A critical security vulnerability in XWiki collaboration software is being actively exploited by threat actors to deploy cryptocurrency mining malware on vulnerable systems.
The flaw, tracked as CVE-2025-24893, represents a serious threat to organizations running unpatched XWiki installations.
Cybersecurity researchers at VulnCheck have captured concrete evidence of active exploitation through their canary network.

| CVE Details | Information |
| --- | --- |
| CVE ID | CVE-2025-24893 |
| Vulnerability Type | Unauthenticated Remote Template Injection |
| Affected Product | XWiki |
| Severity | Critical |

The attacks originate from Vietnam-based threat actors who employ a sophisticated two-stage attack methodology.
The initial exploitation occurs through XWiki’s SolrSearch endpoint, where attackers inject malicious code via a template injection vulnerability that requires no authentication.
The attack begins when hackers send a crafted request to the vulnerable endpoint, using URL-encoded parameters to execute remote commands.
The first…
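
A defender-side check for the request pattern described above, added here as an example and not taken from VulnCheck or XWiki: it scans web access logs for SolrSearch requests whose URL-decoded parameters still contain XWiki macro markup, and reports whether the request was authenticated. The log lines, the `/wiki/` path, the `q` parameter and the `{{name}}` macro heuristic are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Assumption: XWiki wiki syntax invokes macros as {{name ...}}; a search
# parameter that still contains one after decoding is treated as suspicious.
MACRO = re.compile(r"\{\{\s*/?\s*[A-Za-z][\w-]*[^{}]*\}\}")
# Combined log format: client ident user [time] "METHOD target PROTO" status
REQUEST = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample lines: addresses, paths, parameter name and the
# placeholder macro are illustrative, not captured traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2025:10:00:00 +0000] "GET /wiki/SolrSearch?q=release+notes HTTP/1.1" 200 812',
    '198.51.100.7 - - [01/Jan/2025:10:00:05 +0000] "GET /wiki/SolrSearch?q=%7B%7Bexample-macro%7D%7DX%7B%7B%2Fexample-macro%7D%7D HTTP/1.1" 200 1440',
    '198.51.100.7 - - [01/Jan/2025:10:00:09 +0000] "GET /wiki/SolrSearch?q=%257B%257Bexample-macro%257D%257D HTTP/1.1" 200 1440',
    '192.0.2.10 - alice [01/Jan/2025:10:01:00 +0000] "GET /wiki/Sandbox?q=%7B%7Btoc%7D%7D HTTP/1.1" 200 300',
]

def fully_decode(value, max_rounds=3):
    """Undo repeated URL-encoding so double-encoded values are still seen."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_solrsearch(line):
    """Return a finding dict for a flagged access-log line, else None."""
    m = REQUEST.match(line)
    if not m:
        return None
    client, user, method, target, status = m.groups()
    url = urlsplit(target)
    if "solrsearch" not in fully_decode(url.path).lower():
        return None  # only the endpoint named in the report is in scope
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        hit = MACRO.search(fully_decode(value))
        if hit:
            return {"client": client, "authenticated": user != "-", "method": method,
                    "status": int(status), "param": name, "macro": hit.group(0)}
    return None

def scan(lines):
    """Collect findings for every flagged line, in log order."""
    return [f for f in map(suspicious_solrsearch, lines) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A hit with `authenticated` false and a 200 status is the combination to triage first, since the flaw requires no authentication.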