Related vulnerability
Description
CVE-2025-24893
Introduction
# 🔐 CVE-2025-24893 — XWiki Critical RCE
<img width="1046" height="586" alt="cve-2025" src="https://github.com/user-attachments/assets/14742e6c-0cd8-4c8a-8b1d-290e2c3fe46f" />
**Status:** 🚨 *Actively Exploited in the Wild*
**Type:** 🧨 Unauthenticated Remote Code Execution
**Product:** 🧩 XWiki Platform
**Risk:** 🔥 **Critical**
---
# 📝 1. Overview
* Any **guest (unauthenticated)** user can trigger unsafe Groovy evaluation inside the **SolrSearch** macro.
* This leads to **server-side code execution**, impacting the **entire platform**.
* Attackers exploit this by crafting malicious search requests that abuse template rendering.
* Used in real-world attacks to deploy malware such as **cryptominers**.
---
# 🧩 2. Technical Summary
## 🛣️ Vulnerable Component
```
SolrSearch macro → RSS rendering → unsafe evaluation of user-controlled text
```
## 🛡️ How to use it safely:
```
# 1. Detection only
sudo python3 CVE-2025-24893.py http://your-lab-xwiki:8080
# 2. One-liner
sudo python3 CVE-2025-24893.py http://target:8080 whoami
# 3. Interactive
sudo python3 CVE-2025-24893.py http://target:8080
```
---
## ⚙️ Root Cause
* ❌ Improper sanitization of user input
* ❌ Groovy code dynamically evaluated
* Leads to **CWE-94** + **CWE-95** (code generation / eval injection)
---
# 🧭 3. Affected & Fixed Versions
## ❌ Affected Versions
| 📦 XWiki Version Line | ⛔ Vulnerable Range |
| --------------------- | ------------------------- |
| 5.x → 15.x | 5.3-milestone2 → 15.10.10 |
| 16.x | 16.0.0-RC1 → 16.4.0 |
## ✅ Fixed Versions
| 🎯 Safe Version | Notes |
| --------------- | ----------------- |
| 15.10.11 | LTS fixed version |
| 16.4.1 | Stable branch fix |
| 16.5.0-RC1 | DEV branch fix |
---
# 🎯 4. Severity — CVSS Breakdown
| Metric | Value | Emoji |
| ------------------- | ------------------ | ----- |
| **Score** | **9.8 (Critical)** | 🔥 |
| Attack Vector | Network | 🌐 |
| Attack Complexity | Low | 🎯 |
| Privileges Required | None | 🚫🔑 |
| User Interaction | None | 🙅 |
| Confidentiality | High | 🔓 |
| Integrity | High | ✏️ |
| Availability | High | ❗ |
---
# 🧨 5. Exploitation (High-Level Only)
⚠️ No harmful code — just conceptual description.
### 📌 How attackers abuse it
1. Send a crafted request to the **SolrSearch** macro
2. User-controlled text is processed in an unsafe template
3. Groovy expression inside text gets executed
4. Server runs attacker-controlled instructions
5. Attacker drops malware → miners, botnet clients, scripts
### 🛑 What has been seen in the wild
* 🌐 Global scanning for vulnerable XWiki servers
* 🤖 Malware deployment (e.g., cryptominers)
* ⛓️ Multi-stage payload delivery
* 📡 Command execution via template engine
---
# 🛰️ 6. Indicators of Compromise (IOCs)
## 🔍 Suspicious Requests
* Strange parameters inside:
  * `media=rss`
  * Unusual template directives
  * Unexpected macro structures
* High volume of hits to:
  `/xwiki/bin/get/Main/SolrSearch`
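The request-side IOCs above can be turned into a simple log check. The following is an added, defender-side example written for this page; it is not code from the README's PoC script or from the XWiki project. It assumes Apache/nginx combined-format access logs, treats XWiki macro delimiters (`{{...}}`) or the word `groovy` inside the decoded `text` parameter of a `SolrSearch` request as suspicious, and uses a constructed per-IP hit threshold; the sample log lines are constructed, with the macro body replaced by a placeholder.

```python
"""Scan web-server access logs for the SolrSearch IOCs listed above.

Added example (not part of the original README or XWiki). Assumptions:
combined log format, XWiki 2.x macro syntax {{...}} or "groovy" in the
decoded `text` parameter counts as suspicious, and HITS_PER_IP_THRESHOLD
is an illustrative value for "high volume of hits".
"""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Combined log format: ip ident user [ts] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

SOLR_PATH = "/xwiki/bin/get/Main/SolrSearch"   # endpoint named in the IOC list
MACRO_RE = re.compile(r"\{\{.*?\}\}", re.S)      # XWiki 2.x macro markup
HITS_PER_IP_THRESHOLD = 5                        # constructed threshold

# Constructed sample traffic (not real logs). Line 3 carries macro markup
# in the `text` parameter with the body replaced by the placeholder SAMPLE;
# lines 4-8 show one client hammering the endpoint.
SAMPLE_LOG = "\n".join([
    '203.0.113.7 - - [10/Nov/2025:10:00:01 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Nov/2025:10:00:02 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=xwiki HTTP/1.1" 200 2048',
    '198.51.100.9 - - [10/Nov/2025:10:00:03 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=%7B%7Bgroovy%7D%7DSAMPLE%7B%7B%2Fgroovy%7D%7D HTTP/1.1" 200 1300',
] + [
    f'198.51.100.9 - - [10/Nov/2025:10:00:0{i} +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=probe{i} HTTP/1.1" 200 1300'
    for i in range(4, 9)
])


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qs percent-decodes values, so macro markup becomes visible here
    rec["query"] = parse_qs(parts.query, keep_blank_values=True)
    return rec


def classify(rec):
    """Return the IOC tags that apply to a parsed record."""
    tags = []
    if rec["path"] != SOLR_PATH:
        return tags
    tags.append("solrsearch_hit")
    if rec["query"].get("media") == ["rss"]:
        tags.append("media_rss")
    for value in rec["query"].get("text", []):
        if MACRO_RE.search(value):
            tags.append("macro_in_text")      # "unexpected macro structures"
        if "groovy" in value.lower():
            tags.append("groovy_in_text")     # Groovy evaluation indicator
    return tags


def scan(log_text):
    """Return (suspicious_records, high_volume_ips) for a block of log text."""
    findings = []
    per_ip = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        tags = classify(rec)
        if "solrsearch_hit" in tags:
            per_ip[rec["ip"]] += 1
        if "macro_in_text" in tags or "groovy_in_text" in tags:
            findings.append({"ip": rec["ip"], "ts": rec["ts"], "tags": tags})
    high_volume = [ip for ip, n in per_ip.items() if n >= HITS_PER_IP_THRESHOLD]
    return findings, high_volume


if __name__ == "__main__":
    found, noisy = scan(SAMPLE_LOG)
    for f in found:
        print(f"suspicious SolrSearch request from {f['ip']} at {f['ts']}: {f['tags']}")
    for ip in noisy:
        print(f"high volume of SolrSearch hits from {ip}")
```

Run it against a real access log by replacing `SAMPLE_LOG` with the file contents; the macro and volume checks are deliberately separate, since a benign RSS search also sets `media=rss` and should not be flagged on its own.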
## 🧯 System Behavior
| Symptom | Meaning |
| ------------------------------------ | ------------------------------ |
| 📈 CPU usage spikes | Mining activity |
| 📁 New binaries in `/tmp` | Payload staging |
| 🧪 Unknown processes | Lateral movement / persistence |
| 🌐 Outbound traffic to strange hosts | Botnet or miner callouts |
---
# 🛡️ 7. Mitigation Steps
## 🟢 1. Upgrade Immediately
Apply one of:
* **15.10.11**
* **16.4.1**
* **16.5.0-RC1**
## 🟠 2. Temporary Workarounds (Safe Descriptions)
* Restrict anonymous access
* Disable/limit SolrSearch macro if possible
* Apply vendor-provided template hardening
* Add WAF rules blocking invalid template directives
## 🔵 3. Hardening
* Run XWiki under limited OS permissions
* Limit exposure (avoid direct internet access)
* Enable audit logging
* Monitor system for IOCs above
## 🔴 4. After Patching
* Conduct forensic checks:
  * processes 👀
  * crontabs ⏱️
  * `/tmp/` binaries 🗂️
  * outbound connections 🌐
---
# 📚 8. Structured Schemas & Tables
## 📑 Vulnerability Schema
| Field | Value |
| ------------------- | ---------------------- |
| ID | CVE-2025-24893 |
| Type | RCE |
| Vector | Network |
| Privileges Required | None |
| Affected Component | SolrSearch macro |
| CWE | 94 & 95 |
| Exploitation | Active |
| Impact | Full system compromise |
---
# 🧷 9. Short Summary (Aesthetic)
⚠️ **CVE-2025-24893** is a critical RCE in XWiki’s SolrSearch macro.
🧨 Attackers can run code without authentication.
🔥 Actively exploited in real-world attacks.
🛡️ Patch immediately to 15.10.11, 16.4.1, or newer.
---
### ⚠️ Disclaimer:
This information is for defensive and educational purposes only.
File snapshot
[4.0K] /data/pocs/203160906dd77cb2355a4de8d5e1854b0c69c78a
├── [4.5K] CVE-2025-24893.py
└── [5.3K] README.md
1 directory, 2 files