CVE-2025-24893 PoC — Remote code execution as guest via SolrSearchMacros request in xwiki

Title:Remote code execution as guest via SolrSearchMacros request in xwiki (CVE-2025-24893)
Description:XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any guest can perform arbitrary remote code execution through a request to `SolrSearch`. This impacts the confidentiality, integrity and availability of the whole XWiki installation. To reproduce on an instance, without being logged in, go to `<host>/xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28"Hello%20from"%20%2B%20"%20search%20text%3A"%20%2B%20%2823%20%2B%2019%29%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D%20`. If there is an output, and the title of the RSS feed contains `Hello from search text:42`, then the instance is vulnerable. This vulnerability has been patched in XWiki 15.10.11, 16.4.1 and 16.5.0RC1. Users are advised to upgrade. Users unable to upgrade may edit `Main.SolrSearchMacros` in `SolrSearchMacros.xml` on line 955 to match the `rawResponse` macro in `macros.vm#L2824` with a content type of `application/xml`, instead of simply outputting the content of the feed.

CVE-2025-24893 tool

# CVE-2025-24893 XWiki RCE 취약점 분석

## 환경 구축

### 1. XWiki 15.10.10 환경 실행
```bash
docker-compose up -d
```

### 2. XWiki 접속
- URL: http://localhost:8080
- 초기 설정을 완료한 후 테스트 진행
- 초기 페이지 접속 후 관리자 계정 생생
- xwiki 기본 extension 설치
- 사용자 script 권한 부여여

## 취약점 정보
- **CVE ID**: CVE-2025-24893
- **제품**: XWiki Platform
- **버전**: 15.10.10
- **취약점 유형**: Remote Code Execution (RCE)
- **CVSS**: TBD

## PoC 코드
PoC는 SolrSearch 기능의 템플릿 인젝션을 통해 RCE를 수행합니다.

## 분석 환경
- OS: Windows 10
- Docker: 최신 버전
- XWiki: 15.10.10

 [4.0K]  /data/pocs/3d5e08b9edf4447014999c46229bc8832a413123
├── [ 663]  docker-compose.yml
├── [ 732]  README.md
├── [6.9K]  xwiki_exploit.log
└── [ 14K]  xwiki_exploit_module.py

1 directory, 4 files