Critical XWiki Vulnerability Exploited for Cryptocurrency Mining Attacks

Security researchers have confirmed that a critical vulnerability in the popular enterprise wiki platform XWiki is currently being exploited in the wild as part of sophisticated cryptocurrency mining operations. The flaw, tracked as CVE-2025-24893, allows unauthenticated remote code execution, enabling attackers to deploy malware without any prior access or credentials.

XWiki is a widely used open-source enterprise wiki software offering runtime services and collaboration features for organizations. The discovered vulnerability relates specifically to the SolrSearch macro component, which improperly handles Groovy expressions in search queries, allowing attackers to inject and execute arbitrary code remotely.

Details of the Vulnerability

The vulnerability, rated critical with a CVSS score of 9.8, poses a severe threat because it requires no authentication and can be leveraged remotely via internet-facing instances of XWiki. Attackers exploit this remote code execution flaw by sending specially crafted URL-encoded parameters to XWiki’s SolrSearch endpoint, resulting in the execution of arbitrary Groovy code on the target server.

Analysis of active exploitation campaigns, led by cybersecurity firm VulnCheck, uncovered a sophisticated two-stage attack mechanism used by threat actors believed to be based in Vietnam. Initially, a small downloader script is fetched from a malicious command-and-control server and saved on the compromised system. After a delay, the attackers trigger this downloader to deploy cryptocurrency mining malware designed to stealthily use the victim’s system resources to mine digital currencies.

Impact and Risks

The unauthorized execution of arbitrary code through this vulnerability means attackers can compromise the entire XWiki installation, extract sensitive data, escalate privileges, or use the server to conduct illegal activities such as cryptojacking. This puts organizations running unpatched XWiki versions at high risk of system takeover and prolonged operational disruption.

Versions Affected and Patching

All versions of XWiki before 15.10.11, 16.4.1, and 16.5.0RC1 are vulnerable. The XWiki development team has released security patches in these versions to mitigate this issue, and administrators are strongly advised to update their systems promptly to prevent exploitation.

Additional Vulnerabilities

Separate but related critical vulnerabilities have also been identified within XWiki, including CVE-2025-32974, which affects XWiki’s rights analysis system and can lead to script execution upon page editing by privileged users. Although this vulnerability requires some level of access, it further emphasizes the importance of comprehensive patching and securing wiki installations to prevent any malicious misuse.

Recommendations for Organizations

• Immediate Patch Application: Update XWiki instances to the latest patched versions released by the vendor.
• Network Exposure Review: Limit public exposure of XWiki installations, especially the SolrSearch endpoint, using firewalls or VPNs.
• Monitoring and Detection: Employ advanced threat detection tools to monitor for unusual inbound requests or indicators of compromise linked to cryptojacking activities.
• Incident Response Preparedness: Develop and rehearse incident response plans for rapid mitigation if exploitation is detected.

With the rising trend of threat actors weaponizing software vulnerabilities for cryptocurrency mining, organizations must remain vigilant and proactive in securing all their critical infrastructure, including collaboration platforms such as XWiki.

Security teams can track the ongoing developments and exploit patterns related to this vulnerability through cybersecurity news outlets and official advisories from XWiki and related security research groups.