CVE-2025-24893 PoC — Remote code execution as guest via SolrSearchMacros request in xwiki

Source
Associated Vulnerability
Title: Remote code execution as guest via SolrSearchMacros request in xwiki (CVE-2025-24893)
Description: XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any guest can perform arbitrary remote code execution through a request to `SolrSearch`. This impacts the confidentiality, integrity and availability of the whole XWiki installation. To reproduce on an instance, without being logged in, go to `<host>/xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28"Hello%20from"%20%2B%20"%20search%20text%3A"%20%2B%20%2823%20%2B%2019%29%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D%20`. If there is an output, and the title of the RSS feed contains `Hello from search text:42`, then the instance is vulnerable. This vulnerability has been patched in XWiki 15.10.11, 16.4.1 and 16.5.0RC1. Users are advised to upgrade. Users unable to upgrade may edit `Main.SolrSearchMacros` in `SolrSearchMacros.xml` on line 955 to match the `rawResponse` macro in `macros.vm#L2824` with a content type of `application/xml`, instead of simply outputting the content of the feed.
Description
A critical remote code execution (RCE) vulnerability (CVE-2025-24893) exists in the XWiki Platform, specifically in the SolrSearch RSS feed endpoint.
Readme
# CVE-2025-24893 – XWiki Remote Code Execution (RCE)

## Overview
**CVE-2025-24893** is a **critical unauthenticated Remote Code Execution (RCE)** vulnerability in **XWiki**, a widely used open-source enterprise wiki platform.  
The flaw exists in the `SolrSearch` macro, which improperly evaluates Groovy expressions embedded in search queries.  

This vulnerability allows **remote, unauthenticated attackers** to execute arbitrary Groovy code on the server, potentially gaining full control of the affected system.
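
For defenders reviewing web server logs, the following added example (not part of the original README or of XWiki) flags `SolrSearch` requests whose `text` parameter carries wiki macro syntax such as `{{groovy}}` or `{{async}}`, including double-encoded values. The combined-log format, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Combined-log-style request line; the log format is an assumption.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# Opening or closing wiki macro tag, e.g. {{groovy}} or {{/async}}.
MACRO_RE = re.compile(r"\{\{\s*/?\s*([a-z]+)", re.I)

def decode_fully(value, rounds=3):
    """Undo repeated percent-encoding (a proxy may log double-encoded values)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def check_line(line):
    """Return a finding for a SolrSearch request whose `text` holds macro syntax."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    if not unquote(url.path).rstrip("/").lower().endswith("/main/solrsearch"):
        return None
    params = parse_qs(url.query, keep_blank_values=True)  # decodes one level
    macros = sorted({name.lower() for text in params.get("text", [])
                     for name in MACRO_RE.findall(decode_fully(text))})
    if not macros:
        return None
    return {"ip": m["ip"], "status": int(m["status"]), "macros": macros,
            "rss": "rss" in params.get("media", [])}

# Constructed sample lines (documentation IP ranges; macro body replaced by X).
SAMPLE_LOG = [
    '192.0.2.10 - - [21/Feb/2025:09:14:02 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=release+notes HTTP/1.1" 200 5120',
    '198.51.100.7 - - [21/Feb/2025:09:15:40 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7DX%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D HTTP/1.1" 200 1843',
    '198.51.100.7 - - [21/Feb/2025:09:16:05 +0000] "GET /xwiki/bin/get/Main/SolrSearch?text=%257B%257Bgroovy%257D%257DX%257B%257B%252Fgroovy%257D%257D HTTP/1.1" 200 1790',
    '192.0.2.44 - - [21/Feb/2025:09:17:30 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 9032',
]

def scan(lines):
    return [f for f in map(check_line, lines) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A match shows only that macro syntax reached the endpoint; whether it was evaluated depends on whether the instance runs one of the patched versions listed below.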

---

## Vulnerability Details

- **CVE ID:** CVE-2025-24893  
- **Severity:** Critical  
- **CVSS v3.1 Score:** 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)  
- **EPSS Score:** 92.01% (Very high likelihood of exploitation)  
- **Published:** February 20, 2025  

---

## Affected Versions
- All versions **prior to**:
  - `15.10.11`
  - `16.4.1`
  - `16.5.0RC1`

## Patched Versions
- `15.10.11`  
- `16.4.1`  
- `16.5.0RC1`

## 👨‍💻 About Me

I'm Ulfat Ibadov, a penetration tester and cybersecurity mentor currently working with **EC-Council**. My main focus is on offensive security, including red teaming, vulnerability research, and real-world exploitation techniques.

I’ve completed multiple certifications, including:
- Certified Ethical Hacker (CEH & CEH Practical)
- Web Application Hacking and Security (W|AHS)
- Certified Cybersecurity Technician (C|CT)
- Certified Penetration Testing Specialist (CPTS – HTB Academy)
- Certified Penetration Testing Specialist (**BBH – HTB Academy**)

I’m also an active bug bounty hunter and top-ranked participant on platforms like **TryHackMe** and **Hack The Box**, where I currently rank in the top 1%.

I'm passionate about helping others learn ethical hacking through hands-on labs and mentoring.

## 📎 Connect with Me 
- [LinkedIn](https://www.linkedin.com/in/ibadovulfat/)
- [Portfolio](https://about.surf) 