
RondoDox Botnet Exploits Critical XWiki Server Flaw

Summary

– The RondoDox botnet malware is exploiting CVE-2025-24893, a critical remote code execution vulnerability in XWiki Platform.
– CISA confirmed active exploitation of this vulnerability on October 30, with multiple threat actors including cryptocurrency miners now leveraging it.
– RondoDox uses HTTP GET requests to inject Groovy code through XWiki’s SolrSearch endpoint, downloading scripts that retrieve the main malware payload.
– This vulnerability affects XWiki versions before 15.10.11 and 16.4.1, requiring immediate patching due to widespread active exploitation.
– Public indicators of compromise for RondoDox can block these attacks, as researchers identified the botnet through specific user-agents and payload servers.

A significant cybersecurity threat has emerged with the RondoDox botnet malware actively exploiting a critical remote code execution vulnerability in XWiki Platform, identified as CVE-2025-24893. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) officially flagged this flaw as under active attack on October 30. Recent analysis from the vulnerability intelligence firm VulnCheck confirms that multiple threat groups, including the RondoDox botnet operators and cryptocurrency miners, are now leveraging this security gap in their campaigns.

First documented by Fortinet in July 2025 as a growing danger, the RondoDox botnet has shown alarming expansion. By early October, security researchers at Trend Micro reported its exponential growth, noting that newer variants target over 30 different device types using 56 known vulnerabilities, some of which were originally demonstrated at Pwn2Own hacking contests.

Starting November 3, VulnCheck detected RondoDox exploiting CVE-2025-24893 through a carefully manipulated HTTP GET request. This attack injects base64-encoded Groovy code via the XWiki SolrSearch endpoint, forcing the server to retrieve and run a remote shell payload. The initial script downloaded, named rondo..sh, acts as a first-stage downloader that fetches and launches the primary RondoDox malware.

Beyond the botnet activity, researchers observed additional malicious actions. On November 7, attackers deployed cryptocurrency miners, while attempts to establish a bash reverse shell were recorded on October 31 and November 11. VulnCheck also reported widespread scanning using the Nuclei tool, where payloads attempted to execute commands like `cat /etc/passwd` through Groovy injection in the same XWiki endpoint, alongside OAST-based probing techniques.

XWiki Platform is a widely used, open-source enterprise wiki built in Java, often deployed for self-hosted internal knowledge management. The vulnerability impacts all versions prior to 15.10.11 and 16.4.1, making immediate patching essential for administrators given the active exploitation. Researchers emphasize that multiple attackers began leveraging the flaw just days after initial exploitation was detected.

The observed incidents match a specific user-agent and documented payload servers linked to RondoDox. This correlation means that publicly available indicators of compromise for the botnet can be used to block these exploitation attempts effectively.
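A defender-side check for the two observations above (macro syntax injected into the SolrSearch endpoint, and the botnet's known user-agent), as an added example that is not from the article, VulnCheck or XWiki: it parses access-log lines, URL-decodes the query repeatedly so double-encoding does not hide the injection, and flags SolrSearch requests carrying XWiki macro syntax or a Groovy macro. The request path, the sample log lines and the user-agent value are constructed placeholders; substitute the published RondoDox indicators.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample lines in Apache combined log format. The SolrSearch path,
# the macro placeholder and the user-agent string are assumptions for this
# example, not indicators taken from the article.
SAMPLE_LOG = [
    '203.0.113.5 - - [03/Nov/2025:10:12:01 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss'
    '&text=%257B%257Bgroovy%257D%257DPLACEHOLDER%257B%257B%252Fgroovy%257D%257D HTTP/1.1" 200 512 "-" "EXAMPLE-BOT-UA"',
    '198.51.100.7 - - [03/Nov/2025:10:13:44 +0000] "GET /xwiki/bin/get/Main/SolrSearch?text=release+notes HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [03/Nov/2025:10:14:02 +0000] "GET /xwiki/bin/view/Main/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Placeholder set: populate it from the published RondoDox user-agent IoCs.
KNOWN_BAD_UAS = {"EXAMPLE-BOT-UA"}

def fully_decode(s, rounds=3):
    # Decode repeatedly so a double-encoded payload does not slip past the checks.
    for _ in range(rounds):
        s = unquote(s)
    return s

def classify(line):
    """Return the alert reasons for one access-log line (empty list = benign, None = unparsable)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    reasons = []
    if "solrsearch" in parts.path.lower():
        query = fully_decode(parts.query)
        if "{{" in query:  # a search string never legitimately contains XWiki macro syntax
            reasons.append("wiki macro syntax in SolrSearch query")
        if re.search(r"\{\{\s*groovy", query, re.I):
            reasons.append("groovy macro in SolrSearch query")
    if m.group("ua") in KNOWN_BAD_UAS:
        reasons.append("known RondoDox user-agent")
    return reasons

def scan(lines):
    """Map source IP -> accumulated reasons for every line that raised at least one alert."""
    alerts = {}
    for line in lines:
        reasons = classify(line)
        if reasons:
            ip = LOG_RE.match(line).group("ip")
            alerts.setdefault(ip, []).extend(reasons)
    return alerts
```

Run `scan()` over a real access log and feed the resulting source addresses into your block list or SIEM; a hit on the macro-syntax check alone is worth investigating even when the user-agent is unknown.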

(Source: Bleeping Computer)
