The Cybersecurity and Infrastructure Security Agency (CISA) has formally added CVE-2025-24893 to its Known Exploited Vulnerabilities catalog, drawing urgent attention to a critical eval injection flaw affecting XWiki Platform.
This vulnerability permits any guest user to execute arbitrary remote code without requiring authentication, posing an acute security risk to organizations deploying this widely used open-source wiki platform across their infrastructure.
Critical Vulnerability Analysis
The vulnerability stems from improper handling of eval functions within the XWiki Platform’s SolrSearch component, classified under CWE-95 for the improper neutralization of directives in dynamically evaluated code.
Unauthenticated attackers can craft specially engineered requests to inject malicious code, bypassing established security controls and gaining complete command execution capabilities on affected systems.
What distinguishes this vulnerability as particularly hazardous is its accessibility to guest users, individuals who typically obtain public access to wiki content without undergoing authentication protocols.
Organizations leveraging guest access for collaboration or information sharing create an exploitable trust model that attackers can weaponize through carefully constructed requests.
Once code execution is achieved, threat actors inherit the same privileges as the web server process, enabling them to exfiltrate sensitive organizational data, deploy malware payloads, or establish persistent network footholds for lateral movement attacks.
This escalation path represents a severe compromise of system integrity and data confidentiality.
CISA has established November 20, 2025, as the critical remediation deadline for organizations operating affected XWiki Platform instances.
The agency mandates immediate implementation of vendor-supplied security patches released by the XWiki development team and emphasizes that organizations managing cloud-based deployments must comply with requirements established in Binding Operational Directive (BOD) 22-01 for vulnerability management in cloud services.
For organizations facing operational or compatibility constraints preventing immediate patching, CISA advises discontinuing XWiki Platform usage entirely until comprehensive remediation becomes feasible, an unusually aggressive stance reflecting the vulnerability’s critical nature.
While CISA has not documented active exploitation within ransomware campaigns, the vulnerability’s severity and low exploitation barriers suggest threat actors will rapidly develop and deploy exploit code against unpatched systems.
Advanced adversaries routinely monitor CISA advisories for newly disclosed vulnerabilities to expand their attack surface and target organizations with delayed patching cycles.
Security teams should immediately inventory all XWiki Platform deployments spanning development, testing, and production environments and establish patch testing procedures before enterprise-wide rollout.
Implementing network segmentation to restrict lateral movement capabilities and contacting XWiki support for patch availability information represents an essential defensive strategy during this critical vulnerability window.
| Field | Details |
|---|---|
| CVE ID | CVE-2025-24893 |
| Affected Product | XWiki Platform |
| Vulnerability Type | Eval Injection (CWE-95) |
| CVSS Score | 9.8 (Critical) |
| Attack Vector | Network |
| Authentication Required | None |
| Attack Complexity | Low |
| Affected Component | SolrSearch |
| Remediation Deadline | November 20, 2025 |
Cyber Awareness Month Offer: Upskill With 100+ Premium Cybersecurity Courses From EHA's Diamond Membership: Join Today
%20(1).webp?resize=1600,900&ssl=1&description=This vulnerability permits any guest user to execute arbitrary remote code without requiring authentication, posing an acute security risk){kind=link}