The flaw allows attackers with minimal guest privileges to execute arbitrary commands on vulnerable systems, posing a significant security risk to organizations using this open-source enterprise wiki platform.
XWiki, which positions itself as an advanced open-source enterprise wiki and alternative to platforms like Confluence and MediaWiki, released a security advisory and patch in February addressing this severe vulnerability.
The flaw resides in the SolrSearch component and remarkably requires only guest-level privileges for exploitation, making it accessible to virtually any user with basic system access.
Although proof-of-concept code was published alongside the advisory, exploitation followed an unusually delayed timeline: initial reconnaissance scans appeared in July, but actual exploitation attempts did not surge until recently.
The exploitation method is relatively straightforward. Attackers send specially crafted GET requests to the vulnerable XWiki endpoint, specifically targeting the SolrSearch RSS media function.
SANS observed that the malicious requests embed Groovy script commands within asynchronous execution blocks, allowing remote code execution through shell commands.
Captured exploit attempts reveal attackers attempting to download and execute shell scripts from external servers, specifically from the IP address 74.194.191.52.
The User-Agent string in these requests contains the email address bang2013@atomicmail.io, potentially belonging to the threat actor.
Investigation of the hosting server uncovered an unexpected connection to Chicago rap culture, with references to captivity rapper King Lil Jay and rival RondoNumbaNine, both previously associated with opposing gang affiliations.
The vulnerability presents critical risks because it enables complete system compromise through remote code execution capabilities. Organizations running XWiki installations must prioritize immediate patching to prevent potential breaches.
The attack requires no user interaction and minimal complexity, making it particularly attractive to opportunistic threat actors conducting mass internet scanning campaigns.
Security teams should verify their XWiki installations are updated with the February security patch, monitor for suspicious SolrSearch requests, and implement network-level protections to detect exploitation attempts.
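One way to act on the monitoring advice above is to run web server access logs through a small classifier that flags requests to the SolrSearch component which carry Groovy inside an async macro, or which match the indicators named in this article (the IP address 74.194.191.52 and the User-Agent e-mail bang2013@atomicmail.io). The following is an added example, not code from the article or from the XWiki project; it assumes the Apache/nginx "combined" log format, assumes a URL path containing `SolrSearch` and a `media=rss` query parameter, and uses constructed log lines with the command portion of the payload omitted.

```python
"""Flag XWiki SolrSearch requests that look like exploitation attempts.

Added example for detection, not the article's or XWiki's own code.
Assumptions: combined access-log format, a URL path containing
"SolrSearch", and a "media=rss" query parameter. Sample lines are
constructed; the script body inside the macro is deliberately omitted.
"""
import re
from urllib.parse import parse_qs, urlsplit

COMBINED_LOG = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Indicators taken from the article's description of captured attempts.
KNOWN_DOWNLOAD_HOST = "74.194.191.52"
KNOWN_UA_FRAGMENT = "bang2013@atomicmail.io"

# Indicators that justify an alert on their own (a plain search does not).
ALERTING_INDICATORS = {"groovy-in-async-macro", "known-download-host", "known-user-agent"}


def parse_log_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = COMBINED_LOG.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qs percent-decodes values, so encoded macro braces become "{{".
    rec["query"] = parse_qs(parts.query, keep_blank_values=True)
    return rec


def classify_request(rec):
    """Return the list of indicators present in a parsed request."""
    indicators = []
    if "SolrSearch" not in rec["path"]:
        return indicators  # only the vulnerable component is of interest
    indicators.append("solrsearch-endpoint")
    if rec["query"].get("media") == ["rss"]:
        indicators.append("rss-media")
    decoded = " ".join(v for vs in rec["query"].values() for v in vs).lower()
    # The article describes Groovy embedded in asynchronous execution blocks.
    if "{{async" in decoded and "{{groovy" in decoded:
        indicators.append("groovy-in-async-macro")
    if KNOWN_DOWNLOAD_HOST in decoded:
        indicators.append("known-download-host")
    if KNOWN_UA_FRAGMENT in rec["ua"]:
        indicators.append("known-user-agent")
    return indicators


def scan_log(lines):
    """Return one alert per line whose indicators warrant attention."""
    alerts = []
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue
        indicators = classify_request(rec)
        if ALERTING_INDICATORS & set(indicators):
            alerts.append({"ip": rec["ip"], "ts": rec["ts"], "indicators": indicators})
    return alerts


# Constructed sample lines (assumed path; payload command omitted).
SAMPLE_LOG_LINES = [
    '203.0.113.7 - - [10/Oct/2025:12:00:01 +0000] "GET /xwiki/bin/get/Main/SolrSearch'
    '?media=rss&text=deployment+guide HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Oct/2025:12:00:05 +0000] "GET /xwiki/bin/get/Main/SolrSearch'
    '?media=rss&text=%7B%7Basync%7D%7D%7B%7Bgroovy%7D%7D'
    '[command+fetching+from+74.194.191.52+omitted]%7B%7B/groovy%7D%7D%7B%7B/async%7D%7D'
    ' HTTP/1.1" 200 812 "-" "Mozilla/5.0 bang2013@atomicmail.io"',
    '203.0.113.7 - - [10/Oct/2025:12:00:09 +0000] "GET /xwiki/bin/view/Main/WebHome'
    ' HTTP/1.1" 200 4410 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG_LINES):
        print(alert)
```

The classifier treats a request to SolrSearch with `media=rss` as ordinary traffic; only the macro markers or the published indicators raise an alert, which keeps legitimate search feeds out of the alert queue. Swap the two constants for a threat-intelligence feed and point `scan_log` at a real log file to use it beyond the sample.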
The combination of low attack complexity and widespread scanning activity indicates this vulnerability will remain a high-priority target for malicious actors.
The post Hackers Actively Scanning Internet to Exploit XWiki Remote Code Execution Vulnerability appeared first on Cyber Security News.