Blog

/

CVE-2025-24893 – Unauthenticated Remote Code Execution in XWiki via SolrSearch Macro

Research & Tutorials

Jun 5, 2025

CVE-2025-24893 – Unauthenticated Remote Code Execution in XWiki via SolrSearch Macro

An RCE vulnerability in XWiki was found allowing unauthenticated attackers to execute arbitrary Groovy code remotely without authentication or prior access.

OffSec Team OffSec Team

2 min read

Overview

CVE-2025-24893 is a critical unauthenticated remote code execution (RCE) vulnerability in XWiki, a popular open-source enterprise wiki platform. The flaw resides in how the SolrSearch macro improperly handles Groovy expressions inside search queries. This allows unauthenticated attackers to execute arbitrary Groovy code remotely—without any authentication or prior access.

  • CVE ID: CVE-2025-24893
  • Severity: Critical
  • CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
  • EPSS Score: 92.01% (Very high likelihood of exploitation)
  • Published: February 20, 2025
  • Affected Versions: All versions prior to 15.10.11, 16.4.1, and 16.5.0RC1
  • Patched Versions: 15.10.11, 16.4.1, 16.5.0RC1

Technical Breakdown

XWiki includes a macro called SolrSearch (defined in Main.SolrSearchMacros) that enables full-text search through the embedded Solr engine. The vulnerability stems from the way this macro evaluates search parameters in Groovy, failing to sanitize or restrict malicious input.

Attackers can inject Groovy expressions into the search query via a GET request and cause the system to evaluate arbitrary code within the context of the XWiki server process.

Example vulnerable endpoint:

GET /xwiki/bin/view/Main/SolrSearchMacros?search=... (with embedded Groovy code)

This results in direct RCE if the Groovy expression includes system-level commands, such as creating a file or launching a process.

Conditions for Exploitation

  • No authentication required (guest access suffices)
  • Publicly exposed XWiki instance
  • Affected version in use
  • SolrSearch macro available

Vulnerable Code Context

The root cause is unsafe evaluation of Groovy content inside the SolrSearch macro:

def query = "search=${params.search}"  // No sanitization
def result = evaluate(query)           // Dangerous use of evaluate()

Exploitation Steps

  1. Craft Groovy Code Injection
    Construct a payload that embeds system commands into the search parameter.
  2. Send GET Request to Macro
curl "http://<target>/xwiki/bin/view/Main/SolrSearchMacros?search=groovy:java.lang.Runtime.getRuntime().exec('touch /tmp/pwned')"

3. Achieve RCE
The injected code is executed, and the attacker gains system-level access on the
XWiki server.

Exploitation with POC

As of now, there’s no official Metasploit module for this CVE, but a working PoC exists on GitHub:
📎 https://github.com/a1baradi/Exploit/blob/main/CVE-2025-24893.py

Mitigation

  • Upgrade Immediately:
    • 15.x users: Upgrade to 15.10.11
    • 16.4.x users: Upgrade to 16.4.1
    • Others: Use 16.5.0RC1 or newer
  • Restrict Guest Access: Disable anonymous guest access to the application wherever possible.
  • Use a Web Application Firewall (WAF): Implement filtering to block malicious query parameters.
  • Monitor Logs: Look for unusual Groovy expressions in the SolrSearch endpoint access logs.

References

Stay in the know: Become an OffSec Insider

Stay in the know: Become an OffSec Insider

Get the latest updates about resources, events & promotions from OffSec!

Latest from OffSec