Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2025-24893 PoC — Remote code execution as guest via SolrSearchMacros request in xwiki

Source
https://github.com/Hex00-0x4/CVE-2025-24893-XWiki-RCE
Associated Vulnerability
Title:Remote code execution as guest via SolrSearchMacros request in xwiki (CVE-2025-24893)
Description:XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any guest can perform arbitrary remote code execution through a request to `SolrSearch`. This impacts the confidentiality, integrity and availability of the whole XWiki installation. To reproduce on an instance, without being logged in, go to `<host>/xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28"Hello%20from"%20%2B%20"%20search%20text%3A"%20%2B%20%2823%20%2B%2019%29%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D%20`. If there is an output, and the title of the RSS feed contains `Hello from search text:42`, then the instance is vulnerable. This vulnerability has been patched in XWiki 15.10.11, 16.4.1 and 16.5.0RC1. Users are advised to upgrade. Users unable to upgrade may edit `Main.SolrSearchMacros` in `SolrSearchMacros.xml` on line 955 to match the `rawResponse` macro in `macros.vm#L2824` with a content type of `application/xml`, instead of simply outputting the content of the feed.
Description
This vulnerability could allow a malicious user to execute remote code by sending appropriately crafted requests to the default search engine SolrSearch
Readme
## 📜 **Description**

A **critical RCE vulnerability** exists in **XWiki** that allows **unauthenticated attackers** to execute arbitrary system commands via vulnerable API endpoints.  
Exploitation can result in:  

- **Full server takeover**  
- **Data theft or destruction**  
- **Pivoting into internal networks**  

---

## 💥 **Impact**

- **Complete compromise** of the affected XWiki instance and underlying OS.  
- **Loss of confidentiality, integrity, and availability**.  

---

## 🛠 **Fix / Mitigation**

- **Upgrade** to the latest patched version (****).  
- **Restrict** or disable vulnerable API endpoints.  
- Apply **WAF rules** to block malicious payloads.

## Exploitation:

## SHODAN DORK : ``` http.title:"XWiki" ```


<img width="1900" height="336" alt="Screenshot 2025-08-08 111156" src="https://github.com/user-attachments/assets/078abbf0-4012-4798-8c8f-5abcd9f7df3c" />

## Usage:

``` git clone https://github.com/Hex00-0x4/CVE-2025-24893-XWiki-RCE.git ```

```cd CVE-2025-24893-XWiki-RCE ```

```python3 CVE-2025-24893.py```


<img width="1477" height="742" alt="Screenshot 2025-08-08 111415" src="https://github.com/user-attachments/assets/b1e4d6d0-b1d7-4561-bbce-ce98c0e64ee0" />
File Snapshot

 [4.0K]  /data/pocs/a32b762d56d5ec03e1e2f7b066e12d8e7ff065d4
├── [3.3K]  CVE-2025-24893.py
├── [1.0K]  LICENSE
└── [1.2K]  README.md

0 directories, 3 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →