XWiki Remote Code Execution Flaw Actively Weaponized for Coinmining


A critical security vulnerability in XWiki collaboration software is being actively exploited by threat actors to deploy cryptocurrency mining malware on vulnerable systems.

The flaw, tracked as CVE-2025-24893, represents a serious threat to organizations running unpatched XWiki installations.

Cybersecurity researchers at VulnCheck have captured concrete evidence of active exploitation through their canary network.

| CVE Details | Information |
| --- | --- |
| CVE ID | CVE-2025-24893 |
| Vulnerability Type | Unauthenticated Remote Template Injection |
| Affected Product | XWiki |
| Severity | Critical |

The attacks originate from Vietnam-based threat actors who employ a sophisticated two-stage attack methodology.

The initial exploitation occurs through XWiki’s SolrSearch endpoint, where attackers inject malicious code via a template injection vulnerability that requires no authentication.

The attack begins when hackers send a crafted request to the vulnerable endpoint, using URL-encoded parameters to execute remote commands.

The first stage downloads a small bash script from a command-and-control server located at IP address 193.32.208.24, which hosts malicious ...
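A defender-side triage of web access logs for the request pattern described above, as an added example that is not code from the article or from VulnCheck. It assumes combined-format access logs and that injected template code decodes to XWiki `{{...}}` macro delimiters; the `triage` helper and the sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Indicator quoted in the article: host serving the first-stage script.
C2_IP = re.compile(r"(?<![\d.])193\.32\.208\.24(?![\d.])")
# Assumption: injected template code decodes to XWiki macro delimiters {{...}}.
MACRO = re.compile(r"\{\{.*?\}\}", re.S)
# Assumption: combined log format, request field is "METHOD target HTTP/x.y".
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(value, rounds=3):
    """Undo up to `rounds` layers of URL encoding (payloads may be double-encoded)."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def triage(line):
    """Return the reasons a single access-log line deserves review."""
    reasons = []
    m = REQUEST.search(line)
    if m:
        parts = urlsplit(m.group(1))
        if "solrsearch" in parts.path.lower() and MACRO.search(fully_decode(parts.query)):
            reasons.append("macro syntax in SolrSearch query")
    if C2_IP.search(fully_decode(line)):
        reasons.append("C2 address from article")
    return reasons

# Constructed sample lines, not captured traffic; payload bodies are elided.
SAMPLE = [
    '198.51.100.7 - - [01/Jan/2025:10:00:00 +0000] "GET /xwiki/bin/view/Main/SolrSearch?text=meeting+notes HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jan/2025:10:00:05 +0000] "GET /xwiki/bin/get/Main/SolrSearch?text=%7B%7Bexample%7D%7DELIDED%7B%7B%2Fexample%7D%7D HTTP/1.1" 200 812',
    '203.0.113.9 - - [01/Jan/2025:10:00:09 +0000] "GET /xwiki/bin/get/Main/SolrSearch?text=%257B%257Bexample%257D%257Dhttp%253A%252F%252F193.32.208.24%252FELIDED%257B%257B%252Fexample%257D%257D HTTP/1.1" 200 640',
    '198.51.100.7 - - [01/Jan/2025:10:01:00 +0000] "GET /xwiki/bin/view/Sandbox/WebHome?text=%7B%7Bexample%7D%7D HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for n, line in enumerate(SAMPLE, 1):
        for reason in triage(line):
            print(f"line {n}: {reason}")
```

Hits are leads for review rather than proof of compromise: legitimate searches can contain macro syntax, so correlate them with outbound connections from the XWiki host.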


Copyright of this story solely belongs to gbhackers.