RondoDox Botnet Leverages Unpatched XWiki Servers for Rapid Expansion

Updated: 1 day ago

The RondoDox botnet is aggressively expanding its reach by exploiting a critical vulnerability in XWiki servers that have not been patched. This flaw, CVE-2025-24893, allows for arbitrary remote code execution, enabling attackers to compromise servers and integrate them into the botnet for malicious activities.

Key Takeaways

  • The RondoDox botnet is actively exploiting CVE-2025-24893, a critical RCE vulnerability in XWiki.

  • The vulnerability allows unauthenticated users to execute arbitrary code.

  • Patches were released in February 2025, but many servers remain unpatched.

  • Exploitation surged in late October and early November 2025, with RondoDox being a prominent actor.

  • Other threat actors are using the flaw to deploy cryptocurrency miners and establish reverse shells.

Exploitation of CVE-2025-24893

The vulnerability, identified as CVE-2025-24893, carries a CVSS score of 9.8 and resides in XWiki's SolrSearch feature. It allows any guest user to perform arbitrary remote code execution through a specially crafted request to the "/bin/get/Main/SolrSearch" endpoint. This flaw was patched by XWiki maintainers in versions 15.10.11, 16.4.1, and 16.5.0RC1 in late February 2025. Despite the availability of patches, a significant number of XWiki instances remain unpatched, creating a fertile ground for exploitation.

RondoDox's Aggressive Expansion

While initial exploitation attempts were observed as early as March 2025, a significant surge in activity began in late October. The RondoDox botnet emerged as a major threat actor, launching its first exploits against the vulnerability on November 3, 2025. RondoDox is known for its ability to rope susceptible devices into its network to conduct distributed denial-of-service (DDoS) attacks using HTTP, UDP, and TCP protocols. The botnet's activity is identifiable through its specific HTTP User-Agent signatures and payload naming conventions.
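As an added example (not code from the article, XWiki, or any of the cited researchers), the following Python triage script turns the two actionable facts above into checks a defender can run: it decides whether an XWiki version string is at or above the fixed releases named in the article (15.10.11, 16.4.1, 16.5.0RC1), and it scans web-server access logs for requests to the "/bin/get/Main/SolrSearch" endpoint, reporting per-source hit counts and User-Agent strings for follow-up. The combined-log format, the sample log lines, and the assumption that branches older than 15.10 never received the fix are mine.

```python
import re
from collections import Counter

# Added example; fixed releases named in the article: 15.10.11, 16.4.1, 16.5.0RC1.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:RC\d+)?$")

def is_patched(version: str) -> bool:
    """True when `version` is at or above the fix for its release branch.
    Release-candidate suffixes are ignored (16.5.0RC1 counts as 16.5.0).
    Assumption: branches older than 15.10 never received the fix."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised XWiki version: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    if major > 16:
        return True
    if major == 16:
        return (minor, patch) >= (4, 1)    # 16.4.1+, including 16.5.0RC1+
    if major == 15:
        return (minor, patch) >= (10, 11)  # 15.10.11+
    return False

# Assumed combined log format: ip ident user [time] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
SOLR_ENDPOINT = "/bin/get/Main/SolrSearch"  # endpoint named in the article

def find_solrsearch_hits(lines):
    """Return (hits_per_ip, flagged) for every request whose path is the
    SolrSearch endpoint; the User-Agent is kept so hits can be matched
    against published botnet signatures."""
    per_ip, flagged = Counter(), []
    for line in lines:
        m = LOG_RE.match(line)
        if m and m["path"].split("?", 1)[0] == SOLR_ENDPOINT:
            per_ip[m["ip"]] += 1
            flagged.append((m["ip"], m["status"], m["ua"]))
    return per_ip, flagged

# Constructed sample log lines (RFC 5737 test addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [03/Nov/2025:10:01:02 +0000] "GET /bin/view/Main/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [03/Nov/2025:10:01:05 +0000] "GET /bin/get/Main/SolrSearch?text=hello HTTP/1.1" 200 2048 "-" "curl/8.0"',
    '198.51.100.7 - - [03/Nov/2025:10:01:09 +0000] "GET /bin/get/Main/SolrSearch?text=hello HTTP/1.1" 500 0 "-" "curl/8.0"',
    '192.0.2.10 - - [03/Nov/2025:10:02:00 +0000] "GET /bin/get/Main/SolrSearch HTTP/1.1" 200 100 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for v in ("15.10.10", "15.10.11", "16.4.0", "16.5.0RC1"):
        print(v, "patched" if is_patched(v) else "EXPOSED")
    print(find_solrsearch_hits(SAMPLE_LOG)[0].most_common())
```

Feed the script your real access log in place of SAMPLE_LOG; any source with repeated hits to the endpoint, especially from an unfamiliar User-Agent, is worth checking against the vendor advisory and the version check above.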

Broader Threat Landscape

Beyond RondoDox, other threat actors are also weaponizing CVE-2025-24893. Researchers have observed campaigns deploying cryptocurrency miners, which consume the victim's CPU resources for the attacker's profit and significantly degrade server performance. Attempts to establish reverse shells for persistent access, as well as general probing with automated tools such as Nuclei, have also been documented. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply mitigations by November 20.

The Importance of Patch Management

The rapid adoption of CVE-2025-24893 by multiple threat actors underscores the critical need for robust patch management practices. Security experts emphasize that by the time a vulnerability is added to official catalogs, attackers are often already days ahead. Early threat detection and prompt patching remain the most effective defenses against such widespread exploitation campaigns.

As cyber threats become increasingly sophisticated, your security strategy must evolve to keep pace. BetterWorld Technology offers adaptive cybersecurity solutions that grow with the threat landscape, helping your business stay secure while continuing to innovate. Reach out today to schedule your personalized consultation.
