XWiki-Platform - RCE (CVE-2024-21650)

CVE-2024-21650 is a critical remote code execution vulnerability in the XWiki Platform that allows unauthenticated attackers to execute arbitrary code by injecting malicious payloads into the "first name" or "last name" fields during user registration. This flaw affects all XWiki installations with guest registration enabled, potentially enabling full system compromise. Attackers could exploit this vulnerability to gain unauthorized access, manipulate data, or disrupt wiki operations.

CrowdSec has been tracking this vulnerability and its exploits since 24th of September 2025.

CrowdSec network observations suggest that most exploitation of CVE-2024-21650 involves focused reconnaissance to identify viable targets. Attackers typically tailor their campaigns based on system exposure and configuration. It is unlikely that a given attack is accidental. Telemetry from the CrowdSec network also shows that exploitation activity for CVE-2024-21650 remains steady week-over-week. Attack volumes are consistent with long-term trends, indicating sustained interest from threat actors. CVE-2024-21650 continues to be an active part of the threat landscape and will likely remain this way for the forseeable future.

Attackers exploit the user registration endpoint /bin/register/XWiki/XWikiRegister by injecting malicious payloads into the register_first_name or register_last_name fields, leading to remote code execution on vulnerable XWiki installations.