
CVE-2025-24893: CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') in xwiki xwiki-platform

Critical
Type: Vulnerability. Tags: cve, cve-2025-24893, cwe-95
Published: Thu Feb 20 2025 (02/20/2025, 19:19:10 UTC)
Source: CVE Database V5
Vendor/Project: xwiki
Product: xwiki-platform

Description

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any guest can perform arbitrary remote code execution through a request to `SolrSearch`. This impacts the confidentiality, integrity and availability of the whole XWiki installation. To reproduce on an instance, without being logged in, go to `<host>/xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28"Hello%20from"%20%2B%20"%20search%20text%3A"%20%2B%20%2823%20%2B%2019%29%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D%20`. If there is an output, and the title of the RSS feed contains `Hello from search text:42`, then the instance is vulnerable. This vulnerability has been patched in XWiki 15.10.11, 16.4.1 and 16.5.0RC1. Users are advised to upgrade. Users unable to upgrade may edit `Main.SolrSearchMacros` in `SolrSearchMacros.xml` on line 955 to match the `rawResponse` macro in `macros.vm#L2824` with a content type of `application/xml`, instead of simply outputting the content of the feed.

AI-Powered Analysis

Last updated: 10/30/2025, 04:51:30 UTC

Technical Analysis

CVE-2025-24893 is a critical security vulnerability in the XWiki Platform, a widely used generic wiki platform that provides runtime services for applications built on top of it. The flaw is an improper neutralization of directives in dynamically evaluated code, classified as CWE-95 (Eval Injection). The SolrSearch component takes the user-supplied `text` parameter of a request to the SolrSearch RSS feed endpoint and places it into content that the platform evaluates, so an unauthenticated attacker can embed Groovy code in the search text and have the server execute it. The result is arbitrary remote code execution (RCE) that requires neither authentication nor user interaction.

The vulnerability affects all XWiki versions from 5.3-milestone-2 up to but not including 15.10.11, and from 16.0.0-rc-1 up to but not including 16.4.1. Exploitation consists of a single specially crafted HTTP GET request to `/xwiki/bin/get/Main/SolrSearch` whose parameters inject Groovy code. If the request succeeds, the title of the returned RSS feed contains the output of the injected code, which confirms execution.

Because the injected code runs with the privileges of the XWiki server process, the flaw compromises the confidentiality, integrity, and availability of the entire XWiki installation and can lead to full system compromise. The vulnerability has been patched in versions 15.10.11, 16.4.1, and 16.5.0RC1. Users who cannot upgrade immediately can apply a temporary mitigation by editing `Main.SolrSearchMacros` in `SolrSearchMacros.xml` so that the macro returns the feed with the content type `application/xml` instead of simply outputting the feed content, which stops the injected code from being evaluated.

The CVSS v3.1 score of 9.8 reflects the critical nature of this vulnerability: network attack vector, low attack complexity, no privileges required, no user interaction, and high impact on confidentiality, integrity, and availability.

Potential Impact

For European organizations, the impact of CVE-2025-24893 is significant due to the widespread use of XWiki as an enterprise wiki and collaboration platform. Successful exploitation can lead to full remote code execution by unauthenticated attackers, resulting in complete compromise of the affected systems. This can cause data breaches exposing sensitive corporate information, unauthorized modification or deletion of critical content, disruption of business operations, and potential lateral movement within the network. Given that XWiki often stores documentation, project plans, and internal knowledge, the confidentiality and integrity of vital business information are at high risk. The availability of the platform can also be disrupted, affecting collaboration and productivity. Additionally, compromised XWiki servers could be leveraged as pivot points for further attacks against European organizations’ internal infrastructure. The critical severity and ease of exploitation make this vulnerability a high-priority threat for organizations relying on vulnerable XWiki versions.

Mitigation Recommendations

1. Immediate upgrade to patched XWiki versions 15.10.11, 16.4.1, or later is the most effective mitigation.
2. For organizations unable to upgrade promptly, apply the temporary workaround by editing the `Main.SolrSearchMacros` in `SolrSearchMacros.xml` at line 955 to change the `rawResponse` macro to output content with the content type `application/xml` instead of raw feed content, preventing code execution.
3. Restrict access to the SolrSearch endpoint via network controls or web application firewalls (WAF) to limit exposure to untrusted users.
4. Monitor web server logs for suspicious requests containing Groovy code patterns or unusual parameters targeting the SolrSearch endpoint.
5. Implement strict input validation and output encoding in custom XWiki extensions or macros to prevent similar injection flaws.
6. Conduct regular security audits and vulnerability scans to detect outdated XWiki versions.
7. Employ runtime application self-protection (RASP) or endpoint detection and response (EDR) solutions to detect and block exploitation attempts.
8. Maintain robust backup and incident response plans to recover quickly in case of compromise.
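Recommendation 4 in practice: an added detection example (not XWiki project code) that scans Common Log Format access-log lines, decodes the query string and flags requests to the Main/SolrSearch page whose `text` parameter carries the macro syntax seen in the advisory's probe (`}}}`, `{{async`, `{{groovy}}`). It also catches the page under other actions than `/bin/get` and double percent-encoded payloads; the log lines are constructed samples.

```python
"""Flag CVE-2025-24893 probes against XWiki's SolrSearch feed in access logs.
Added example, not XWiki code. Log lines below are constructed samples."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Macro markers a legitimate search term has no reason to contain.
MACRO_MARKERS = ("}}}", "{{async", "{{groovy", "{{/groovy", "{{/async")

# Common Log Format: client, identd, user, [timestamp], "request line", status, bytes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

def decoded_text_params(url: str) -> list:
    """Decoded `text` query values when `url` targets the SolrSearch page, else []."""
    parts = urlsplit(url)
    # Match the page under any action (get, view, ...), not only /bin/get from the advisory.
    if not parts.path.endswith("/Main/SolrSearch"):
        return []
    # parse_qs strips one layer of percent-encoding; unquote again so a
    # double-encoded payload is normalised before the marker check.
    return [unquote(v) for v in parse_qs(parts.query).get("text", [])]

def is_solrsearch_injection(url: str) -> bool:
    """True when any `text` value contains a macro marker (case-insensitive)."""
    return any(m in v.lower() for v in decoded_text_params(url) for m in MACRO_MARKERS)

def scan_access_log(lines) -> list:
    """Return (client_ip, timestamp, status, decoded text) for each suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_solrsearch_injection(m.group("url")):
            text = " | ".join(decoded_text_params(m.group("url")))
            hits.append((m.group("ip"), m.group("ts"), m.group("status"), text))
    return hits

# Constructed sample log: a benign search, the advisory's probe shape, an unrelated page.
SAMPLE_LOG = [
    '198.51.100.4 - - [20/Feb/2025:19:20:01 +0000] "GET /xwiki/bin/get/Main/SolrSearch'
    '?media=rss&text=deployment+guide HTTP/1.1" 200 2210',
    '203.0.113.7 - - [20/Feb/2025:19:21:17 +0000] "GET /xwiki/bin/get/Main/SolrSearch'
    '?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7D'
    'println%28%22Hello%22%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D HTTP/1.1" 200 1532',
    '198.51.100.9 - - [20/Feb/2025:19:22:40 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 9870',
]
```

Running `scan_access_log(SAMPLE_LOG)` returns one hit, the second line, with the decoded payload so an analyst can see what was injected; a 200 status on such a request is a signal to check whether the instance was still unpatched at that time.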


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2025-01-27T15:32:29.451Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6902eea9a7d593c9933c3428

Added to database: 10/30/2025, 4:50:49 AM

Last enriched: 10/30/2025, 4:51:30 AM

Last updated: 10/30/2025, 5:54:03 AM

