RondoDox Botnet Exploiting Critical XWiki Vulnerability to Hijack Servers for Crypto Mining

You know what I love? When a critical remote code execution vulnerability with a CVSS score of 9.8 gets a patch released, and then multiple threat actors immediately start exploiting it anyway because nobody bothered to update their shit. Welcome to CVE-2025-24893, the XWiki RCE that’s turning servers into botnet zombies.

XWiki? What the Hell Is That?

XWiki is an open-source wiki platform written in Java. It’s used by organizations for internal documentation, knowledge bases, collaboration, and all that enterprise-y stuff. It’s actually pretty popular in certain circles, which is exactly why hackers love targeting it.

The Vulnerability

CVE-2025-24893 is a critical remote code execution vulnerability affecting XWiki. We’re talking unauthenticated RCE here, folks—the absolute worst kind. An attacker doesn’t need credentials. They don’t need to social-engineer anyone. They just need to know your XWiki server’s IP address, and they can execute arbitrary code on it.

CVSS score of 9.8 means this is an “oh fuck” level vulnerability. The kind where you patch first and ask questions later.

Enter RondoDox and Friends

RondoDox is a botnet that’s been actively recruiting new members by exploiting this XWiki vulnerability. The botnet started hammering vulnerable XWiki servers starting November 3, 2025. But here’s the thing: RondoDox isn’t alone. Multiple threat actors have been exploiting CVE-2025-24893 since late October.

VulnCheck and other threat intelligence sources reported exploitation surges on November 7 and November 11. That’s when things really kicked into high gear.

What Are They Doing with Compromised Servers?

Once RondoDox or other threat actors compromise an XWiki server, they’re using it for:

Crypto mining – Because of course they are. Turn your server into a Bitcoin/Monero mining rig without asking permission first.

Botnet recruitment – Adding the server to their botnet infrastructure for future DDoS attacks or other malicious activity.

Unauthorized access and persistence – Installing backdoors, creating new accounts, and making sure they can get back in even if you patch.

It’s the gift that keeps on giving. Well, for the attackers anyway.

The Exploitation Timeline

Here’s how this clusterfuck unfolded:

  • October 28, 2025: CVE-2025-24893 patch released for XWiki
  • Early November: Multiple threat actors start scanning for vulnerable servers
  • November 3: RondoDox botnet joins the party and starts active exploitation
  • November 7: First major surge in exploitation attempts
  • November 11: Second surge in attacks
  • Mid-November: Thousands of vulnerable XWiki instances still exposed on the internet

Who’s at Risk?

Anyone running an unpatched XWiki instance is at risk. And given that this is open-source software often deployed by smaller IT teams or for internal use, I’d bet good money there are tons of forgotten XWiki servers sitting on networks right now, happily serving malware instead of wiki pages.

This is exactly why detailed network documentation is essential—if you don’t know what’s running on your network, you can’t patch it.

What You Need to Do

1. Identify all XWiki instances in your environment. Yes, including that one the marketing department stood up three years ago and forgot about.

2. Patch immediately. Update to the latest version that addresses CVE-2025-24893. This should have been done in late October, but better late than never.

3. Check for indicators of compromise:

  • Unusual CPU usage (crypto mining)
  • New user accounts you didn’t create
  • Scheduled tasks or cron jobs you don’t recognize
  • Outbound network connections to suspicious IPs
  • Modified system files or web shells

4. If you find evidence of compromise, assume the system is toast. Wipe it, rebuild from known-good backups, and change all credentials that might have been exposed.

5. Make sure your XWiki instances aren’t publicly accessible unless absolutely necessary. Internal documentation wikis generally don’t need to be reachable from the entire internet.
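A host-triage script for the five indicator checks in step 3, added here as an example (it is not from the original post or from the XWiki project). It assumes a Linux host with awk and grep; every path, account name and address in its comments and tests is a constructed placeholder, not a real indicator.

```sh
#!/bin/sh
# Added host-triage helper for the five IoC checks above. Not code from the
# original post or from the XWiki project; assumes a Linux host with awk and
# grep, and every sample value used with it is constructed.

# 1. Unusual CPU usage: processes at or above a %CPU threshold (miners peg CPU).
#    Reads lines shaped like `ps -eo pid,pcpu,comm --no-headers` on stdin.
high_cpu() {   # usage: ps -eo pid,pcpu,comm --no-headers | high_cpu 80
  awk -v thr="$1" '$2 + 0 >= thr { print $1, $3 }'
}

# 2. New user accounts: names absent from a baseline copy of /etc/passwd,
#    plus any non-root account that has been given UID 0.
new_accounts() {   # usage: new_accounts /path/to/passwd.baseline /etc/passwd
  awk -F: 'NR == FNR { seen[$1] = 1; next }
           !($1 in seen)            { print "NEW", $1 }
           $3 == 0 && $1 != "root"  { print "UID0", $1 }' "$1" "$2"
}

# 3. Unrecognised cron jobs: non-comment entries that pipe a download straight
#    into a shell, or run something out of /tmp or /dev/shm.
suspicious_cron() {   # usage: cat /etc/crontab /etc/cron.d/* | suspicious_cron
  grep -vE '^[[:space:]]*#' |
    grep -E '(curl|wget)[^|]*\|[[:space:]]*(sh|bash)|/tmp/|/dev/shm/'
}

# 4. Outbound connections: peers outside RFC 1918 and loopback ranges, from
#    lines shaped like `ss -ntp state established` (IPv4 peer in column 4).
external_peers() {   # usage: ss -ntp state established | external_peers
  awk 'NR > 1 { split($4, p, ":"); ip = p[1]
                if (ip !~ /^(10\.|127\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)/)
                  print ip }'
}

# 5. Modified files or dropped web shells: paths whose hash changed, or that
#    did not exist, since a baseline was taken (both inputs in `sha256sum` form).
changed_files() {   # usage: changed_files webroot.baseline.sha256 webroot.now.sha256
  awk 'NR == FNR { base[$2] = $1; next }
       !($2 in base)   { print "NEW", $2; next }
       base[$2] != $1  { print "MODIFIED", $2 }' "$1" "$2"
}
```

Each function prints one line per hit, so empty output is a clean check; the two-file `NR == FNR` idiom misfires if the baseline file is empty, so take the baseline from a known-good build rather than an empty file.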

The Botnet Economy

Let’s talk about what’s really happening here. RondoDox and similar botnets are essentially running a distributed computing business using stolen resources. They compromise vulnerable servers, install mining software or DDoS bots, and profit from your electricity bill and infrastructure.

It’s actually kind of brilliant in a completely illegal and unethical way. They have zero infrastructure costs because they’re using your servers. They have zero electricity costs because they’re using your power. And they have minimal risk because the actual malicious activity originates from your IP address, not theirs.

You’re basically funding cybercrime without even knowing it. Fun times.

Why This Keeps Happening

Here’s the depressing reality: vulnerabilities like CVE-2025-24893 get patched, security researchers publish advisories, threat intelligence firms detect exploitation, and yet thousands of organizations still don’t patch.

Why? Pick your favorite excuse:

  • “We didn’t know we had XWiki running”
  • “We’re waiting for the change window next month”
  • “We need to test the patch first”
  • “Nobody told us it was critical”
  • “We’re too busy with other projects”

Meanwhile, the bad guys are scanning the entire IPv4 address space looking for vulnerable targets, and they don’t give a shit about your change management process.

The Bigger Picture

This XWiki situation is a microcosm of the broader vulnerability management problem. Organizations deploy software, forget about it, and then act surprised when it gets compromised months or years later.

Open-source software is fantastic for many reasons, but it also means you’re responsible for maintaining it. There’s no vendor automatically pushing patches to your XWiki server. You have to monitor for updates, test them, and deploy them. If you’re not willing to do that, you shouldn’t be running the software.

Botnets like RondoDox will continue exploiting publicly disclosed vulnerabilities as long as there are vulnerable systems to exploit. The attack surface is massive, and the defenders are often understaffed, underfunded, and overwhelmed.

Patch your shit. Document your infrastructure. Monitor for compromise. It’s not glamorous, but it’s the job.
