# XWiki CVE-2025-24893 RCE Exploit

A powerful Go-based exploit for CVE-2025-24893, targeting the critical Remote Code Execution vulnerability in XWiki Platform.

## 🚨 Vulnerability Details

- **CVE ID:** CVE-2025-24893
- **CVSS Score:** 9.8 (Critical)
- **Affected Versions:** XWiki up to 15.10.10
- **Impact:** Remote Code Execution as guest user
- **Vector:** SolrSearch endpoint exploitation

## 🛠️ Features

- **Multi-Protocol Support** - Automatic HTTP/HTTPS detection
- **XWiki Detection** - Smart target validation
- **Three Operation Modes:**
  - Quick Test (`/etc/passwd` dump)
  - Custom Command Execution
  - Interactive Shell Mode
- **Advanced Error Handling** - Retry mechanism with detailed feedback
- **Colorized Output** - Professional terminal interface
- **TLS Bypass** - Works with self-signed certificates

## 📋 Requirements

- Go 1.19 or higher
- Network connectivity to target
- Target running vulnerable XWiki version

## 🚀 Installation & Usage

### Build
```bash
git clone https://github.com/ibrahimsql/cve-2025-24893.git
cd cve-2025-24893
go build -o xwiki-exploit CVE-2025-24893.go
```

### Run
```bash
./xwiki-exploit
```

### Example Usage
```
[?] Enter target URL (without protocol): vulnerable-xwiki.com
[?] Select mode:
  1) Quick test (cat /etc/passwd)
  2) Custom command  
  3) Interactive shell
[?] Choice: 1
```

## 🎯 Exploit Modes

### 1. Quick Test
Performs rapid `/etc/passwd` extraction to verify RCE capability.

### 2. Custom Command
Execute single commands like:
- `whoami`
- `id`
- `uname -a`
- `ls -la /`

### 3. Interactive Shell
Persistent shell access for advanced operations:
```
┌─[xwiki-exploit]
└─$ whoami
root
┌─[xwiki-exploit]
└─$ pwd
/opt/xwiki
```

## ⚖️ Legal Disclaimer

**FOR EDUCATIONAL AND ETHICAL HACKING PURPOSES ONLY**

This tool is designed for:
- ✅ Authorized penetration testing
- ✅ Security research on owned systems
- ✅ Vulnerability assessment with permission
- ✅ Educational cybersecurity training

**DO NOT USE FOR:**
- โŒ Unauthorized system access
- โŒ Malicious activities
- โŒ Systems you don't own or have permission to test

Users are solely responsible for compliance with applicable laws and regulations.

## Mitigation

- Update XWiki to version 15.10.11, 16.4.1, or 16.5.0RC1+
- Implement network segmentation
- Monitor SolrSearch endpoint access
- Apply input validation patches
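As an added check for the first item above (example Go code written for this page, not part of this tool or of XWiki): given the version string a deployment reports, decide whether it already carries the fix listed in the advisory. The version grammar (`major.minor.patch` with an optional `RCn` suffix) and the treatment of releases before 15.x as unpatched are assumptions, not advisory text.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

// Version is an XWiki release such as "15.10.10" or "16.5.0RC1"; RC is 0 for a final release.
type Version struct{ Major, Minor, Patch, RC int }
// Assumed version grammar: major.minor.patch with an optional RCn suffix.
var verRe = regexp.MustCompile(`^(\d+)\.(\d+)\.(\d+)(?:RC(\d+))?$`)

// ParseVersion turns a version string into a comparable Version.
func ParseVersion(s string) (Version, error) {
	m := verRe.FindStringSubmatch(s)
	if m == nil {
		return Version{}, fmt.Errorf("unrecognised XWiki version %q", s)
	}
	atoi := func(x string) int { n, _ := strconv.Atoi(x); return n } // "" -> 0 (final release)
	return Version{atoi(m[1]), atoi(m[2]), atoi(m[3]), atoi(m[4])}, nil
}

// rank maps a version to one integer ordered by major, minor, patch, then RCn before the final.
func (v Version) rank() int64 {
	rc := 999 // a final release outranks every RC of the same x.y.z
	if v.RC != 0 {
		rc = v.RC
	}
	return ((int64(v.Major)*1000+int64(v.Minor))*1000+int64(v.Patch))*1000 + int64(rc)
}

// IsPatched applies the advisory's fix matrix: 15.x fixed from 15.10.11, 16.0-16.4 from 16.4.1,
// 16.5.0RC1 and later fixed; older branches rank below every fix and count as unpatched (assumed).
func IsPatched(v Version) bool {
	switch {
	case v.Major == 15:
		return v.rank() >= (Version{15, 10, 11, 0}).rank()
	case v.Major == 16 && v.Minor <= 4:
		return v.rank() >= (Version{16, 4, 1, 0}).rank()
	}
	return v.rank() >= (Version{16, 5, 0, 1}).rank()
}

func main() {
	for _, s := range []string{"15.10.10", "15.10.11", "16.4.0", "16.5.0RC1", "17.0.0"} { // constructed
		v, _ := ParseVersion(s) // every sample string above is well formed
		fmt.Printf("%-10s patched=%v\n", s, IsPatched(v))
	}
}
```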

## 📚 References

- [CVE-2025-24893 Details](https://nvd.nist.gov/vuln/detail/CVE-2025-24893)
- [XWiki Security Advisory](https://github.com/advisories/GHSA-rr6p-3pfg-562j)
- [Original Research](https://www.exploit-db.com/exploits/52136)

## 👨‍💻 Author

**@ibrahimsql**

---

โš ๏ธ **Remember: With great power comes great responsibility. Use this tool ethically.**
```