Have you ever thought about how a simple bug on your server can allow hackers to take control of everything? That thought struck me when I read that the RondoDox botnet is exploiting a major XWiki security flaw. I have been a server operator for a number of years, and this is the kind of flaw that forces you to fix the problem immediately.
What Is The XWiki Flaw and How Do Hackers Use It?
The bug is a major security flaw tracked as CVE-2025-24893, and it allows attackers to run code on your server without logging in. Here is how they do it:
- They scan the Internet for exposed XWiki servers.
- They issue a GET request to /bin/get/Main/SolrSearch.
- The request carries base64-encoded Groovy code that runs a shell script.
- The script then downloads the RondoDox malware.
- Then your server becomes part of a botnet to mine cryptocoins, launch DDoS attacks, or spread to additional machines.
Why This Vulnerability Is Severe
Some bugs get rated lower than they deserve, but this one has a CVSS score of 9.8. So, this is about as serious as it gets! Here’s why you should stop putting this off:
- Hackers don’t need a password to exploit this bug.
- Public exploit code is now available.
- Attackers, including the RondoDox botnet, have already targeted this bug.
What To Do Next
Here’s an easy checklist for you to follow:
- Verify your version of XWiki. You need version 15.10.11 or 16.4.1 or later.
- Update as soon as possible; delay no further!
- Monitor your logs for strange requests hitting /bin/get/Main/SolrSearch.
- Watch for any unknown running processes or crypto mining tools, and remove them from your systems.
- Block known bad IPs and domains associated with the RondoDox botnet in your firewall.
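To make the two technical items on this checklist concrete (checking your XWiki version against the fixed releases the post names, and monitoring logs for strange requests to /bin/get/Main/SolrSearch), here is an added Python example. It is not code from the post or from the XWiki project. It assumes your web server writes Apache/nginx combined-format access logs, the sample log lines are constructed (the base64-looking token is a placeholder, not a real payload), and the "suspicious" heuristics (the word groovy in the query, a long base64-like token, an oversized query string) are my own assumptions about what an exploit attempt would look like given the post's description.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample lines in combined log format (not real traffic).
# The third line carries a placeholder base64-looking token, not an actual payload.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Nov/2025:10:01:02 +0000] "GET /bin/view/Main/WebHome HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.11 - - [12/Nov/2025:10:01:07 +0000] "GET /bin/get/Main/SolrSearch?text=install+guide HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Nov/2025:10:02:41 +0000] "GET /bin/get/Main/SolrSearch?media=rss&text=groovy+QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU2Nzg5QUJDREVG HTTP/1.1" 200 433 "-" "curl/8.4.0"
"""

# Combined-format prefix: ip ident user [timestamp] "METHOD target PROTO" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
SOLR_PATH = "/bin/get/Main/SolrSearch"   # the endpoint named in the post
BASE64_RUN = re.compile(r'[A-Za-z0-9+/]{40,}={0,2}')   # heuristic: long base64-like token


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    parts = urlsplit(entry["target"])
    entry["path"] = parts.path
    entry["query"] = unquote(parts.query)   # decode %XX so keywords are visible
    return entry


def classify(entry):
    """Return 'ignore', 'benign', or 'suspicious:<reasons>' for a parsed entry."""
    if entry["path"] != SOLR_PATH:
        return "ignore"
    query = entry["query"]
    reasons = []
    # Heuristics (assumptions): normal search queries are short plain text.
    if "groovy" in query.lower():
        reasons.append("groovy keyword")
    if BASE64_RUN.search(query):
        reasons.append("long base64-like token")
    if len(query) > 200:
        reasons.append("oversized query string")
    return "suspicious:" + ",".join(reasons) if reasons else "benign"


def scan_log(text):
    """Return (ip, timestamp, verdict) for every suspicious SolrSearch request."""
    hits = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        verdict = classify(entry)
        if verdict.startswith("suspicious"):
            hits.append((entry["ip"], entry["ts"], verdict))
    return hits


# Fixed releases as stated in the post: 15.10.11 (15.x line) and 16.4.1 (16.x line).
FIX_15 = (15, 10, 11)
FIX_16 = (16, 4, 1)


def parse_version(version):
    """'16.4.1' or '15.10.11-rc-1' -> (16, 4, 1). Pre-release suffixes are dropped
    (assumption: treat a pre-release of a fixed version like the release itself)."""
    core = version.split("-")[0]
    nums = tuple(int(x) for x in core.split("."))
    return nums + (0,) * (3 - len(nums))


def is_patched(version):
    """True if the version is 15.10.11+ on the 15.x line or 16.4.1+ otherwise."""
    v = parse_version(version)
    if v[0] < 15:
        return False            # assumption: no fix shipped for older major lines
    if v[0] == 15:
        return v >= FIX_15
    return v >= FIX_16


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("ALERT", *hit)
    for ver in ("15.10.10", "15.10.11", "16.4.0", "16.4.1", "16.5.0"):
        print(ver, "patched" if is_patched(ver) else "VULNERABLE")
```

Run it against your real access log (for example `scan_log(open("/var/log/nginx/access.log").read())`) and feed `is_patched()` the version shown in your XWiki instance. Any hit is a reason to check the host for unknown processes and to confirm the upgrade went through, since a benign search request to the same endpoint is short plain text and should classify as "benign".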