RondoDox Botnet Expands to Enterprise: Critical XWiki Flaw Now Under Active Attack
A dangerous, multi-purpose botnet known as RondoDox has significantly escalated its operations by adding a critical, unauthenticated remote code execution vulnerability in the XWiki enterprise platform to its arsenal. Security researchers report a major spike in exploitation attempts, signaling a strategic shift for an attacker that previously focused on IoT and networking devices.
The campaign, first observed integrating the XWiki exploit on November 3, 2025, targets CVE-2025-24893. This vulnerability is so severe it allows attackers to take complete control of a server without any authentication, and it was added to the CISA Known Exploited Vulnerabilities (KEV) catalog on October 30.
The Technical Breakdown: CVE-2025-24893
At the heart of this attack is a critical (9.8 CVSS) template injection vulnerability. The flaw exists within XWiki's SolrSearch macro, a component used for full-text search.
An attacker can exploit this flaw by sending a single, specially crafted GET request to the search endpoint. Because the application fails to properly sanitize user input, the attacker can inject and execute arbitrary Groovy code. This means an unauthenticated user on the internet can run any command on the underlying server with the permissions of the XWiki application, effectively granting them a full compromise.
Exploitation is trivial, and the flaw is being actively used to download and run malicious scripts, establish reverse shells, or install cryptocurrency miners.
A New Target for the RondoDox "Shotgun"
The RondoDox botnet first gained notoriety in mid-2025 for its "exploit shotgun" approach. Its operators traditionally targeted a massive list of over 50 different vulnerabilities, primarily low-hanging fruit like command injection flaws in routers, DVRs, NVRs, and other internet-connected IoT devices.
This new attack on XWiki marks a significant and worrying evolution in its tactics. By moving from consumer and SOHO devices to enterprise-grade software, RondoDox is expanding its victim pool to include more powerful, high-bandwidth servers. These servers are ideal for the botnet's primary purpose: launching large-scale Distributed Denial-of-Service (DDoS) attacks using HTTP, UDP, and TCP floods.
Researchers at VulnCheck, who have been monitoring the campaign on their "canary" honeypot systems, were able to easily attribute the attacks. The RondoDox campaign has a distinct signature, including a specific User-Agent and a payload naming convention that typically downloads a script named rondo.sh.
Not the Only Attacker
While RondoDox is the most prominent botnet to adopt this exploit, it is not alone. The spike in scanning activity, which peaked on November 7 and 11, is attributed to multiple, independent threat actors. Researchers have observed other campaigns using the same vulnerability to:
- Deploy Cryptominers: One of the first observed campaigns, originating from an attacker in Vietnam, used the flaw to install XMRig coinminers.
- Establish Footholds: Other attackers are using the exploit to establish persistent reverse shells, giving them long-term "hands-on-keyboard" access to the compromised servers for future, deeper attacks.
Immediate Mitigation and Detection
The patch for CVE-2025-24893 was released by XWiki in February 2025. Any organization running an XWiki server must upgrade immediately.
- Patching: Administrators must upgrade to version 15.10.11, 16.4.1, 16.5.0RC1, or any newer version.
- Detection: Security teams should immediately begin monitoring their web server and application logs. Look for any suspicious requests to the /bin/get/Main/SolrSearch endpoint. Any log entry for this URL that contains Groovy code (e.g., java.lang.Runtime) in its search parameters is a definitive indicator of an exploitation attempt.
- Defense: A properly configured Web Application Firewall (WAF) can be used to block requests that contain malicious signatures in the query parameters, providing a layer of defense for systems that cannot be patched immediately.
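The detection step above, as an added example that is not part of the original article and not a tool from XWiki or VulnCheck: a small Python scanner that reads access-log lines in the common Apache/nginx "combined" format, keeps only requests to /bin/get/Main/SolrSearch, percent-decodes the query string (repeatedly, so double-encoded payloads are still caught) and flags any entry whose search parameters contain java.lang.Runtime. The endpoint path and the indicator string come from the article; the sample log lines, IP addresses, user agents and the redacted payload text are constructed for the example.

```python
"""Scan web-server access logs for CVE-2025-24893 exploitation attempts against XWiki.

Indicators come from the article: requests to /bin/get/Main/SolrSearch whose
search parameters carry Groovy code such as java.lang.Runtime. The log lines
below are constructed samples in the Apache/nginx "combined" log format.
"""
import re
from urllib.parse import unquote_plus, urlsplit

TARGET_PATH = "/bin/get/Main/SolrSearch"
# Lower-cased substrings treated as evidence of injected Groovy; extend as needed.
GROOVY_INDICATORS = ("java.lang.runtime",)

# Combined format: ip ident user [time] "METHOD URL PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (RFC 5737 documentation addresses; payload body redacted).
SAMPLE_LOG = [
    # 1. benign full-text search
    '203.0.113.10 - - [07/Nov/2025:10:15:01 +0000] "GET /bin/get/Main/SolrSearch'
    '?text=deployment+guide HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    # 2. exploitation attempt, single URL encoding
    '198.51.100.7 - - [07/Nov/2025:10:16:44 +0000] "GET /bin/get/Main/SolrSearch'
    '?text=java.lang.Runtime%20%5Bpayload%20redacted%5D HTTP/1.1" 200 812 "-" "curl/8.4.0"',
    # 3. exploitation attempt, double URL encoding (%25 -> %)
    '198.51.100.9 - - [07/Nov/2025:10:17:02 +0000] "GET /bin/get/Main/SolrSearch'
    '?text=java%252Elang%252ERuntime HTTP/1.1" 200 812 "-" "python-requests/2.31"',
    # 4. unrelated page view
    '203.0.113.22 - - [07/Nov/2025:10:18:30 +0000] "GET /bin/view/Main/ HTTP/1.1" '
    '200 9001 "-" "Mozilla/5.0"',
]


def fully_decode(value, max_rounds=3):
    """Percent-decode until the string stops changing, so double-encoding is unwrapped."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(line):
    """Return None for requests to other paths, else a dict describing the SolrSearch request."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    parts = urlsplit(m.group("url"))
    if parts.path != TARGET_PATH:
        return None
    decoded_query = fully_decode(parts.query)
    lowered = decoded_query.lower()
    indicator = next((i for i in GROOVY_INDICATORS if i in lowered), None)
    return {
        "ip": m.group("ip"),
        "timestamp": m.group("ts"),
        "user_agent": m.group("ua"),
        "decoded_query": decoded_query,
        "indicator": indicator,
        "suspicious": indicator is not None,
    }


def scan(lines):
    """Return only the entries that look like exploitation attempts, in log order."""
    hits = []
    for line in lines:
        entry = classify(line)
        if entry and entry["suspicious"]:
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"[ALERT] {hit['timestamp']} {hit['ip']} ua={hit['user_agent']!r} "
              f"indicator={hit['indicator']} query={hit['decoded_query']!r}")
```

Two points the one-line rule in the article leaves implicit: a raw substring match on the access log misses payloads that arrive percent-encoded (the third sample line is invisible to a plain grep for java.lang.Runtime until it is decoded twice), and the web-server log only covers what the front end saw, so the same check should be run against XWiki's own application logs as the article recommends. A benign search that happens to contain the indicator text will also alert, so review the decoded query before escalating.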