Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2025-24893 PoC — Remote code execution as guest via SolrSearchMacros request in xwiki

Source
https://github.com/CMassa/CVE-2025-24893
Associated Vulnerability
Title:Remote code execution as guest via SolrSearchMacros request in xwiki (CVE-2025-24893)
Description:XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any guest can perform arbitrary remote code execution through a request to `SolrSearch`. This impacts the confidentiality, integrity and availability of the whole XWiki installation. To reproduce on an instance, without being logged in, go to `<host>/xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28"Hello%20from"%20%2B%20"%20search%20text%3A"%20%2B%20%2823%20%2B%2019%29%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D%20`. If there is an output, and the title of the RSS feed contains `Hello from search text:42`, then the instance is vulnerable. This vulnerability has been patched in XWiki 15.10.11, 16.4.1 and 16.5.0RC1. Users are advised to upgrade. Users unable to upgrade may edit `Main.SolrSearchMacros` in `SolrSearchMacros.xml` on line 955 to match the `rawResponse` macro in `macros.vm#L2824` with a content type of `application/xml`, instead of simply outputting the content of the feed.
Description
PoC exploit for XWiki Remote Code Execution Vulnerability (CVE-2025-24893)
Readme
# CVE-2025-24893 - XWiki Unauthenticated Remote Code Execution

PoC exploit for [XWiki](https://www.xwiki.org/xwiki/bin/view/Main/WebHome) Unauthenticated Remote Code Execution Vulnerability (CVE-2025-24893). This PoC allows to execute arbitrary commands through Groovy code on SolrSearch Macro.

## Details

```text
Severity: Critical
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 92.01% (Very high likelihood of exploitation)
Affected Versions: All versions prior to 15.10.11, 16.4.1, and 16.5.0RC1
Patched Versions: 15.10.11, 16.4.1, 16.5.0RC1
```

## Usage

```bash
usage: CVE-2025-24893 [-h] [-t TARGET] [-c COMMAND] [-v]

Unauthenticated Remote Code Execution (RCE) on XWiki

options:
  -h, --help            show this help message and exit
  -t, --target TARGET   Target XWiki URL
  -c, --command COMMAND Command to execute
  -v, --verify          Verify if target XWiki is vulnerable
```

## Example

***Verification***

![verification](image.png)

***Basic command exploitation***

![exploitation](image-1.png)

***Remote shell exploitation***

![remote_shell](image-2.png)

## References

[https://www.offsec.com/blog/cve-2025-24893/]
[https://nvd.nist.gov/vuln/detail/CVE-2025-24893]
[https://www.incibe.es/en/incibe-cert/early-warning/vulnerabilities/cve-2025-24893]
File Snapshot

 [4.0K]  /data/pocs/f7800257dda9eb3f82e8c1d729664374ed75f9be
├── [3.4K]  CVE-2025-24893.py
├── [ 18K]  image-1.png
├── [ 18K]  image-2.png
├── [ 19K]  image.png
└── [1.3K]  README.md

0 directories, 5 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →