Rondodox Expands Botnet via Unpatched XWiki RCE Vulnerability
- Kyber Tech

- Jan 7
- 1 min read

Patch Now. Active Exploitation Is Widely Observed in the Wild.
The RondoDox botnet is expanding by exploiting a critical remote code execution flaw in XWiki (CVE-2025-24893, CVSS 9.8). The patch has been available since February 2025, yet many internet-facing instances remain unpatched. That gap has allowed attackers to quietly recruit servers into their botnet and deploy secondary payloads such as cryptominers, as reported by Security Affairs.
Once a vulnerability is public, attackers move faster than most organizations can patch. By the time an issue appears on CISA’s Known Exploited Vulnerabilities list, exploitation is often already well underway. VulnCheck has repeatedly shown that real-world exploitation typically precedes formal prioritization.
The campaign also reflects how botnets are evolving. RondoDox is not targeting a single product or vendor. It is a multi-vector operation that exploits dozens of flaws across different platforms and device types. Attackers go where patching lags and ownership is unclear.
XWiki is a good example of a broader risk pattern. It is widely deployed, often self-hosted, and commonly treated as internal infrastructure. When systems like this fall outside standard asset inventories or patch governance, they become durable footholds for attackers.
If you are responsible for internet-facing applications or infrastructure, the takeaways are straightforward:
• Prioritize vulnerabilities based on active exploitation, not just severity scores.
• Track real exploitation data, not only advisories.
• Assume attackers will pivot quickly to any exposed system that remains unpatched.
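One concrete way to act on the first two takeaways, as an added example that is not part of Kyber Tech's post or any vendor tooling: rank unpatched findings by whether the CVE appears in a known-exploited catalogue and whether the host is internet-facing, and only then by CVSS. The record shape mirrors the public CISA KEV JSON feed so a real download can be dropped in, but the entries below are constructed: only CVE-2025-24893 and its 9.8 score come from the post, the dates attached to it are placeholders, and the CVE-0000-* identifiers, products and hostnames are invented for the example.

```python
"""Risk-based patch prioritisation: observed exploitation and exposure first,
CVSS second.

Added example, not the post's or any vendor's code. KEV entries and the asset
inventory are constructed; the dict shape follows the public CISA KEV JSON
feed ("vulnerabilities": [{"cveID", "vendorProject", "product", "dateAdded",
"dueDate", ...}]) so a downloaded catalogue can replace KEV_CATALOG as-is.
"""
from dataclasses import dataclass, field
from datetime import date

# Constructed KEV-style catalogue. CVE-2025-24893 (XWiki RCE) is the real
# identifier from the post; its dates here are placeholders. CVE-0000-* are
# obviously fake placeholders for other exploited flaws.
KEV_CATALOG = {
    "vulnerabilities": [
        {"cveID": "CVE-2025-24893", "vendorProject": "XWiki",
         "product": "XWiki Platform",
         "dateAdded": "2025-01-01", "dueDate": "2025-01-22"},  # constructed
        {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor",
         "product": "ExampleRouter",
         "dateAdded": "2025-01-01", "dueDate": "2025-01-22"},  # constructed
    ]
}


@dataclass
class Finding:
    cve_id: str
    cvss: float          # base score reported by the scanner


@dataclass
class Asset:
    hostname: str
    product: str
    internet_facing: bool
    findings: list[Finding] = field(default_factory=list)


# Constructed inventory: hostnames and the non-XWiki products are invented.
INVENTORY = [
    Asset("wiki-01.example.internal", "XWiki Platform", True,
          [Finding("CVE-2025-24893", 9.8)]),            # in KEV, exposed
    Asset("build-07.example.internal", "ExampleCI", True,
          [Finding("CVE-0000-0002", 9.1)]),             # high CVSS, not in KEV
    Asset("edge-rtr-03.example.internal", "ExampleRouter", True,
          [Finding("CVE-0000-0001", 7.2)]),             # lower CVSS, in KEV
    Asset("lab-12.example.internal", "ExampleCI", False,
          [Finding("CVE-0000-0002", 9.1)]),             # internal, not in KEV
]


def kev_ids(catalog: dict) -> set[str]:
    """All CVE identifiers present in a KEV-shaped catalogue."""
    return {v["cveID"] for v in catalog["vulnerabilities"]}


def tier_for(in_kev: bool, internet_facing: bool, cvss: float) -> int:
    """1: exploited + exposed; 2: exploited, internal;
    3: not (yet) exploited but exposed and critical; 4: everything else."""
    if in_kev and internet_facing:
        return 1
    if in_kev:
        return 2
    if internet_facing and cvss >= 9.0:
        return 3
    return 4


def prioritise(inventory: list[Asset], catalog: dict) -> list[tuple[str, str, int]]:
    """Return (hostname, cve_id, tier), most urgent first.
    Within a tier the higher CVSS comes first, so the score still matters,
    but never outranks evidence of real-world exploitation."""
    known_exploited = kev_ids(catalog)
    rows = []
    for asset in inventory:
        for f in asset.findings:
            tier = tier_for(f.cve_id in known_exploited, asset.internet_facing, f.cvss)
            rows.append((asset.hostname, f.cve_id, tier, f.cvss))
    rows.sort(key=lambda r: (r[2], -r[3], r[0]))
    return [(host, cve, tier) for host, cve, tier, _ in rows]


def overdue(catalog: dict, as_of: date) -> list[str]:
    """CVEs whose catalogue dueDate has already passed on the given day."""
    return [v["cveID"] for v in catalog["vulnerabilities"]
            if date.fromisoformat(v["dueDate"]) < as_of]


if __name__ == "__main__":
    for host, cve, tier in prioritise(INVENTORY, KEV_CATALOG):
        print(f"tier {tier}  {host:32s} {cve}")
    print("past due:", overdue(KEV_CATALOG, date.today()))
```

Run against the constructed data, the internet-facing XWiki host and the KEV-listed router rank above the CVSS 9.1 finding that has no exploitation evidence, which is exactly the reordering the post argues for; swapping in the live KEV feed and a real scanner export is the only change needed to use it for actual triage.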
Security is not about knowing a patch exists. It is about closing the window between disclosure and exploitation.


