CVE-2025-24893 — XWiki Platform Eval Injection Vulnerability

CVE-2025-24893

XWiki Platform — Pre-Auth Groovy Eval Injection via SolrSearch Enabling RCE on Any XWiki Instance

What is XWiki?

XWiki is an open-source enterprise wiki and knowledge management platform used by organizations to create wikis, intranets, project documentation, and collaborative knowledge bases. It uses Groovy as a server-side scripting language for page macros and extensions. Because wiki pages can contain dynamic Groovy code (executed server-side with configurable permissions), the boundary between content and code execution is a persistent security challenge in XWiki. XWiki is deployed by enterprises, universities, and government agencies as internal knowledge repositories.

Overview

CVE-2025-24893 is a critical eval injection vulnerability (CWE-95, CVSS 9.8) in XWiki Platform's SolrSearch functionality. An unauthenticated remote attacker can send a crafted HTTP request to the SolrSearch endpoint containing a Groovy expression. XWiki evaluates the expression with elevated permissions in the Groovy execution engine, achieving arbitrary remote code execution on the server. The vulnerability exists in any XWiki instance with SolrSearch enabled — which is the default. CISA added CVE-2025-24893 to the KEV catalog in October 2025, approximately 8 months after the patch, confirming exploitation of long-tail unpatched instances.

Affected Versions

Product           Vulnerable                     Fixed
XWiki Platform    Prior to 15.10.9               15.10.9
XWiki Platform    Prior to 16.3.0 (16.x line)    16.3.0

Technical Details

The vulnerability (CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code) is in XWiki's Solr-based full-text search implementation. When a search request is made to the SolrSearch endpoint, XWiki constructs a search query that may incorporate user-supplied input. This input is evaluated through XWiki's Velocity/Groovy rendering engine without adequate context isolation or permission checks. An attacker crafts a search request containing a malicious Groovy expression that executes within the privileged Groovy scripting context, achieving RCE as the XWiki application server user.

The attack requires no authentication — a guest user (unauthenticated) can trigger the evaluation. The CVSS Scope:Unchanged (S:U) reflects that the code execution is within the XWiki application process, though this process typically has broad filesystem and network access.

Discovery

Reported through XWiki's GitHub security advisory process; no individual external researcher is credited publicly. The vulnerability was discovered during security auditing of the SolrSearch functionality.

Exploitation Context

CISA added CVE-2025-24893 to the KEV catalog on 30 October 2025 — approximately 8 months after the February 2025 patch — confirming active exploitation of unpatched XWiki instances in the wild. The long gap between patch and KEV addition is consistent with the pattern seen in other open-source CMS/wiki products where update cadences vary widely across self-hosted deployments. No specific named threat actor has been publicly attributed.

Remediation

  1. Upgrade XWiki to 15.10.9+ or 16.3.0+ immediately.
  2. Verify the installed version: check XWiki Administration → XWiki Version or WEB-INF/version.properties.
  3. Review server logs for anomalous requests to the SolrSearch endpoint, particularly requests with Groovy code patterns (${, <%, Java class references) in the query parameter.
  4. Audit for webshells or OS-level persistence on the XWiki server if exploitation is suspected.
  5. Restrict unauthenticated access to XWiki if the instance does not need to be publicly accessible — require authentication before allowing search functionality.
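The two checks a responder can script from steps 2 and 3 above are a version comparison against the fixed releases and a sweep of the access log for SolrSearch requests carrying the listed Groovy/template indicators. The block below is an added example written for this page, not code from XWiki or from the advisory. It assumes a combined-format access log, an endpoint path containing "SolrSearch" (the example path /xwiki/bin/get/Main/SolrSearch is an assumption), and that release lines after 16.x carry the fix; the log lines are constructed.

```python
"""Defender-side checks for CVE-2025-24893: version comparison and access-log review.
Constructed example; not XWiki project code."""
import re
from urllib.parse import urlsplit, parse_qs

# Fixed releases from the advisory's Affected Versions table.
FIXED_15 = (15, 10, 9)
FIXED_16 = (16, 3, 0)


def parse_version(text):
    """Turn '15.10.9' or '16.2.0-rc-1' into a comparable (major, minor, patch) tuple.
    A pre-release suffix after '-' is dropped; missing components count as 0."""
    core = text.strip().split("-", 1)[0]
    parts = [int(p) for p in core.split(".") if p.isdigit()]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_vulnerable(version_text):
    """True when the installed version precedes the fixed release for its line.
    Anything before 15.10.9 (including older major lines) is vulnerable.
    Assumption: lines newer than 16.x (17+) were released after the fix."""
    v = parse_version(version_text)
    if v[0] <= 15:
        return v < FIXED_15
    if v[0] == 16:
        return v < FIXED_16
    return False


# Combined log format: client, identd, user, [timestamp], "METHOD target proto", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators named in remediation step 3: template/script delimiters and Java class references.
INDICATORS = {
    "velocity-dollar-brace": re.compile(r"\$\{"),
    "script-tag": re.compile(r"<%"),
    "java-class-ref": re.compile(r"\bjava(?:x)?\.[a-z]+\.[A-Z]\w*"),
}


def suspicious_requests(log_lines, endpoint="SolrSearch"):
    """Return one finding per decoded query-parameter value on the search endpoint
    that matches at least one indicator. Percent-encoding and '+' are decoded by
    parse_qs, so encoded payloads are inspected in their decoded form."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not access-log entries
        parts = urlsplit(m["target"])
        if endpoint not in parts.path:
            continue
        params = parse_qs(parts.query, keep_blank_values=True)
        for name, values in params.items():
            for value in values:
                hits = [label for label, pat in INDICATORS.items() if pat.search(value)]
                if hits:
                    findings.append({"ip": m["ip"], "time": m["ts"],
                                     "param": name, "indicators": hits})
    return findings


# Constructed sample log: one benign search, two searches carrying indicators, one unrelated page view.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Nov/2025:10:15:01 +0000] "GET /xwiki/bin/get/Main/SolrSearch?text=quarterly+report HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Nov/2025:10:15:07 +0000] "GET /xwiki/bin/get/Main/SolrSearch?text=%24%7Bhello%7D HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Nov/2025:10:16:22 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 9000',
    '198.51.100.7 - - [01/Nov/2025:10:16:30 +0000] "GET /xwiki/bin/get/Main/SolrSearch?text=%3C%25+java.util.Date+%25%3E HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for v in ("14.10.21", "15.10.8", "15.10.9", "16.2.0", "16.3.0"):
        print(f"{v}: {'VULNERABLE' if is_vulnerable(v) else 'fixed'}")
    for f in suspicious_requests(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} param={f['param']} indicators={f['indicators']}")
```

Feed `suspicious_requests` the real access log line by line and pass the value read from WEB-INF/version.properties to `is_vulnerable`; a hit on the log sweep is a reason to proceed to step 4, not proof of compromise on its own, since `${` also appears in legitimate searches for wiki syntax.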

Key Details

Property               Value
CVE ID                 CVE-2025-24893
Vendor / Product       XWiki — Platform
NVD Published          2025-02-20
NVD Last Modified      2025-10-31
CVSS 3.1 Score         9.8
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity               CRITICAL
CWE                    CWE-95
CISA KEV Added         2025-10-30
CISA KEV Deadline      2025-11-20
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector          Network
Attack Complexity      Low
Privileges Required    None
User Interaction       None
Scope                  Unchanged
Confidentiality        High
Integrity              High
Availability           High

Required Action

CISA BOD 22-01 Deadline: 2025-11-20. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date          Event
2025-02-20    CVE published; XWiki patches released
2025-10-30    CISA adds CVE-2025-24893 to the Known Exploited Vulnerabilities catalog — confirmed exploitation of unpatched instances
2025-11-20    CISA BOD 22-01 remediation deadline