
Jun 5, 2025
CVE-2025-24893 – Unauthenticated Remote Code Execution in XWiki via SolrSearch Macro
An RCE vulnerability in XWiki was found allowing unauthenticated attackers to execute arbitrary Groovy code remotely without authentication or prior access.
CVE-2025-24893 is a critical unauthenticated remote code execution (RCE) vulnerability in XWiki, a popular open-source enterprise wiki platform. The flaw resides in how the SolrSearch macro improperly handles Groovy expressions inside search queries. This allows unauthenticated attackers to execute arbitrary Groovy code remotely—without any authentication or prior access.
- CVE ID: CVE-2025-24893
- Severity: Critical
- CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- EPSS Score: 92.01% (Very high likelihood of exploitation)
- Published: February 20, 2025
- Affected Versions: All versions prior to 15.10.11, 16.4.1, and 16.5.0RC1
- Patched Versions: 15.10.11, 16.4.1, 16.5.0RC1
XWiki includes a macro called SolrSearch (defined in Main.SolrSearchMacros) that enables full-text search through the embedded Solr engine. The vulnerability stems from the way this macro evaluates search parameters in Groovy, failing to sanitize or restrict malicious input.
Attackers can inject Groovy expressions into the search query via a GET request and cause the system to evaluate arbitrary code within the context of the XWiki server process.
Example vulnerable endpoint:
GET /xwiki/bin/view/Main/SolrSearchMacros?search=... (with embedded Groovy code)
This results in direct RCE if the Groovy expression includes system-level commands, such as creating a file or launching a process.
- No authentication required (guest access suffices)
- Publicly exposed XWiki instance
- Affected version in use
- SolrSearch macro available
The root cause is unsafe evaluation of Groovy content inside the SolrSearch macro:
def query = "search=${params.search}" // No sanitization
def result = evaluate(query) // Dangerous use of evaluate()
- Craft Groovy Code Injection
Construct a payload that embeds system commands into the search parameter. - Send GET Request to Macro
curl "http://<target>/xwiki/bin/view/Main/SolrSearchMacros?search=groovy:java.lang.Runtime.getRuntime().exec('touch /tmp/pwned')"
3. Achieve RCE
The injected code is executed, and the attacker gains system-level access on the
XWiki server.
As of now, there’s no official Metasploit module for this CVE, but a working PoC exists on GitHub:
📎 https://github.com/a1baradi/Exploit/blob/main/CVE-2025-24893.py
- Upgrade Immediately:
- 15.x users: Upgrade to 15.10.11
- 16.4.x users: Upgrade to 16.4.1
- Others: Use 16.5.0RC1 or newer
- Restrict Guest Access: Disable anonymous guest access to the application wherever possible.
- Use a Web Application Firewall (WAF): Implement filtering to block malicious query parameters.
- Monitor Logs: Look for unusual Groovy expressions in the SolrSearch endpoint access logs.
Stay in the know: Become an OffSec Insider
Get the latest updates about resources, events & promotions from OffSec!
Latest from OffSec

Research & Tutorials
CVE-2025-24893 – Unauthenticated Remote Code Execution in XWiki via SolrSearch Macro
An RCE vulnerability in XWiki was found allowing unauthenticated attackers to execute arbitrary Groovy code remotely without authentication or prior access.
Jun 5, 2025
2 min read

Insights
OffSec’s Take on the Global Generative AI Adoption Index
Discover OffSec’s take on the latest Global Generative AI Adoption Index report released by AWS.
May 30, 2025
3 min read

Research & Tutorials
CVE-2025-0655 – Remote Code Execution in D-Tale via Unprotected Custom Filters
A critical remote code execution (RCE) vulnerability in the D-Tale data visualization tool was identified which allowed attackers to execute arbitrary system exams, abusing an exposed API endpoint.
May 29, 2025
2 min read