Your Infrastructure is at Risk: Hackers Are Actively Exploiting XWiki and VMware Flaws—Patch Immediately!

CYBERDUDEBIVASH

Author: CyberDudeBivash
Powered by: CyberDudeBivash Brand | cyberdudebivash.com
Related: cyberbivash.blogspot.com

Published by CyberDudeBivash • Date: Oct 31, 2025 (IST)

Actively exploited now: XWiki CVE-2025-24893 enables unauthenticated remote code execution via template/search parameter injection; VMware CVE-2025-41244 enables privilege escalation to root in environments running Aria Operations and VMware Tools (SDMP). Both are flagged by CISA and analysts as exploited in the wild. Patch, lock down your edges, and hunt immediately.

TL;DR — Treat as Incidents, Patch Faster Than Usual

  • XWiki CVE-2025-24893 (CVSS 9.8): Unauth RCE via template/search parameter injection. In-the-wild exploitation observed by multiple researchers; CISA KEV now flags it.
  • VMware CVE-2025-41244 (CVSS 7.8): Priv-esc impacting Aria Operations/VMware Tools; exploitation tied to state-linked actors; patches released by Broadcom.
  • Action: Patch to fixed builds, restrict risky endpoints, add WAF rules, and run the hunt playbooks below today.

Contents

  1. XWiki CVE-2025-24893 — What, Who, How
  2. VMware CVE-2025-41244 — What, Who, How
  3. Detections & Hunts (SIEM/EDR/Proxy)
  4. Emergency Mitigations & Patch Matrix
  5. Hardening Checklists
  6. FAQ
  7. Sources

XWiki CVE-2025-24893 — What, Who, How

Unauthenticated RCE via template injection in XWiki’s SolrSearch macro path lets remote attackers evaluate Groovy expressions. Exploitation has been captured by canary sensors and seen in public scanners; Metasploit/PoC write-ups are available, underscoring ease of abuse. Internet-facing XWiki must be patched or isolated immediately.

  • Observed outcomes: webshell/coinminer deployment and lateral movement staging.
  • Status: Added to CISA KEV; organizations urged to remediate quickly.

VMware CVE-2025-41244 — What, Who, How

A privilege-escalation flaw in Broadcom/VMware Aria Operations and VMware Tools (SDMP feature) allows an attacker with low privileges on a guest or system to escalate to root. Analysts report zero-day exploitation dating back months; the vendor has shipped fixes across the affected product lines. Track exposure across Cloud Foundation/Telco platforms as well.

  • Threat activity: CISA and multiple outlets warn of active exploitation; attribution includes state-linked operators in some campaigns.
  • Status: In CISA KEV; patches and guidance available from Broadcom.

Detections & Hunts (SIEM/EDR/Proxy)

XWiki — Web/Proxy/Host Hunts

  • Proxy logs: Atypical GET/POST to XWiki search endpoints carrying Groovy-like payloads or encoded expressions; sudden spikes of 500/503 before webshell drop. 
  • Filesystem: Newly created .groovy/.jsp or suspicious files under /xwiki/ or temp dirs; integrity drift of templates.
  • Process tree: App server child processes (e.g., java spawning sh/bash) with outbound connections.

VMware — Platform/Guest Hunts

  • Auth/priv spikes: Sudden elevation of low-priv accounts on Aria Ops hosts; unexpected sudo / setuid activity.
  • SDMP traces: Look for suspicious interactions with guest service discovery/SDMP components around crash or restart events.
  • IOC correlation: Cross-check CISA KEV items and vendor bulletins for indicators tied to CVE-2025-41244 campaigns.

# Proxy hunt idea (XWiki): search/SolrSearch/suggest requests carrying encoded template markers
zgrep -E "(/xwiki/.*search|SolrSearch|suggest)" access.log* | grep -Ei "(%7B|%24|groovy|eval|script)"

# Linux: child processes of the java app server (Tomcat/Jetty), then shell/downloader activity in its unit log
for p in $(pgrep -x java); do ps --ppid "$p" -o ppid,pid,user,cmd; done
journalctl -u 'tomcat*' --since "24 hours ago" | grep -Ei "exec|bash|curl|wget"

Emergency Mitigations & Patch Matrix

Immediate Edge/WAF Guardrails

# Block risky XWiki search/template injection patterns (concept rule, not vendor syntax)
if path matches /(SolrSearch|search)/ and request contains /(groovy|\$\{|%24%7B)/ then block(403)
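The proxy hunt in the previous section and the guardrail above reduce to one predicate: an XWiki search endpoint plus template-evaluation markers in the decoded request. The following is an added example (not code from the original post or from XWiki) that implements that predicate in Python and runs it over constructed access-log lines; the log format, endpoint regex and marker list are assumptions, and double URL-decoding is included because single-decoding misses %2524%257B.

```python
import re
from urllib.parse import unquote

# XWiki search/suggest endpoints named in the hunts (SolrSearch macro path); assumed regex.
RISKY_PATH = re.compile(r"/xwiki/.*(solrsearch|/search|suggest)", re.IGNORECASE)
# Template-evaluation markers the advisory greps for: ${...} (Velocity), {{groovy}}
# (XWiki macro) and Velocity directives; they usually arrive URL-encoded (%24%7B, %7B%7B).
RISKY_MARKERS = re.compile(r"(\$\{|\{\{groovy|\{\{velocity|#set\(|#evaluate\()", re.IGNORECASE)

# Assumed combined/common log format: ip - user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

def decode_target(target: str) -> str:
    """Decode twice so a double-encoded %2524%257B still collapses to '${'."""
    return unquote(unquote(target))

def is_risky_request(target: str) -> bool:
    """True when the request hits an XWiki search endpoint AND the decoded target
    carries template-evaluation markers (the same predicate a WAF rule needs)."""
    decoded = decode_target(target)
    return bool(RISKY_PATH.search(decoded) and RISKY_MARKERS.search(decoded))

def hunt(log_lines):
    """Return (ip, method, decoded target, status) for every flagged log line."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and is_risky_request(m["target"]):
            hits.append((m["ip"], m["method"], decode_target(m["target"]), int(m["status"])))
    return hits

# Constructed sample lines (not real traffic); the markers are placeholders, not payloads.
SAMPLE_LOG = [
    '203.0.113.5 - - [31/Oct/2025:10:00:01 +0530] "GET /xwiki/bin/view/Main/SolrSearch?text=release+notes HTTP/1.1" 200 5120',
    '198.51.100.9 - - [31/Oct/2025:10:00:07 +0530] "GET /xwiki/bin/get/Main/SolrSearch?text=%24%7Bgroovy.placeholder%7D HTTP/1.1" 500 312',
    '198.51.100.9 - - [31/Oct/2025:10:00:09 +0530] "POST /xwiki/bin/get/Main/SolrSearch?text=%2524%257Bdouble%257D HTTP/1.1" 503 0',
    '203.0.113.7 - - [31/Oct/2025:10:01:00 +0530] "GET /other/search?q=%24%7Bx%7D HTTP/1.1" 200 88',
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit)  # two hits, both from 198.51.100.9, with 500/503 status
```

A run of 500/503 responses from one client against SolrSearch, as in the sample, is the "error spike before webshell drop" pattern the hunt bullets describe, so pivot from these hits to the filesystem and process-tree checks.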

XWiki — Patch & Validate

  1. Patch to vendor-fixed builds for CVE-2025-24893; review release notes and disable unsafe template evaluation paths.
  2. Validate: Re-hash templates, scan for webshells, rotate app secrets, and enforce least-priv on the app server.
  3. Isolation: If patching is delayed, remove public exposure; restrict to VPN/Zero-Trust proxy.

VMware — Patch & Validate

  1. Apply Broadcom updates for Aria Operations, Tools (and Cloud Foundation/Telco where applicable) that remediate CVE-2025-41244.
  2. Validate: Confirm new package versions; review SDMP configuration; monitor for privilege anomalies post-patch.
  3. Credential/token hygiene: Rotate credentials on impacted hosts; review recent admin actions.

Hardening Checklists

  • Zero-trust edges: Put admin APIs and risky endpoints behind mTLS/JWT-aware proxies; no direct internet exposure.
  • Exploit chain breaks: WDAC/AppLocker (Windows) or eBPF/SELinux profiles (Linux) to restrict interpreter spawns from app servers.
  • Observability: Dedicated dashboards for XWiki search errors and Aria Ops privilege events; alert on template edits and SDMP activity.
  • Backups & DR: Verified, offline backups of XWiki data and Aria Ops configs; practice restore runbooks quarterly.

FAQ

Are these confirmed “actively exploited” today?

Yes. CISA expanded KEV to include XWiki CVE-2025-24893 and VMware CVE-2025-41244, with additional analyst reporting of in-the-wild activity (including earlier zero-day use for the VMware issue).

What does the XWiki bug allow?

Unauthenticated RCE via template/parameter injection (SolrSearch macro). Multiple public analyses and modules describe the attack path.

What does the VMware bug allow?

Local privilege escalation to root in Aria Operations/Tools contexts where SDMP is enabled; vendor updates are available.

Sources

  • SecurityWeek — CISA adds exploited XWiki & VMware flaws (KEV update).
  • VulnCheck — XWiki CVE-2025-24893 exploited in the wild (canary capture, IoCs).
  • OffSec — Deep dive on CVE-2025-24893 unauth RCE.
  • Rapid7 Metasploit module — XWiki unauth RCE usage notes.
  • Broadcom/Qualys/CIS advisories — VMware CVE-2025-41244 details & patches.
  • CISA Alerts — KEV additions & exploitation notes.

CyberDudeBivash — Services, Apps & Ecosystem

  • Emergency Patch Sprints (Web, VMware, Linux/Windows)
  • Threat Hunts (XWiki RCE chains, Aria Ops/Tools priv-esc)
  • WAF/Zero-Trust Edge Engineering & Log Pipelines

Author: CyberDudeBivash • Powered by CyberDudeBivash • © 2025

#CyberDudeBivash #CyberBivash #XWiki #CVE202524893 #VMware #CVE202541244 #RCE #PrivilegeEscalation #CISAKEV #ThreatWire
