CVE-2026-44179 Splunk · SPL

Detect CVE-2026-44179: XWiki Pro Macros RCE via Excerpt-Include Macro in Splunk

Detects exploitation of CVE-2026-44179, a critical remote code execution vulnerability in com.xwiki.pro:xwiki-pro-macros versions >= 1.13 and < 1.14.5. The vulnerability (CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code) allows unauthenticated or low-privileged attackers to execute arbitrary code on the server by injecting malicious Groovy/Velocity script expressions into XWiki page titles or content that are subsequently processed by the excerpt-include macro. A public proof-of-concept is available.

MITRE ATT&CK

Tactics: Initial Access, Execution, Persistence, Privilege Escalation

SPL Detection Query

index=* sourcetype IN ("linux_audit", "wineventlog", "sysmon", "osquery", "crowdstrike:events:sensor")
| eval proc = coalesce(process_name, ProcessName), parent = coalesce(parent_process_name, ParentProcessName)
| eval is_xwiki_parent = if(match(parent, "(?i)(java|xwiki)"), 1, 0)
| eval suspicious_child = if(match(proc, "(?i)^(bash|sh|cmd\.exe|powershell\.exe|whoami|id|curl|wget|nc|ncat|python[0-9.]*|perl|ruby)$"), 1, 0)
| eval reverse_shell_port = if(in(dest_port, "4444", "1337", "9001", "8888", "443", "80") AND (match(proc, "(?i)java") OR match(app, "(?i)xwiki")), 1, 0)
| eval xwiki_file_write = if(match(file_path, "(?i)(xwiki|xwiki-data|XWikiStore)") AND match(proc, "(?i)java"), 1, 0)
| where (is_xwiki_parent=1 AND suspicious_child=1) OR reverse_shell_port=1 OR xwiki_file_write=1
| eval risk_score = case(
    suspicious_child=1 AND is_xwiki_parent=1, 90,
    reverse_shell_port=1, 80,
    xwiki_file_write=1, 60,
    true(), 50
  )
| eval risk_indicator = case(
    suspicious_child=1, "Shell or interpreter spawned from XWiki/Java process",
    reverse_shell_port=1, "Outbound connection on high-risk port from XWiki JVM",
    xwiki_file_write=1, "File written to XWiki directory by Java process",
    true(), "Suspicious XWiki JVM activity"
  )
| table _time, host, user, proc, parent, command_line, dest, dest_port, file_path, risk_score, risk_indicator
| sort -risk_score

Severity: critical · Confidence: medium

Identifies process execution anomalies, outbound connections, and file write events from Java/XWiki processes consistent with RCE exploitation of CVE-2026-44179 via crafted excerpt-include macro payloads.

Data Sources

  • Linux Audit
  • Windows Event Log
  • Sysmon
  • CrowdStrike Falcon
  • osquery

Required Sourcetypes

  • linux_audit
  • wineventlog
  • sysmon
  • osquery
  • crowdstrike:events:sensor

False Positives & Tuning

  • XWiki plugins or extensions that legitimately invoke shell commands for document conversion or indexing
  • Authorized security scanning tools running as the xwiki service user
  • Java-based monitoring agents that establish outbound connections from the same host
  • Scheduled maintenance jobs that write temporary files to XWiki data directories
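
To check the query's eval/where/case logic against sample telemetry before deploying it, here is an added Python re-implementation (not code from the page or from the rule's author). It anchors the child-process pattern so that a name such as sshd does not match on the substring sh, lets network and file-write events fire without a java parent, and adds a command-line allowlist for the first false-positive case above; the /opt/xwiki/bin/convert.sh path, the wiki01 host and all event records are constructed assumptions.

```python
import re
from typing import Optional

# Anchored versions of the SPL match() patterns; anchoring stops substring hits like "sshd" matching "sh".
XWIKI_PARENT = re.compile(r"(?i)(java|xwiki)")
SUSPICIOUS_CHILD = re.compile(r"(?i)^(bash|sh|cmd\.exe|powershell\.exe|whoami|id|curl|wget|nc|ncat|python[0-9.]*|perl|ruby)$")
XWIKI_PATH = re.compile(r"(?i)(xwiki|xwiki-data|XWikiStore)")
JAVA = re.compile(r"(?i)java")
XWIKI_APP = re.compile(r"(?i)xwiki")
HIGH_RISK_PORTS = {"4444", "1337", "9001", "8888", "443", "80"}
# Hypothetical tuning allowlist for the first false-positive case above (a document-conversion
# wrapper the wiki JVM legitimately runs); the path is an assumption, not from the page.
ALLOWED_CMDLINES = [re.compile(r"^/opt/xwiki/bin/convert\.sh\b")]

def score_event(ev: dict) -> Optional[dict]:
    """Mirror the SPL eval/where/case logic for one event; None means not a hit."""
    proc = ev.get("process_name") or ev.get("ProcessName") or ""
    parent = ev.get("parent_process_name") or ev.get("ParentProcessName") or ""
    is_xwiki_parent = bool(XWIKI_PARENT.search(parent))
    suspicious_child = bool(SUSPICIOUS_CHILD.search(proc))
    if any(p.search(ev.get("command_line", "")) for p in ALLOWED_CMDLINES):
        suspicious_child = False  # tuned out: known-good child of the JVM
    reverse_shell_port = str(ev.get("dest_port", "")) in HIGH_RISK_PORTS and (
        bool(JAVA.search(proc)) or bool(XWIKI_APP.search(ev.get("app", ""))))
    xwiki_file_write = bool(XWIKI_PATH.search(ev.get("file_path", ""))) and bool(JAVA.search(proc))
    if not ((is_xwiki_parent and suspicious_child) or reverse_shell_port or xwiki_file_write):
        return None
    if is_xwiki_parent and suspicious_child:
        return {"risk_score": 90, "risk_indicator": "Shell or interpreter spawned from XWiki/Java process"}
    if reverse_shell_port:
        return {"risk_score": 80, "risk_indicator": "Outbound connection on high-risk port from XWiki JVM"}
    return {"risk_score": 60, "risk_indicator": "File written to XWiki directory by Java process"}

# Constructed sample telemetry: one record per detection branch plus two benign look-alikes.
SAMPLE_EVENTS = [
    {"host": "wiki01", "parent_process_name": "java", "process_name": "sh", "command_line": "sh -c id"},
    {"host": "wiki01", "process_name": "java", "dest": "203.0.113.5", "dest_port": "4444"},
    {"host": "wiki01", "parent_process_name": "catalina.sh", "process_name": "java", "file_path": "/var/lib/xwiki/data/x"},
    {"host": "wiki01", "parent_process_name": "java", "process_name": "sshd"},  # benign: no longer a substring hit
    {"host": "wiki01", "parent_process_name": "java", "process_name": "sh", "command_line": "/opt/xwiki/bin/convert.sh a.odt"},
]

def run(events=SAMPLE_EVENTS):
    """Score every event and return the hits ordered like `| sort -risk_score`."""
    hits = [dict(ev, **r) for ev in events if (r := score_event(ev))]
    return sorted(hits, key=lambda h: -h["risk_score"])

if __name__ == "__main__":
    for h in run():
        print(h["risk_score"], h["host"], h["process_name"], h["risk_indicator"])
```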

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: XWiki Excerpt-Include SSTI via Groovy Script Block

    Expected signal: Process creation event showing java (or catalina) as parent process and a subprocess running 'id' or 'sh -c id'. Network logs may show the HTTP response containing the output of the id command.

  2. Test 2: XWiki RCE Reverse Shell via Excerpt-Include Macro

    Expected signal: Outbound TCP connection from the XWiki host JVM process to ATTACKER_IP:4444. Process tree shows java -> bash with interactive shell flags. Network flow records an established connection on port 4444.

  3. Test 3: XWiki File Write via RCE to Establish Persistence

    Expected signal: File creation event for /tmp/xwiki_rce_proof.txt with the Java/Tomcat process as the creator. Audit log (auditd or Sysmon for Linux) records a file open/write syscall from the java process.
