CVE-2025-24893 Google Chronicle · YARA-L

Detect CVE-2025-24893 XWiki Platform Eval Injection Exploitation in Google Chronicle

Detects exploitation of CVE-2025-24893, an eval injection vulnerability (CWE-95) in XWiki Platform that allows remote code execution via server-side template injection. This CVE is listed in CISA's Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild. Attackers can craft malicious wiki content or URLs containing Groovy/Velocity template expressions that are evaluated server-side, leading to arbitrary code execution under the XWiki process context.

MITRE ATT&CK

Tactic
Initial Access Execution Persistence Lateral Movement

YARA-L Detection Query

Google Chronicle (YARA-L)
yaral 
rule cve_2025_24893_xwiki_eval_injection {
  meta:
    author = "df00tech Detection Engineering"
    description = "Detects CVE-2025-24893 XWiki Platform eval injection exploitation attempts"
    severity = "CRITICAL"
    priority = "HIGH"
    reference = "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rr6p-3pfg-562j"
    cve = "CVE-2025-24893"

  events:
    $e.metadata.event_type = "NETWORK_HTTP"
    (
      re.regex($e.network.http.request_url, `(?i)/xwiki/`) or
      re.regex($e.network.http.request_url, `(?i)/bin/(view|edit|save|download)`) or
      re.regex($e.network.http.request_url, `(?i)/rest/wikis/`)
    )
    (
      re.regex($e.network.http.request_url, `(?i)(groovy|velocity|ProcessBuilder|Runtime\.exec|%7B%7B|%24%7B)`) or
      re.regex($e.network.http.request_url, `\{\{[^}]+\}\}`) or
      re.regex($e.network.http.request_url, `\$\{[^}]+\}`) or
      re.regex($e.network.http.request_url, `#set\s*\(`) or
      re.regex($e.network.http.request_url, `(?i)exec\s*\(`)
    )

  condition:
    $e
}
critical severity medium confidence

Chronicle YARA-L rule detecting CVE-2025-24893 XWiki eval injection exploitation by matching HTTP requests to XWiki endpoints containing Groovy template expressions, Velocity macros, or Java reflection patterns indicative of server-side template injection.

Data Sources

Chronicle Network LogsChronicle UDM HTTP Events

Required Tables

network_http

False Positives & Tuning

  • Legitimate XWiki REST API calls using Groovy scripts for authorized server-side automation and content management
  • XWiki backup or synchronization tools that transmit template content via URL parameters during content migration
  • Security research environments running XWiki exploit proof-of-concept testing under controlled lab conditions
  • XWiki extension development workflows where developers pass Velocity template content through HTTP parameters for testing

Other platforms for CVE-2025-24893

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1XWiki Velocity Template Expression Injection via URL Parameter

    Expected signal: Web server access log entry for GET request to /xwiki/bin/view/Main/WebHome with URL-encoded Velocity expression `#set($rt=$x.class.forName("java.lang.Runtime"))` and `exec("id")` in query parameters; Syslog or Java log entry showing Velocity evaluation; possible child process `id` spawned from Java parent.

  2. Test 2XWiki Groovy Script Injection via Wiki Page Edit API

    Expected signal: Web server access log showing PUT request to /xwiki/rest/wikis/xwiki/spaces/Main/pages/ with XML body containing `{{groovy}}` and `execute()` content. XWiki application log showing Groovy script evaluation event. Process event showing `id` command execution as child of Java process if the page is subsequently rendered.

  3. Test 3XWiki Post-Exploitation Reverse Shell via Groovy RCE

    Expected signal: Process event showing `bash` child process spawned from Java parent with command line containing `/dev/tcp/` indicating reverse shell. Network connection event from Java/bash process to attacker IP on port 4444. XWiki application log showing Groovy script evaluation. Syslog entries showing bash process activity under the XWiki service account.

  4. Test 4XWiki Eval Injection Scanner Simulation

    Expected signal: Multiple web server access log entries within a short time window for GET requests to /xwiki/bin/view/Main/WebHome with varying URL-encoded Groovy, Velocity, and FreeMarker injection payloads in query parameters from the same source IP.

Last updated: 2026-06-19 Research depth: standard
References (2)

Unlock Pro Content

Get the full detection package for CVE-2025-24893 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0002ExecutionTA0003PersistenceTA0008Lateral Movement

Related Techniques

T1190Exploit Public-Facing ApplicationT1059.007JavaScriptT1203Exploitation for Client ExecutionT1105Ingress Tool Transfer

Same Tactic: Initial Access

Popular Detections