RondoDox Exploits Unpatched XWiki Servers (CVE-2025-24893)

RondoDox exploits an unpatched XWiki eval-injection vulnerability, CVE-2025-24893, to enroll servers into a botnet and to deliver cryptocurrency miners and reverse shells.

RondoDox exploits an eval-injection bug that allows a guest user to achieve remote code execution by invoking the /bin/get/Main/SolrSearch endpoint. XWiki maintainers published fixes in versions 15.10.11, 16.4.1 and 16.5.0RC1 in late February 2025 (XWiki advisory).

The U.S. Cybersecurity and Infrastructure Security Agency added CVE-2025-24893 to its Known Exploited Vulnerabilities catalog and set a November 20, 2025 mitigation deadline for federal agencies (CISA KEV).

VulnCheck reported renewed exploitation activity in October and November 2025, noting spikes on November 7 and November 11 and describing attacks that chain an initial exploit into miner deployments and backdoors (VulnCheck report).

The RondoDox botnet was first observed exploiting the flaw on November 3, 2025. Operators have used compromised XWiki servers to run miners, establish reverse shells, and enroll machines into DDoS-capable botnets. The activity follows related botnet trends, including a recent shift by the Aisuru botnet toward proxy-based tactics.

Defenders should scan externally facing XWiki instances using the ProjectDiscovery Nuclei template for CVE-2025-24893 (Nuclei template). For related supply-chain and persistence techniques, see our coverage of SleepyDuck malware.

  • Upgrade XWiki to 15.10.11, 16.4.1, 16.5.0RC1, or a later patched release (XWiki advisory).
  • Block or closely monitor requests to /bin/get/Main/SolrSearch from untrusted sources.
  • Scan public-facing XWiki instances with the ProjectDiscovery Nuclei template (Nuclei template).
  • Search logs for indicators of compromise: unexpected cron jobs, unknown processes, reverse-shell callbacks, and significant outbound traffic consistent with DDoS.
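The second and fourth items above can be turned into a simple log check. The following is an added example, not code from the article, VulnCheck or the XWiki project: it parses combined-format web access logs, flags any request to the /bin/get/Main/SolrSearch endpoint named in the advisory, and ignores requests from an allowlist of trusted networks. The allowlist and the log lines are constructed placeholders.

```python
"""Flag access-log requests to the XWiki SolrSearch endpoint from untrusted sources.

Added example (not from the original article). Assumptions: logs are in the
Apache/Nginx combined format, and TRUSTED_NETWORKS is a placeholder allowlist
that a real deployment would replace with its own ranges.
"""
import ipaddress
import re
from typing import Dict, Iterable, List, Optional

# Endpoint named in the XWiki advisory for CVE-2025-24893.
WATCHED_PATH = "/bin/get/Main/SolrSearch"

# Placeholder allowlist (assumption): requests from these ranges are not alerted on.
TRUSTED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Combined log format:
# client ident user [time] "METHOD path PROTO" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_trusted(ip_str: str) -> bool:
    """True if the source address falls inside one of the trusted networks."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False  # an unparsable source is treated as untrusted
    return any(ip in net for net in TRUSTED_NETWORKS)


def find_suspicious(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return parsed records for untrusted requests that hit the watched endpoint."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        # Compare the path with any query string and trailing slash removed.
        path_only = rec["path"].split("?", 1)[0].rstrip("/")
        if path_only != WATCHED_PATH:
            continue
        if is_trusted(rec["ip"]):
            continue
        rec["query"] = rec["path"].partition("?")[2]
        hits.append(rec)
    return hits


# Constructed sample log lines (not real traffic); addresses are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [07/Nov/2025:10:15:01 +0000] "GET /bin/get/Main/SolrSearch?q=example HTTP/1.1" 200 512 "-" "curl/8.4.0"',
    '10.0.0.5 - - [07/Nov/2025:10:16:11 +0000] "GET /bin/get/Main/SolrSearch?q=wiki HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [07/Nov/2025:10:17:30 +0000] "GET /bin/view/Main/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(f"{hit['time']} {hit['ip']} {hit['method']} {hit['path']} -> {hit['status']}")
```

Run against the sample, only the request from 203.0.113.7 is reported: the second hit comes from an allowlisted range and the third is a different path. Pointing `find_suspicious` at a real access log gives a first cut at the endpoint monitoring the list recommends; the allowlist should reflect the hosts that legitimately call search on your instance.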

“CVE-2025-24893 is a familiar story: one attacker moves first, and many follow,” VulnCheck wrote in its report (coverage).

Sources: XWiki advisory; VulnCheck; CISA KEV; Nuclei template; site coverage referenced above.