ACTIVELY EXPLOITED
By Lyrie Threat Intelligence · 10/30/2025

What happened

CISA added CVE-2025-24893 to the Known Exploited Vulnerabilities (KEV) catalog on 2025-10-30, signaling confirmed in-the-wild exploitation of XWiki Platform’s eval injection flaw [CISA KEV]. The entry states the issue "could allow any guest to perform arbitrary remote code execution through a request to SolrSearch" [CISA KEV]. The required action is to apply vendor mitigations or discontinue use if none are available, with a due date of 2025-11-20 for federal agencies [CISA KEV].

The vulnerability is tracked as CVE-2025-24893 and mapped to CWE-95 (eval injection) [NVD entry]. MITRE’s record corroborates the identifier and assignment [MITRE CVE]. The upstream project has published an advisory for the issue, referencing SolrSearch as the trigger surface [GitHub advisory].

CISA lists "Known ransomware campaign use: Unknown" for this CVE, but KEV inclusion itself means exploitation has been observed in the wild, not merely demonstrated in a proof of concept [CISA KEV].

Why it matters

Pre-authentication remote code execution (RCE) is the shortest path from an internet-facing bug to compromise. Here, "any guest" can hit a vulnerable SolrSearch request and achieve arbitrary code execution on the application host [CISA KEV]. KEV status indicates adversaries are already doing this in the wild, so patch velocity must outpace automated reconnaissance and exploitation [CISA KEV].

Eval injection (CWE-95) typically arises when untrusted input is passed to an evaluator in a dynamic language or templating context, enabling attacker-controlled code to run [NVD entry]. In XWiki’s case, the vendor highlights SolrSearch as the request path implicated by the bug [GitHub advisory]. That makes the exploitation surface predictable and trivially scannable for bots.

Technical detail

The flaw is classified as CWE-95 (eval injection), which occurs when user input is evaluated as code without safe handling [NVD entry]. According to the KEV description, "any guest" can trigger the issue via a SolrSearch request to XWiki, leading to arbitrary RCE on the server side [CISA KEV]. This implies no authentication barrier is required before reaching the vulnerable path, increasing exploitability on public instances [CISA KEV].

The project’s advisory acknowledges the vulnerability and denotes the SolrSearch entry point as the vector, aligning with CISA’s description [GitHub advisory]. The CVE registration by MITRE confirms the identifier and coordinates for ecosystem tracking [MITRE CVE].

Given KEV inclusion, exploitation has been observed, and opportunistic attackers will continue crawling for exposed XWiki instances and hammering SolrSearch until patched [CISA KEV]. The risk surface includes any internet-accessible XWiki Platform that routes SolrSearch requests to the vulnerable code path [NVD entry].

Defense

  • Patch/mitigate now: Apply the vendor’s instructions from the XWiki advisory and verify remediation on all exposed instances [GitHub advisory].
  • Federal urgency: CISA sets a due date of 2025-11-20 and instructs agencies to apply mitigations per vendor guidance, follow BOD 22-01 for cloud services, or discontinue use if no mitigations exist [CISA KEV].
  • Reduce exposure: Because "any guest" can exploit via SolrSearch, restrict or temporarily disable anonymous/guest access where feasible until patched [CISA KEV].
  • Monitor and filter: Instrument logging around SolrSearch requests and alert on abnormal spikes or suspicious parameterization referencing code-eval patterns tied to this CVE [CISA KEV]. Where possible, add targeted web filtering for the SolrSearch route while maintaining business function [GitHub advisory].
  • Validate: After applying fixes, confirm that the SolrSearch request path is no longer exploitable, following the vendor’s guidance for this CVE [NVD entry].
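As an added illustration of the "Monitor and filter" item above (example code written for this write-up, not tooling from XWiki, CISA or Lyrie), the following Python scans web-server access logs for requests to the SolrSearch route, raises per-client volume spikes, and flags queries carrying wiki-macro or script-expression delimiters. The `/bin/view/Main/SolrSearch` path, the combined-log layout, the spike threshold and the delimiter heuristic are all assumptions; the log lines are constructed samples.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Combined/common access-log line: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# The route CISA and the vendor advisory name as the trigger surface.
SOLR_ROUTE = re.compile(r'/SolrSearch\b', re.IGNORECASE)
# Assumed heuristic (not from the advisory): macro or script-expression
# delimiters have no place in a plain search string, so their presence in
# the decoded query is a code-eval signal worth alerting on.
EVAL_HINT = re.compile(r'\{\{|\}\}|\$\{|#\{')

def detect(lines, spike_threshold=4):
    """Return SolrSearch requests with eval-like parameters and per-IP spikes."""
    flagged, per_ip = [], Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                        # skip unparseable lines
        target = unquote_plus(m['target'])  # decode %7B etc. before matching
        if not SOLR_ROUTE.search(target):
            continue
        per_ip[m['ip']] += 1
        if EVAL_HINT.search(target):
            flagged.append({'ip': m['ip'], 'ts': m['ts'],
                            'status': int(m['status']), 'target': target})
    spikes = {ip: n for ip, n in per_ip.items() if n >= spike_threshold}
    return {'flagged': flagged, 'spikes': spikes}

# Constructed sample lines: ordinary searches, one request carrying macro
# delimiters in the query, and one client hammering the route.
SAMPLE_LOG = [
    '10.0.0.5 - - [30/Oct/2025:10:01:02 +0000] "GET /bin/view/Main/SolrSearch?text=release+notes HTTP/1.1" 200 5120',
    '10.0.0.5 - - [30/Oct/2025:10:01:09 +0000] "GET /bin/view/Main/WebHome HTTP/1.1" 200 8210',
    '203.0.113.7 - - [30/Oct/2025:10:02:11 +0000] "GET /bin/view/Main/SolrSearch?text=%7B%7Bexample%7D%7D HTTP/1.1" 200 4411',
] + [
    f'198.51.100.9 - - [30/Oct/2025:10:03:{s:02d} +0000] "GET /bin/view/Main/SolrSearch?text=probe{s} HTTP/1.1" 200 4300'
    for s in range(5)
]

if __name__ == '__main__':
    for key, value in detect(SAMPLE_LOG).items():
        print(key, value)
```

Feed it `sys.stdin` or a log file in place of `SAMPLE_LOG`; a flagged entry or a spike is a prompt to block the source and check the host for execution-side effects, not proof of compromise on its own.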

Lyrie Verdict

This is pre-auth RCE reachable via a predictable search route, which is catnip for autonomous scanners and agentic exploit loops. Lyrie treats anything that looks like SolrSearch-driven eval as hostile at machine speed, correlating inbound SolrSearch requests with immediate execution-side effects to flag CVE-2025-24893 attempts before a human could triage [CISA KEV]. Our detectors key off the CVE semantics (eval injection/CWE-95) to prioritize and auto-contain traffic that matches the SolrSearch exploitation profile across tenants [NVD entry]. Where policy allows, Lyrie can shun repeat offenders and enforce temporary blocks on the SolrSearch route until the vendor fix is validated, closing the pre-auth gap exploited in the wild [GitHub advisory].

Lyrie Verdict

Pre-auth RCE via a predictable SolrSearch path is prime automation fodder. Lyrie correlates SolrSearch requests with eval-exec semantics (CWE-95) and auto-contains CVE-2025-24893 patterns at machine speed, including shunning repeat sources and optionally blocking the SolrSearch route until vendor fixes are verified.