Rondodox Botnet Malware Now Hacks Servers Using Xwiki Flaw 2025
The RondoDox botnet malware is now exploiting a critical remote code execution (RCE) flaw in XWiki Platform tracked as CVE-2025-24893.
On October 30, the U.S. Cybersecurity and Information Security Agency (CISA) marked the flaw as actively exploited.
Now, a report from vulnerability intelligence company VulnCheck notes that CVE-2025-24893 is being leveraged in attacks by multiple threat actors, including botnet operators like RondoDox and cryptocurrency miners.
RondoDox is a large-scale botnet malware first documented by Fortinet in July 2025 as an emerging threat. In early October, Trend Micro warned about RondoDox’s exponential growth, with recent variants targeting at least 30 devices via 56 known vulnerabilities, some of them disclosed at Pwn2Own hacking competitions.
Starting November 3, VulnCheck observed RondoDox exploiting CVE-2025-24893 through a specially crafted HTTP GET request that injected base64-encoded Groovy code through the XWiki SolrSearch endpoint, causing the server to download and execute a remote shell payload.
The downloaded script (rondo.
The researchers observed additional attacks involving cryptocurrency miner deployments on November 7, and also attempts to establish a bash reverse shell occurred on October 31 and November 11.
VulnCheck has also recorded widespread scanning using Nuclei, sending payloads that attempt to execute cat /etc/passwd via Groovy injection in the XWiki SolrSearch endpoint, as well as OAST-based probing.
The XWiki Platform is a Java-based, open-source enterprise wiki platform used primarily for self-hosted internal knowledge management solutions.
CVE-2025-24893 impacts versions before 15.10.11 and 16.4.1, which are the upgrade targets for administrators. Given the active exploitation status for this flaw, immediate patching is advised.
