
CVE-2025-24893: CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') in xwiki xwiki-platform

Severity: Critical
Type: Vulnerability
Tags: cve, cve-2025-24893, cwe-95
Published: Thu Feb 20 2025 (02/20/2025, 19:19:10 UTC)
Source: CVE Database V5
Vendor/Project: xwiki
Product: xwiki-platform

Description

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any guest can perform arbitrary remote code execution through a request to `SolrSearch`. This impacts the confidentiality, integrity and availability of the whole XWiki installation. To reproduce on an instance, without being logged in, go to `<host>/xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28"Hello%20from"%20%2B%20"%20search%20text%3A"%20%2B%20%2823%20%2B%2019%29%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D%20`. If there is an output, and the title of the RSS feed contains `Hello from search text:42`, then the instance is vulnerable. This vulnerability has been patched in XWiki 15.10.11, 16.4.1 and 16.5.0RC1. Users are advised to upgrade. Users unable to upgrade may edit `Main.SolrSearchMacros` in `SolrSearchMacros.xml` on line 955 to match the `rawResponse` macro in `macros.vm#L2824` with a content type of `application/xml`, instead of simply outputting the content of the feed.

AI-Powered Analysis

AI analysis last updated: 11/06/2025, 07:28:45 UTC

Technical Analysis

CVE-2025-24893 is a critical vulnerability in the XWiki Platform, a widely used generic wiki platform that provides runtime services for applications. The flaw is categorized under CWE-95, indicating improper neutralization of directives in dynamically evaluated code, commonly known as Eval Injection. The vulnerability exists in the SolrSearch component, which processes search queries and returns results. Specifically, the SolrSearch endpoint improperly handles user-supplied input in the 'text' parameter, allowing an attacker to inject Groovy code that is dynamically evaluated without proper sanitization or validation. This enables an unauthenticated attacker to perform arbitrary remote code execution (RCE) on the server hosting the XWiki instance. The exploitation method involves crafting a specially formatted request to the SolrSearch URL with embedded Groovy code, which the server executes, potentially allowing full control over the system. The vulnerability affects all XWiki Platform versions from 5.3-milestone-2 up to but not including 15.10.11, and from 16.0.0-rc-1 up to but not including 16.4.1. The vendor has released patches in versions 15.10.11, 16.4.1, and 16.5.0RC1 to address this issue. For users unable to upgrade immediately, a temporary mitigation involves editing the SolrSearchMacros.xml file to change the output content type to 'application/xml' instead of outputting raw feed content, thereby preventing code execution. The CVSS v3.1 base score is 9.8, reflecting the vulnerability's high impact on confidentiality, integrity, and availability, combined with its ease of exploitation without authentication or user interaction. Although no active exploits have been reported in the wild, the vulnerability poses a significant risk to any exposed XWiki installations, especially those accessible over the internet.

Potential Impact

The impact of CVE-2025-24893 on European organizations can be severe due to the critical nature of the vulnerability. XWiki is used by various enterprises, educational institutions, and government agencies across Europe for collaborative documentation and knowledge management. Successful exploitation allows attackers to execute arbitrary code remotely without authentication, leading to full system compromise. This can result in unauthorized data access, data manipulation, service disruption, and potential lateral movement within networks. Confidential information stored in XWiki instances could be exfiltrated, altered, or destroyed, impacting data confidentiality and integrity. Availability of the platform can be disrupted by attackers deploying ransomware or deleting critical data. Given the widespread use of XWiki in sectors such as public administration, research, and private enterprises, this vulnerability could facilitate espionage, sabotage, or data breaches. The ease of exploitation increases the likelihood of automated scanning and attacks, especially against publicly accessible XWiki servers. European organizations with internet-facing XWiki deployments are at heightened risk, potentially affecting compliance with GDPR and other data protection regulations if sensitive data is compromised.

Mitigation Recommendations

To mitigate CVE-2025-24893, European organizations should prioritize upgrading affected XWiki Platform instances to versions 15.10.11, 16.4.1, or later, where the vulnerability is patched. For environments where an immediate upgrade is not feasible, administrators should apply the temporary workaround by editing 'Main.SolrSearchMacros' in the 'SolrSearchMacros.xml' file at line 955. This involves modifying the 'rawResponse' macro to set the content type to 'application/xml' instead of outputting the raw feed content, which prevents the execution of injected Groovy code. Additionally, organizations should restrict access to the SolrSearch endpoint by implementing network-level controls such as IP whitelisting, VPN access, or web application firewalls (WAFs) with custom rules to detect and block suspicious payloads containing Groovy code or unusual patterns. Continuous monitoring of XWiki logs for anomalous requests to the SolrSearch endpoint is recommended to detect potential exploitation attempts. Employing runtime application self-protection (RASP) or endpoint detection and response (EDR) solutions can help identify and mitigate exploitation in real time. Finally, organizations should conduct regular security assessments and penetration testing focused on XWiki deployments to ensure no residual vulnerabilities remain.
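One way to implement the log-monitoring recommendation above, as an added example that is not the page's or XWiki's own code: it parses constructed access-log lines (assumed combined-log format), URL-decodes the `text` parameter of requests to the SolrSearch path, and flags XWiki macro tags such as `{{groovy}}` and `{{async}}`, including double-encoded ones.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Hypothetical combined-log-format request field: "METHOD target HTTP/x.y".
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# XWiki macro open/close tags that have no business in a search string.
MACRO_RE = re.compile(r"\{\{/?\s*(groovy|async|velocity|script)\b", re.IGNORECASE)

def is_suspicious_solrsearch(line: str):
    """Return a reason string if the line is a SolrSearch request whose `text`
    parameter carries XWiki macro syntax, otherwise None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if "/SolrSearch" not in parts.path:
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    for value in params.get("text", []):
        # parse_qs decoded once; decode once more to catch double-encoded payloads.
        hit = MACRO_RE.search(unquote_plus(value))
        if hit:
            return f"macro tag {hit.group(0)!r} in text parameter"
    return None

def scan(lines):
    """Return [(line_number, reason)] for every suspicious line."""
    return [(n, r) for n, line in enumerate(lines, 1)
            if (r := is_suspicious_solrsearch(line))]

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [20/Feb/2025:19:19:10 +0000] "GET /xwiki/bin/get/Main/SolrSearch'
    '?media=rss&text=backup+policy HTTP/1.1" 200 1532',
    # Macro injection in the text parameter, URL-encoded as in the CVE description.
    '203.0.113.9 - - [20/Feb/2025:19:20:01 +0000] "GET /xwiki/bin/get/Main/SolrSearch'
    '?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7D'
    'println%28%22x%22%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D HTTP/1.1" 200 812',
    # Same tag double-encoded (%25 is '%'), which a single decode would miss.
    '203.0.113.9 - - [20/Feb/2025:19:20:02 +0000] "GET /xwiki/bin/get/Main/SolrSearch'
    '?text=%257B%257Bgroovy%257D%257D HTTP/1.1" 200 810',
    # Macro syntax on a non-SolrSearch path is out of scope for this rule.
    '10.0.0.7 - - [20/Feb/2025:19:21:00 +0000] "GET /xwiki/bin/view/Main/WebHome'
    '?text=%7B%7Bgroovy%7D%7D HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for n, reason in scan(SAMPLE_LOG):
        print(f"line {n}: {reason}")
```

The rule is deliberately scoped to the SolrSearch path named on this page; widening the path filter turns it into a general macro-injection alert for any wiki request.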


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2025-01-27T15:32:29.451Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6902eea9a7d593c9933c3428

Added to database: 10/30/2025, 4:50:49 AM

Last enriched: 11/6/2025, 7:28:45 AM

Last updated: 12/13/2025, 11:08:37 AM
