RondoDox Exploits Unpatched XWiki Servers to Pull More Devices Into Its Botnet
Estimated reading time: 8 minutes
Key takeaways:
- The RondoDox botnet is exploiting CVE-2025-24893 in unpatched XWiki instances.
- This vulnerability allows for arbitrary code execution and botnet integration.
- Organizations should patch their XWiki servers immediately and implement intrusion detection systems.
Table of Contents:
- RondoDox Exploits Unpatched XWiki Servers: A Deep Dive
- Technical Details of CVE-2025-24893
- Timeline of Exploitation
- RondoDox Botnet Capabilities
- Other Observed Attack Vectors
- Implications for Organizations
- Practical Takeaways
- PurpleOps and Vulnerability Management
- Additional Security Measures
- FAQ
RondoDox Exploits Unpatched XWiki Servers: A Deep Dive
The RondoDox botnet is actively leveraging CVE-2025-24893, a critical security flaw affecting unpatched XWiki servers. This vulnerability, which carries a CVSS score of 9.8, allows unauthorized remote code execution. The botnet uses this exploit to incorporate susceptible devices into its network, subsequently leveraging them for distributed denial-of-service (DDoS) attacks.
Technical Details of CVE-2025-24893
CVE-2025-24893 is an eval injection vulnerability found in the “/bin/get/Main/SolrSearch” endpoint of XWiki. This flaw allows any guest user to execute arbitrary code remotely. The vulnerability was addressed by XWiki maintainers in versions 15.10.11, 16.4.1, and 16.5.0RC1, released in late February 2025.
Timeline of Exploitation
Exploitation of CVE-2025-24893 has been observed in several stages:
- Initial Exploitation: Evidence suggests the vulnerability was exploited in the wild starting in March 2025.
- Public Disclosure: In late October 2025, VulnCheck disclosed that it had observed active attempts to weaponize the vulnerability. These attempts were part of a two-stage attack chain used to deploy a cryptocurrency miner.
- CISA Intervention: Following the disclosure, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-24893 to its Known Exploited Vulnerabilities (KEV) catalog, mandating federal agencies to apply mitigations by November 20.
- Increased Activity: VulnCheck reported a significant increase in exploitation attempts, peaking on November 7 and again on November 11. This surge indicates widespread scanning activity, suggesting multiple threat actors are now actively exploiting the flaw.
- RondoDox Integration: The first recorded RondoDox exploit using this vulnerability occurred on November 3, 2025.
RondoDox Botnet Capabilities
The RondoDox botnet is designed to conduct DDoS attacks using HTTP, UDP, and TCP protocols. By exploiting CVE-2025-24893, RondoDox expands its network of compromised devices, increasing its capacity to launch and sustain these attacks.
Other Observed Attack Vectors
In addition to RondoDox activity, exploitation attempts have also been observed delivering cryptocurrency miners, establishing reverse shells, and general probing activity using a Nuclei template specifically designed for CVE-2025-24893.
Implications for Organizations
The widespread exploitation of CVE-2025-24893 underscores the critical importance of timely patch management. The rapid adoption of this exploit by multiple threat actors highlights the speed at which vulnerabilities can be weaponized and the potential for significant damage.
Practical Takeaways
Technical Readers:
- Immediate Patching: Ensure all XWiki instances are updated to versions 15.10.11, 16.4.1, or 16.5.0RC1 to address CVE-2025-24893.
- Intrusion Detection: Implement intrusion detection systems (IDS) to monitor for exploitation attempts targeting the “/bin/get/Main/SolrSearch” endpoint.
- Vulnerability Scanning: Conduct regular vulnerability scans to identify and remediate unpatched systems. Consider using a cyber threat intelligence platform to stay informed about emerging threats and vulnerabilities.
- Breach detection: Monitor for unusual network activity that might indicate a compromise, such as unauthorized outbound connections.
Non-Technical Readers:
- Patch Management Policies: Establish and enforce robust patch management policies to ensure systems are updated promptly.
- Security Awareness Training: Educate employees about the importance of keeping software up-to-date and the risks associated with unpatched systems.
- Incident Response Plan: Develop and maintain an incident response plan to effectively address security incidents. This should include procedures for identifying, containing, and recovering from a compromise.
- Risk Assessment: Conduct regular risk assessments to identify vulnerabilities and prioritize remediation efforts.
PurpleOps and Vulnerability Management
PurpleOps specializes in providing comprehensive cybersecurity solutions, including vulnerability management and supply-chain risk monitoring. Our services can help organizations proactively identify and address vulnerabilities like CVE-2025-24893, reducing the risk of exploitation. By utilizing a real-time ransomware intelligence feed, PurpleOps helps clients stay ahead of emerging threats and implement necessary mitigations. Our dark web monitoring service can also help identify potential threats and leaked credentials that could be used to exploit vulnerabilities.
In the context of this specific threat, PurpleOps can assist organizations in:
- Identifying vulnerable XWiki instances within their environment.
- Prioritizing remediation efforts based on the severity of the vulnerability and the potential impact on the organization.
- Monitoring for exploitation attempts and providing incident response support.
- Providing underground forum intelligence to understand the tactics and techniques used by threat actors exploiting this vulnerability.
PurpleOps also offers brand leak alerting, which can notify organizations if sensitive information related to the XWiki vulnerability is being discussed or traded on the dark web.
Additional Security Measures
To enhance security posture, organizations should consider implementing the following measures:
- Network Segmentation: Segment the network to limit the potential impact of a successful attack.
- Access Controls: Enforce strict access controls to restrict unauthorized access to sensitive systems and data.
- Web Application Firewall (WAF): Deploy a WAF to protect against web-based attacks, including those targeting the XWiki vulnerability.
- Telegram threat monitoring: Use tools and services that monitor Telegram channels and other social media platforms for discussions of exploits and vulnerabilities.
- Live ransomware API: Integrate a live ransomware API into security systems to identify and block ransomware attacks.
By taking a proactive approach to security and implementing these measures, organizations can significantly reduce their risk of falling victim to attacks exploiting vulnerabilities like CVE-2025-24893.
Contact PurpleOps today to learn more about our vulnerability management services and how we can help you protect your organization from emerging threats. Visit our PurpleOps Solutions for more information on our services such as, and red team operations.
FAQ
Q: What is CVE-2025-24893?
A: CVE-2025-24893 is a critical vulnerability in unpatched XWiki instances that allows for arbitrary code execution.
Q: Which XWiki versions are affected?
A: XWiki versions prior to 15.10.11, 16.4.1, and 16.5.0RC1 are affected.
Q: How can I protect my XWiki server?
A: Update your XWiki instance to the latest version and implement intrusion detection systems.
Q: What is the RondoDox botnet?
A: The RondoDox botnet is a network of compromised devices used to conduct DDoS attacks.