ATLA WIRE

RondoDox Exploits Unpatched XWiki Servers to Pull More Devices Into Its Botnet

16.11.2025
RondoDox targets unpatched XWiki servers via CVE-2025-24893, driving record exploitation surges in November.


RondoDox is actively exploiting unpatched XWiki servers using CVE-2025-24893, leading to record-breaking exploitation surges throughout November 2025.
The malware campaign leverages the critical remote code execution vulnerability in XWiki to compromise servers and forcibly enroll them into its expanding botnet infrastructure.
Security researchers have observed unprecedented exploitation rates, with threat actors aggressively scanning for and compromising vulnerable XWiki instances to bolster their distributed network capabilities.
The RondoDox botnet demonstrates sophisticated capabilities including cryptocurrency mining operations, DDoS attack coordination, and persistent remote access to compromised systems.
Organizations running XWiki installations are urged to immediately apply available security patches and implement robust monitoring to detect and prevent these exploitation attempts.
Tags: DDoS attacks, RCE vulnerabilities, botnets, malware, CVE vulnerabilities