XWiki SolrSearch Exploit Attempts (CVE-2025-24893) with link to Chicago Gangs/Rappers, (Mon, Nov 3rd)
XWiki describes itself as "The Advanced Open-Source Enterprise Wiki" and considers itself an alternative to Confluence and MediaWiki. In February, XWiki released an advisory (and patch) for an arbitrary remote code execution vulnerability. Affected was the SolrSearch component, which any user, even with minimal "Guest" privileges, can use. The advisory included PoC code, so it is a bit odd that it took so long for the vulnerability to be widely exploited.
AI Analysis
Technical Summary
XWiki, a widely used open-source enterprise wiki platform, disclosed a critical arbitrary remote code execution vulnerability (CVE-2025-24893) in its SolrSearch component in February 2025. This vulnerability allows attackers with minimal privileges, including guest users, to execute arbitrary code remotely by injecting Groovy scripts through specially crafted HTTP GET requests targeting the SolrSearch feature. The exploit leverages the ability to run Groovy code asynchronously within the search query parameters, enabling attackers to execute shell commands on the server. The publicly available proof-of-concept code facilitated reconnaissance scanning starting in July 2025, with active exploit attempts observed from November 3rd, 2025. The attack payload involves downloading and executing shell scripts hosted on external servers, although the original malicious script server is currently offline. The exploit requests are straightforward and do not require authentication or user interaction, increasing the attack surface. The vulnerability is particularly dangerous because it affects any user accessing the SolrSearch component, which is often exposed in enterprise wiki deployments. The attack also intriguingly references Chicago gang culture in the payload naming and associated metadata, but this appears unrelated to the technical exploitation. NIST has added this vulnerability to its Known Exploited Vulnerabilities list, underscoring its criticality and active exploitation status. Organizations running vulnerable XWiki versions without the February patch remain at high risk of compromise, including unauthorized data access, system takeover, and potential lateral movement within networks.
Potential Impact
For European organizations, the exploitation of CVE-2025-24893 could lead to severe consequences including unauthorized remote code execution on critical collaboration platforms, resulting in data breaches, intellectual property theft, and disruption of business operations. Since XWiki is used as an alternative to Confluence and MediaWiki, organizations relying on it for internal documentation, knowledge management, and collaboration could see significant operational impact. Attackers gaining shell access could deploy ransomware, steal sensitive data, or establish persistent footholds within enterprise networks. The vulnerability’s ease of exploitation without authentication or user interaction increases the likelihood of widespread compromise. Additionally, organizations in sectors with strict data protection regulations such as GDPR could face legal and financial repercussions if breaches occur. The potential for lateral movement from compromised XWiki servers to other internal systems amplifies the risk. Given the active scanning and exploitation attempts, European entities must treat this vulnerability as an immediate threat to their cybersecurity posture.
Mitigation Recommendations
1. Immediately apply the official XWiki patch released in February 2025 addressing CVE-2025-24893 to all affected instances.
2. Restrict access to the SolrSearch component by implementing network-level controls such as IP whitelisting or VPN-only access to reduce exposure to untrusted users.
3. Disable or limit the use of Groovy scripting within XWiki if not required, as this is the vector for code execution.
4. Monitor web server logs and application logs for suspicious GET requests containing Groovy script patterns or unusual query parameters targeting SolrSearch.
5. Employ Web Application Firewalls (WAFs) with custom rules to detect and block exploit attempts targeting this vulnerability.
6. Conduct regular vulnerability scans and penetration tests focusing on XWiki deployments to ensure no residual exposure.
7. Educate administrators and users about the risks and signs of compromise related to this vulnerability.
8. Implement strict segmentation of wiki servers from critical infrastructure to limit lateral movement in case of compromise.
9. Maintain up-to-date backups of wiki data and system configurations to enable rapid recovery if an incident occurs.
10. Engage with threat intelligence sources to stay informed about emerging exploit variants or related attack campaigns.
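The technical analysis above describes the vector as Groovy code run asynchronously through the SolrSearch query parameters, and mitigation 4 asks for log monitoring of exactly that. The following detector is an added example, not code from the ISC diary or the XWiki project: it parses combined-format access-log lines (constructed samples, not real traffic), URL-decodes the query string repeatedly so encoded or double-encoded braces are not missed, and flags SolrSearch requests whose query carries a `{{groovy` or `{{async` macro opener. The `/xwiki/bin/<action>/Main/SolrSearch` path layout in the samples is an assumption about the deployment.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample lines in combined access-log format; not real traffic.
# The /xwiki/bin/<action>/Main/SolrSearch path is an assumed deployment layout.
SAMPLE_LOG = """\
203.0.113.5 - - [03/Nov/2025:10:12:01 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=%7B%7Basync%7D%7D%7B%7Bgroovy%7D%7Dprintln%28%22constructed%22%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.7 - - [03/Nov/2025:10:13:44 +0000] "GET /xwiki/bin/view/Main/SolrSearch?text=quarterly+report HTTP/1.1" 200 9834 "-" "Mozilla/5.0"
192.0.2.9 - - [03/Nov/2025:10:15:02 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
"""
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# XWiki macro openers that should never appear in a search string typed by a user.
MACRO_RE = re.compile(r"\{\{\s*(groovy|async)\b", re.IGNORECASE)


def decode_fully(value: str, rounds: int = 3) -> str:
    """URL-decode repeatedly so double-encoded braces (%257B) are still caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request(target: str):
    """Return None for non-SolrSearch requests, else the sorted macro names found."""
    parts = urlsplit(target)
    if "solrsearch" not in parts.path.lower():
        return None
    query = decode_fully(parts.query.replace("+", " "))
    return sorted({m.group(1).lower() for m in MACRO_RE.finditer(query)})


def scan_log(text: str) -> list:
    """Flag SolrSearch requests whose query carries groovy/async macro markers."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        macros = inspect_request(m.group("target"))
        if macros:
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                         "status": int(m.group("status")), "macros": macros})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} status={hit["status"]} macros={hit["macros"]}')
```

A 200 response on a flagged request is worth a closer look than a 4xx, since the advisory's vector works without authentication and a successful request means the macro was handed to the wiki renderer.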
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Belgium
Technical Details
- Article Source: https://isc.sans.edu/diary/rss/32444 (fetched 2025-11-03T14:32:26.364Z, 472 words)
Threat ID: 6908bd0532a746b8e5d27d9e
Added to database: 11/3/2025, 2:32:37 PM
Last enriched: 11/3/2025, 2:32:55 PM
Last updated: 11/5/2025, 4:25:42 AM