CVE Alert: CVE-2025-24893 – xwiki – xwiki-platform
CVE-2025-24893
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any guest can perform arbitrary remote code execution through a request to `SolrSearch`. This impacts the confidentiality, integrity and availability of the whole XWiki installation. To reproduce on an instance, without being logged in, go to `<host>/xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28"Hello%20from"%20%2B%20"%20search%20text%3A"%20%2B%20%2823%20%2B%2019%29%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D%20`. If there is an output, and the title of the RSS feed contains `Hello from search text:42`, then the instance is vulnerable. This vulnerability has been patched in XWiki 15.10.11, 16.4.1 and 16.5.0RC1. Users are advised to upgrade. Users unable to upgrade may edit `Main.SolrSearchMacros` in `SolrSearchMacros.xml` on line 955 to match the `rawResponse` macro in `macros.vm#L2824` with a content type of `application/xml`, instead of simply outputting the content of the feed.
AI Summary Analysis
Risk verdict
Critical remote code execution on XWiki Platform via SolrSearchMacros; exploitation state is active and warrants urgent attention.
Why this matters
An internet-facing instance can be fully compromised with no authentication or user interaction required, enabling full disclosure, modification or destruction of data and potential full site take-down. Given automated exploitability, attackers can quickly weaponise this against exposed deployments, potentially scaling to broader network impact.
Most likely attack path
A remote attacker sends an unauthenticated request to the `Main/SolrSearch` endpoint (served via `/xwiki/bin/get/`) whose `text` parameter carries XWiki macro syntax; in the published proof of concept this is a `{{groovy}}` script macro, which the vulnerable `SolrSearchMacros` page renders and executes. With network access and no privileges required, the attacker gains code execution in the XWiki process, threatening confidentiality, integrity and availability. Lateral movement would depend on the server’s privileges and any exposed services or data reachable from the host.
Who is most exposed
Public-facing XWiki instances and internal portals with the `SolrSearch` page reachable are at highest risk, particularly those running affected versions (before 15.10.11, 16.4.1 or 16.5.0RC1) and deployed in internet-accessible or poorly segmented environments.
Detection ideas
- Unusual GET/POST requests to `/xwiki/bin/get/Main/SolrSearch`, especially with `media=rss` and a `text` parameter that is not plain search text.
- Requests containing Groovy-related syntax or signs of dynamic code evaluation in query parameters.
- Feed output showing unexpected titles or content (e.g., “Hello from search text” patterns).
- Changes or access to SolrSearchMacros.xml, especially around line 955.
- Logs showing groovy or println patterns in request handling.
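The following is an added detection example, not code from the advisory or from the XWiki project. It scans constructed web-server access-log lines for the second and fourth ideas above: it URL-decodes the `text` parameter of `SolrSearch` requests and flags XWiki macro syntax that should never appear in a search string. The log format and the sample lines are assumptions; the flagged request is modelled on the proof-of-concept URL quoted in the advisory.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Indicators of macro injection in a search string. A legitimate search
# term has no reason to close an enclosing macro ("}}}") or to open the
# async or a script macro ({{groovy}}, {{velocity}}, ...).
INDICATORS = {
    "macro_break_out": re.compile(r"\}\}\}"),
    "async_macro": re.compile(r"\{\{\s*async\b", re.I),
    "script_macro": re.compile(r"\{\{\s*(groovy|velocity|python|script)\b", re.I),
}

# Request line of a common/combined access-log entry (assumed format).
LOG_LINE = re.compile(r'"(?P<method>GET|POST) (?P<target>\S+) HTTP/[\d.]+"')

def inspect_request(target: str) -> list:
    """Return sorted indicator names found in the `text` parameter of a
    SolrSearch request target; [] for other paths or clean searches."""
    url = urlsplit(target)
    if not url.path.endswith("/bin/get/Main/SolrSearch"):
        return []
    params = parse_qs(url.query, keep_blank_values=True)
    hits = set()
    for value in params.get("text", []):
        decoded = unquote(value)  # parse_qs decoded once; catch double encoding
        for name, pattern in INDICATORS.items():
            if pattern.search(decoded):
                hits.add(name)
    return sorted(hits)

def scan_access_log(lines) -> list:
    """Return (method, target, indicators) for every suspicious request."""
    alerts = []
    for line in lines:
        match = LOG_LINE.search(line)
        if match:
            hits = inspect_request(match.group("target"))
            if hits:
                alerts.append((match.group("method"), match.group("target"), hits))
    return alerts

# Constructed sample log: one benign search, one macro-injection attempt.
SAMPLE_LOG = [
    '198.51.100.4 - - [10/Feb/2025:09:13:55 +0000] "GET /xwiki/bin/get/Main/SolrSearch'
    '?media=rss&text=release%20notes HTTP/1.1" 200 2210',
    '203.0.113.7 - - [10/Feb/2025:09:14:02 +0000] "GET /xwiki/bin/get/Main/SolrSearch'
    '?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7D'
    'println%28%22hi%22%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D HTTP/1.1" 200 1423',
]

if __name__ == "__main__":
    for method, target, hits in scan_access_log(SAMPLE_LOG):
        print(f"ALERT {method} {target} -> {', '.join(hits)}")
```

Run it over real access logs by replacing `SAMPLE_LOG` with the file's lines; the path check keeps it scoped to the endpoint named in the advisory, so widen it if your deployment serves XWiki under a different prefix.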
Mitigation and prioritisation
- Patch immediately to patched releases (15.10.11, 16.4.1, 16.5.0RC1).
- If patching isn’t possible, apply the workaround from the advisory: edit `Main.SolrSearchMacros` (`SolrSearchMacros.xml`, line 955) so the feed is returned through the `rawResponse` macro with content type `application/xml` instead of being rendered as wiki content.
- Restrict network access to SolrSearch endpoints; implement WAF rules to block suspicious payloads.
- Perform inventory to identify exposed instances; schedule a change window for upgrades; verify backups and recovery procedures.
- Reassess prioritisation once KEV/EPSS indicators are confirmed; treat as high-risk given active exploitation indicators.