
RondoDox Botnet Expansion: Threat Actors Weaponize Critical XWiki Vulnerability


The discovery of widespread exploitation of a critical XWiki vulnerability, CVE-2025-24893, reveals a severe threat to organizations running unpatched instances. Observed attack activity shows that attackers—most notably the RondoDox botnet—are abusing this flaw to execute arbitrary code, compromise servers, and recruit them into large-scale botnet and cryptomining operations across the internet.

Background on Botnets and Malware Campaigns

RondoDox Botnet

First identified in late 2023 and rapidly evolving through 2025, RondoDox is a distributed botnet focused on exploiting internet-exposed Linux servers, web applications, and SOHO networking equipment. Operators routinely incorporate freshly disclosed vulnerabilities, enabling near-immediate exploitation of new CVEs to scale the botnet.

RondoDox activity has been observed across North America, Europe, India, Brazil, Vietnam, Japan, and the Middle East, with infections concentrated in hosting providers, small office networks, vulnerable CMS platforms, and unmaintained web application servers.

Core Capabilities

  • Multi-Vector DDoS Attacks: Supports UDP floods, TCP SYN/ACK floods, HTTP GET/POST floods, and hybrid volumetric/application-layer attacks.
  • Modular Payload Loading: Ability to deploy miners, reverse shells, or proxy components.
  • Wide Architecture Support: Includes builds for x86_64, ARM, MIPS, and PowerPC.
  • Rapid Exploit Integration: Automated scanners ingest new vulnerabilities into the botnet’s expansion workflow.
  • Stealth & Resilience: Uses rotating C2 nodes, DGAs, and ephemeral infrastructure to avoid tracking.

Vulnerability Details

Critical Remote Code Execution Vulnerability in XWiki

A critical eval injection flaw in XWiki is enabling adversaries to perform arbitrary remote code execution on unpatched servers. The vulnerability affects public-facing XWiki deployments and allows even guest users to trigger malicious code execution via requests to the /bin/get/Main/SolrSearch endpoint.

The severity of this flaw (CVSS 9.8) makes any unpatched XWiki installation a high-value target for automated exploitation campaigns.

Tactics, Techniques, and Procedures (TTPs)

Attackers exploiting this XWiki vulnerability follow a pattern aligned with MITRE ATT&CK techniques:

  • TA0002 – Execution: Adversaries execute malicious code on the target system by abusing the remote code execution flaw.
  • T1203 – Exploitation for Client Execution: Malicious actors exploit vulnerable server-side applications to trigger unintended code execution.

These tactics and techniques enable attackers to deploy botnet payloads, miners, or additional reconnaissance tooling with minimal friction.

Infection Method

Initial Access

  • Automated scanners identify unpatched XWiki servers exposed to the internet.
  • The botnet’s exploit engine probes the vulnerable endpoint for RCE capability.

Exploitation

  • Attackers abuse the eval injection flaw to run arbitrary system commands.
  • The server retrieves malicious binaries from attacker-controlled hosting nodes.

Payload Delivery

RondoDox typically deploys:

  • A lightweight loader
  • The main botnet binary (architecture-specific)
  • Optional modules for cryptomining or reverse shells

Payloads are commonly delivered via:

  • wget/curl downloads
  • DNS-based delivery methods
  • Short-lived cloud storage endpoints

Execution & Persistence

  • Execution often occurs in memory to delay detection.
  • Persistence may involve cron jobs, systemd service files, or watchdog processes.

Command-and-Control (C2)

RondoDox communicates with C2 servers using:

  • TCP, UDP, and HTTP channels
  • Rotating VPS-based servers
  • Domain Generation Algorithms (DGAs)
  • Occasional TOR-proxied outbound traffic

C2 channels support DDoS command issuance, updating modules, retrieving new exploits, and downloading additional payloads.

Impact

Botnet Expansion: Exploiting unpatched XWiki servers allows RondoDox to recruit new devices, strengthening DDoS capacity and expanding its relay infrastructure.

Stealth Monetization: Compromised systems are leveraged to deploy cryptocurrency miners, generating passive income while minimizing noticeable system impact.

Resource Hijacking: RondoDox consumes CPU, memory, and bandwidth, while blocking competing malware and concealing its operations from detection.

Visual Flow

Initial Access (internet scanning) -> Exploitation of XWiki RCE vulnerability -> Payload Delivery (bot client / loader / miner / shell) -> Execution & Persistence (watchdog, cron, systemd) -> Command & Control (HTTP, TCP, UDP, rotating infrastructure) -> Impact (DDoS, proxy relay, cryptomining, lateral scanning)

Mitigation & Recommendations

To protect systems from ongoing exploitation, organizations should immediately update to one of the following patched releases:

  • XWiki 15.10.11
  • XWiki 16.4.1
  • XWiki 16.5.0RC1

Additional recommendations:

  • Prioritize patching for all internet-exposed XWiki instances.
  • Monitor logs for suspicious requests targeting /bin/get/Main/SolrSearch.
  • Implement web application firewall (WAF) rules to block known exploit traffic.
  • Follow CISA guidance requiring federal systems to apply mitigations by November 20, 2025.
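As an added example of the log-monitoring recommendation above (this is not code from the original post, from XWiki, or from SecPod), the following Python snippet scans web server access logs in Combined Log Format and flags every request whose path is the /bin/get/Main/SolrSearch endpoint, then counts hits per source address so scanning activity stands out. The log lines are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# Endpoint named in the advisory; any request here warrants review.
VULNERABLE_PATH = "/bin/get/Main/SolrSearch"

# Combined Log Format as written by Apache httpd / nginx (assumed log format).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_solrsearch_hit(target):
    """True when the request path matches the endpoint.

    The query string is ignored, percent-encoding is decoded, and a trailing
    slash or case difference does not hide the request from the check.
    """
    path = unquote(urlsplit(target).path)
    return path.rstrip("/").lower() == VULNERABLE_PATH.lower()

def find_suspicious(lines):
    """Return the parsed records of every request that targets the endpoint."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_solrsearch_hit(rec["target"]):
            hits.append(rec)
    return hits

def summarize(hits):
    """Count hits per source address; repeated probes from one host stand out."""
    return Counter(h["src"] for h in hits)

# Constructed sample log lines (not from a real incident).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Nov/2025:03:14:02 +0000] "GET /bin/get/Main/SolrSearch?media=rss HTTP/1.1" 200 512',
    '198.51.100.4 - alice [12/Nov/2025:03:14:05 +0000] "GET /bin/view/Main/WebHome HTTP/1.1" 200 8031',
    '203.0.113.7 - - [12/Nov/2025:03:14:06 +0000] "GET /bin/get/Main/SolrSearch/?media=rss HTTP/1.1" 200 498',
    'malformed line',
]

if __name__ == "__main__":
    for src, n in summarize(find_suspicious(SAMPLE_LOG)).items():
        print(f"{src}: {n} request(s) to {VULNERABLE_PATH}")
```

In production, feed the script the real access log and correlate any hit with the XWiki version in use; a hit on an unpatched instance should be treated as a possible compromise rather than just a scan.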

Instantly Fix Risks with Saner Patch Management

Saner patch management is a continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.

It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.

Experience the fastest and most accurate patching software here.