RondoDox Exploits Unpatched XWiki Servers to Pull More Devices Into Its Botnet

The botnet malware known as RondoDox has been observed targeting unpatched XWiki instances against a critical security flaw that could allow attackers to achieve arbitrary code execution.
The vulnerability in question is CVE-2025-24893 (CVSS score: 9.8), an eval injection bug that could allow any guest user to perform arbitrary remote code execution through a request to the “/bin/get/Main/SolrSearch” endpoint. It was patched by the maintainers in XWiki 15.10.11, 16.4.1, and 16.5.0RC1 in late February 2025.
In a fresh report published Friday, VulnCheck revealed that it has since observed a spike in exploitation attempts, hitting a new high on November 7, followed by another surge on November 11. This indicates broader scanning activity likely driven by multiple threat actors participating in the effort.
This includes RondoDox, a botnet that’s rapidly adding new exploitation vectors to rope susceptible devices into a botnet for conducting distributed denial-of-service (DDoS) attacks using HTTP, UDP, and TCP protocols. The first RondoDox exploit was observed on November 3, 2025, per the cybersecurity company.

To read the complete article see:
The Hacker News