CVE-2025-24893 – Unauthenticated Remote Code Execution in XWiki via SolrSearch Macro

CVE-2025-24893 is a critical unauthenticated remote code execution (RCE) vulnerability in XWiki, a popular open-source enterprise wiki platform. The flaw resides in how the SolrSearch macro improperly handles Groovy expressions inside search queries. This allows unauthenticated attackers to execute arbitrary Groovy code remotely—without any authentication or prior access.

• CVE ID: CVE-2025-24893
• Severity: Critical
• CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
• EPSS Score: 92.01% (Very high likelihood of exploitation)
• Published: February 20, 2025
• Affected Versions: All versions prior to 15.10.11, 16.4.1, and 16.5.0RC1
• Patched Versions: 15.10.11, 16.4.1, 16.5.0RC1

XWiki includes a macro called SolrSearch (defined in Main.SolrSearchMacros) that enables full-text search through the embedded Solr engine. The vulnerability stems from the way this macro evaluates search parameters in Groovy, failing to sanitize or restrict malicious input.

Attackers can inject Groovy expressions into the search query via a GET request and cause the system to evaluate arbitrary code within the context of the XWiki server process.

Example vulnerable endpoint:

GET /xwiki/bin/view/Main/SolrSearchMacros?search=... (with embedded Groovy code)

This results in direct RCE if the Groovy expression includes system-level commands, such as creating a file or launching a process.

• No authentication required (guest access suffices)
• Publicly exposed XWiki instance
• Affected version in use
• SolrSearch macro available

The root cause is unsafe evaluation of Groovy content inside the SolrSearch macro:

def query = "search=${params.search}"  // No sanitization
def result = evaluate(query)           // Dangerous use of evaluate()

1. Craft Groovy Code Injection
   Construct a payload that embeds system commands into the search parameter.
2. Send GET Request to Macro

curl "http://<target>/xwiki/bin/view/Main/SolrSearchMacros?search=groovy:java.lang.Runtime.getRuntime().exec('touch /tmp/pwned')"

3. Achieve RCE
The injected code is executed, and the attacker gains system-level access on the
XWiki server.

As of now, there’s no official Metasploit module for this CVE, but a working PoC exists on GitHub:
📎 https://github.com/a1baradi/Exploit/blob/main/CVE-2025-24893.py

• Upgrade Immediately:
  • 15.x users: Upgrade to 15.10.11
  • 16.4.x users: Upgrade to 16.4.1
  • Others: Use 16.5.0RC1 or newer
• Restrict Guest Access: Disable anonymous guest access to the application wherever possible.
• Use a Web Application Firewall (WAF): Implement filtering to block malicious query parameters.
• Monitor Logs: Look for unusual Groovy expressions in the SolrSearch endpoint access logs.

• GitHub Advisory GHSA-rr6p-3pfg-562j
• NVD Entry – CVE-2025-24893
• Ionix Blog Analysis
• PoC Exploit Script