Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2025-24893 PoC — Remote code execution as guest via SolrSearchMacros request in xwiki

Source
https://github.com/D3Ext/CVE-2025-24893
Associated Vulnerability
Title:Remote code execution as guest via SolrSearchMacros request in xwiki (CVE-2025-24893)
Description:XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any guest can perform arbitrary remote code execution through a request to `SolrSearch`. This impacts the confidentiality, integrity and availability of the whole XWiki installation. To reproduce on an instance, without being logged in, go to `<host>/xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28"Hello%20from"%20%2B%20"%20search%20text%3A"%20%2B%20%2823%20%2B%2019%29%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D%20`. If there is an output, and the title of the RSS feed contains `Hello from search text:42`, then the instance is vulnerable. This vulnerability has been patched in XWiki 15.10.11, 16.4.1 and 16.5.0RC1. Users are advised to upgrade. Users unable to upgrade may edit `Main.SolrSearchMacros` in `SolrSearchMacros.xml` on line 955 to match the `rawResponse` macro in `macros.vm#L2824` with a content type of `application/xml`, instead of simply outputting the content of the feed.
Description
POC exploit for CVE-2025-24893
Readme
# CVE-2025-24893

```
# Exploit Title: XWiki 15.10.10 - Unauthenticated Remote Code Execution
# Date: 09/08/2025
# Exploit Author: D3Ext
# Vendor Homepage: https://www.xwiki.org/
# Software Link: https://github.com/xwiki/xwiki-platform
# Version: 15.10.10
# Tested on: Kali Linux 2025
# CVE: CVE-2025-24893
```

## Explanation

This repository contains a POC (Proof of Concept) of the CVE-2025-24893 vulnerability, which affects to XWiki 15.10.10 version. XWiki includes a macro called SolrSearch (defined in Main.SolrSearchMacros) enabling full-text search through the engine. The vulnerability stems from the way this macro evaluates search parameters in Groovy, failing to sanitize or restrict malicious input. Thus, unauthenticated attackers are able to execute arbitrary Groovy code remotely without authentication or prior access.

Vulnerable path:

`/xwiki/bin/view/Main/SolrSearchMacros?search=...`

## Usage

```
usage: CVE-2025-24893.py [-h] --url URL --command COMMAND

XWiki 15.10.10 - Unauthenticated Remote Code Execution (RCE)

options:
  -h, --help         show this help message and exit
  --url URL          URL of the web root
  --command COMMAND  command to execute
```

## Demo

<img src="demo.png">

## References

```
https://nvd.nist.gov/vuln/detail/CVE-2025-24893
https://www.offsec.com/blog/cve-2025-24893/
https://www.wiz.io/vulnerability-database/cve/cve-2025-24893
https://www.incibe.es/en/incibe-cert/early-warning/vulnerabilities/cve-2025-24893
```

## License

This project is under [MIT](https://github.com/D3Ext/CVE-2024-25641/blob/main/LICENSE) license

Copyright © 2025, *D3Ext*
File Snapshot

 [4.0K]  /data/pocs/abb3d17c0cc23a239a71ee997ea29794dd7dc1cd
├── [2.0K]  CVE-2025-24893.py
├── [ 21K]  demo.png
├── [1.0K]  LICENSE
└── [1.6K]  README.md

0 directories, 4 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →