage to mitigate potential financial losses from a successful attack.
  • Vendor Risk Management: Evaluate the security practices of third-party vendors, including those providing XWiki hosting or support services.
  • Supply-Chain Risk Monitoring: Gain a comprehensive understanding of potential vulnerabilities within your supply chain.
  • Breach Detection: Deploy robust breach detection mechanisms to quickly identify and respond to security incidents.
  • Dark Web Monitoring: Enhance your security posture by monitoring the dark web for potential threats and data leaks related to your organization.
  • Telegram Threat Monitoring: Stay informed about emerging threats and vulnerabilities discussed on Telegram channels relevant to cybersecurity.

Cybersecurity and Your Business

The exploitation of CVE-2025-24893 by the RondoDox botnet and other malicious actors highlights the ongoing challenges organizations face in maintaining a strong security posture. Timely patching, continuous monitoring, and proactive threat intelligence are essential for mitigating these risks. The growing sophistication of cyber threats underscores the need for a multi-layered approach to cybersecurity that combines technology, processes, and people.

PurpleOps Expertise

PurpleOps provides comprehensive cybersecurity solutions to help organizations defend against threats like the RondoDox botnet and vulnerabilities like CVE-2025-24893. Our services include:

  • Cyber Threat Intelligence Platform: Access real-time, actionable intelligence to stay ahead of emerging threats. Our cyber threat intelligence platform aggregates data from various sources, including underground forum intelligence, to provide early warnings of potential attacks.
  • Vulnerability Management: Identify and prioritize vulnerabilities in your systems and applications with our comprehensive vulnerability management services.
  • Managed Detection and Response (MDR): Our MDR service provides 24/7 monitoring and response to security incidents, ensuring rapid containment and remediation.
  • Real-Time Ransomware Intelligence: Receive real-time ransomware intelligence to reduce the risk of attack and safeguard systems.
  • Live Ransomware API: Integrate our live ransomware API into your existing security infrastructure for automated threat detection and response.
  • Brand Leak Alerting: Implement brand leak alerting to detect and mitigate potential reputational damage from compromised data.


To learn more about how PurpleOps can help protect your organization from cyber threats, explore our platform or contact us about PurpleOps Solutions. We offer services such as red team operations, supply chain information security and ransomware protection, dark web monitoring, and cyber threat intelligence.

FAQ

Question: What is CVE-2025-24893?

Answer: CVE-2025-24893 is a critical vulnerability in unpatched XWiki servers that allows remote code execution.

Question: Which XWiki versions address CVE-2025-24893?

Answer: Versions 15.10.11, 16.4.1, and 16.5.0RC1 and later address the vulnerability.

Question: What is the RondoDox botnet?

Answer: The RondoDox botnet is a network of compromised devices used to conduct DDoS attacks.