CVE-2025-24893 XWiki Platform Eval Injection Exploitation
Detects exploitation of CVE-2025-24893, an eval injection vulnerability (CWE-95) in XWiki Platform that allows remote code execution via server-side template injection. This CVE is listed in CISA's Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild. Attackers can craft malicious wiki content or URLs containing Groovy/Velocity template expressions that are evaluated server-side, leading to arbitrary code execution under the XWiki process context.
Vulnerability Intelligence
KEV — Known Exploited
Affected Software
- Vendor: XWiki
- Product: Platform
Weakness (CWE): CWE-95 (Eval Injection)
Timeline
- Disclosed: October 30, 2025
CVSS
What is CVE-2025-24893 (XWiki Platform Eval Injection Exploitation)?
CVE-2025-24893 XWiki Platform Eval Injection Exploitation maps to the MITRE ATT&CK tactics Initial Access, Execution, Persistence and Lateral Movement; under Initial Access, the adversary is trying to get into your network.
This page provides production-ready detection logic for CVE-2025-24893 XWiki Platform Eval Injection Exploitation, covering the data sources and telemetry it touches: CommonSecurityLog, W3CIISLog, AzureDiagnostics, Syslog. The queries below are rated critical severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.
MITRE ATT&CK
union isfuzzy=true
(
CommonSecurityLog
| where DeviceVendor =~ "XWiki" or DeviceProduct has_any ("xwiki", "XWiki")
| where RequestURL has_any ("%7B%7B", "%24%7B", "{{velocity}}", "#set(", "velocity", "groovy")
or RequestURL matches regex @"(?i)(\{\{[^}]+\}\}|\$\{[^}]+\}|%7B%7B|%24%7B)"
),
(
W3CIISLog
| where csUriStem has_any ("xwiki", "/bin/", "/download/")
| where csUriQuery has_any ("%7B%7B", "groovy", "velocity", "%24%7B", "#set", "Runtime", "exec")
),
(
AzureDiagnostics
| where Category has_any ("ApplicationGatewayAccessLog", "ApplicationGatewayFirewallLog")
| where requestUri_s has_any ("xwiki", "/bin/view", "/bin/edit")
| where requestUri_s matches regex @"(?i)(groovy|velocity|\{\{|%7B%7B|exec|Runtime|ProcessBuilder)"
),
(
Syslog
| where ProcessName has_any ("java", "xwiki", "tomcat")
| where SyslogMessage has_any ("groovy.lang", "ProcessBuilder", "Runtime.exec", "eval(", "{{velocity}}", "xwiki.groovy")
)
| extend ThreatIndicator = "CVE-2025-24893 XWiki Eval Injection"
| project TimeGenerated, ThreatIndicator, Computer, DeviceVendor, DeviceProduct, RequestURL, SourceIP, DestinationIP, Activity, AdditionalExtensions
Detects CVE-2025-24893 XWiki eval injection exploitation via HTTP request patterns containing Groovy/Velocity template injection payloads in XWiki application logs, IIS logs, Azure Application Gateway logs, and Java process syslog entries.
Data Sources
Required Tables: CommonSecurityLog, W3CIISLog, AzureDiagnostics, Syslog
False Positives
- Legitimate XWiki administrators testing or creating Groovy/Velocity-based macros and scripts in development environments
- Automated content migration or import tools that generate template-like URL patterns when processing wiki content
- Security scanners and vulnerability assessment tools performing authorized scans against XWiki installations
- XWiki internal application events using Groovy macros for legitimate wiki functionality such as dynamic content rendering
Sigma rule & cross-platform mapping
The detection logic for CVE-2025-24893 XWiki Platform Eval Injection Exploitation (CVE-2025-24893) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:
logsource:
  product: azure
Browse the community-maintained Sigma rules for this technique:
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: XWiki Velocity Template Expression Injection via URL Parameter
Expected signal: Web server access log entry for GET request to /xwiki/bin/view/Main/WebHome with URL-encoded Velocity expression `#set($rt=$x.class.forName("java.lang.Runtime"))` and `exec("id")` in query parameters; Syslog or Java log entry showing Velocity evaluation; possible child process `id` spawned from Java parent.
- Test 2: XWiki Groovy Script Injection via Wiki Page Edit API
Expected signal: Web server access log showing PUT request to /xwiki/rest/wikis/xwiki/spaces/Main/pages/ with XML body containing `{{groovy}}` and `execute()` content. XWiki application log showing Groovy script evaluation event. Process event showing `id` command execution as child of Java process if the page is subsequently rendered.
- Test 3: XWiki Post-Exploitation Reverse Shell via Groovy RCE
Expected signal: Process event showing `bash` child process spawned from Java parent with command line containing `/dev/tcp/` indicating reverse shell. Network connection event from Java/bash process to attacker IP on port 4444. XWiki application log showing Groovy script evaluation. Syslog entries showing bash process activity under the XWiki service account.
- Test 4: XWiki Eval Injection Scanner Simulation
Expected signal: Multiple web server access log entries within a short time window for GET requests to /xwiki/bin/view/Main/WebHome with varying URL-encoded Groovy, Velocity, and FreeMarker injection payloads in query parameters from the same source IP.
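As an added example that is not part of this detection package, the request-pattern logic of the KQL query above and the burst heuristic of Test 4 are run in Python over constructed access-log lines; the percent-decoding step shows why the KQL matches both `{{` and `%7B%7B`. The log layout, the client IPs and the 3-hits-in-60-seconds threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote

# Same indicator set as the KQL query, applied to the decoded query string so that
# "%7B%7B" and "{{" are treated identically.
TEMPLATE_INJECTION = re.compile(
    r"(\{\{[^}]+\}\}|\$\{[^}]+\}|#set\(|groovy|velocity|Runtime|ProcessBuilder|exec)",
    re.IGNORECASE,
)
XWIKI_PATHS = ("/xwiki", "/bin/view", "/bin/edit", "/rest/wikis")

def normalize(url: str) -> str:
    """Percent-decode twice: the second pass undoes double encoding such as %257B."""
    return unquote(unquote(url))

def is_suspicious(url: str) -> bool:
    path, _, query = normalize(url).partition("?")
    return any(p in path for p in XWIKI_PATHS) and TEMPLATE_INJECTION.search(query) is not None

# Constructed log lines (assumed layout: timestamp client method url status).
SAMPLE_LOG = """\
2025-11-01T10:00:00 203.0.113.5 GET /xwiki/bin/view/Main/WebHome?q=%7B%7Bgroovy%7D%7D 200
2025-11-01T10:00:02 203.0.113.5 GET /xwiki/bin/view/Main/WebHome?q=%2523set%28 200
2025-11-01T10:00:04 203.0.113.5 GET /xwiki/bin/view/Main/WebHome?q=%24%7Bx%7D 200
2025-11-01T10:30:00 198.51.100.9 GET /xwiki/bin/view/Main/WebHome 200
2025-11-01T10:31:00 198.51.100.9 GET /xwiki/bin/view/Sandbox/Velocity 200
"""

def parse(line: str):
    ts, client, _method, url, _status = line.split()
    return datetime.fromisoformat(ts), client, url

def detect(log: str, window: timedelta = timedelta(seconds=60), threshold: int = 3):
    """Return (hits, scanners): every suspicious request, plus clients with at least
    `threshold` hits inside one `window` (the Test 4 scanner pattern)."""
    hits = [rec for rec in map(parse, log.splitlines()) if is_suspicious(rec[2])]
    per_client = defaultdict(list)
    for ts, client, _url in hits:
        per_client[client].append(ts)
    scanners = set()
    for client, stamps in per_client.items():
        stamps.sort()
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window:
                scanners.add(client)
                break
    return hits, scanners
```

The second constructed line is double-encoded (`%2523set%28`), so a single decode would miss it; the path-only reference to "Velocity" in the last line is not flagged because only the query string is matched.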
Unlock Pro Content
Get the full detection package for CVE-2025-24893 including response playbook, investigation guide, and atomic red team tests.