CISA Warns of XWiki Injection Flaw Enabling Remote Code Execution

The Cybersecurity and Infrastructure Security Agency (CISA) has formally added CVE-2025-24893 to its Known Exploited Vulnerabilities catalog, drawing urgent attention to a critical eval injection flaw affecting XWiki Platform.

This vulnerability permits any guest user to execute arbitrary remote code without requiring authentication, posing an acute security risk to organizations deploying this widely used open-source wiki platform across their infrastructure.

Critical Vulnerability Analysis

The vulnerability stems from improper handling of eval functions within the XWiki Platform’s SolrSearch component, classified under CWE-95 for the improper neutralization of directives in dynamically evaluated code.

Unauthenticated attackers can craft specially engineered requests to inject malicious code, bypassing the platform's security controls and gaining full command execution on affected systems.

What distinguishes this vulnerability as particularly…