The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently added five security vulnerabilities affecting software from Advantive VeraCore and Ivanti Endpoint Manager (EPM) to its Known Exploited Vulnerabilities (KEV) catalog, indicating active exploitation by threat actors.
The Advantive VeraCore vulnerabilities include:
- CVE-2024-57968: An unrestricted file upload vulnerability that could allow a remote, unauthenticated threat actor to upload files to unintended folders via upload.aspx.
- CVE-2025-25181: An SQL injection vulnerability that could allow a remote threat actor to execute arbitrary SQL commands.
A Vietnamese threat actor known as XE Group has been observed leveraging the VeraCore vulnerabilities to deploy reverse shells and web shells to maintain persistent remote access to compromised systems.
The EPM vulnerabilities include:
- CVE-2024-13159: An absolute path traversal vulnerability that could allow a remote, unauthenticated threat actor to leak sensitive information.
- CVE-2024-13160: An absolute path traversal flaw that could enable unauthorized access to sensitive data.
- CVE-2024-13161: A similar path traversal flaw that could allow information leakage.
While there are no public reports detailing the exploitation of these Ivanti EPM flaws, a proof-of-concept exploit has been publicly available since at least January 2025.
In response to these active threats, CISA has mandated that Federal Civilian Executive Branch (FCEB) agencies apply necessary mitigations by March 31, 2025, to secure their networks, underscoring the criticality of addressing these vulnerabilities promptly to protect against potential cyberattacks.
Source: The Hacker News
Analysis
Vulnerabilities in Ivanti’s EPM have a history of being exploited by threat actors. For example, between April and July 2023, threat actors exploited CVE-2023-35078, a critical authentication bypass vulnerability, to access sensitive information and make unauthorized configuration changes. It was later revealed that this exploitation notably affected multiple Norwegian government agencies and that the threat actor leveraged compromised small office/home office (SOHO) routers, including ASUS routers, to proxy their access to target infrastructure.
In early 2024, Chinese-nexus espionage groups, including one assessed to be Volt Typhoon, exploited vulnerabilities in Ivanti products to deploy custom malware families like SPAWN and ROOTROT to establish stealthy and persistent backdoors. These tools enabled the attackers to maintain long-term access and avoid detection within compromised environments.
Advantive VeraCore, a widely used warehouse management and order fulfillment software, has not been widely exploited until now. The exploitation also seems limited to the XE Group, which has a history of cybercriminal activities dating back to at least 2013. Initially, their operations focused on credit card skimming, which involves injecting malicious code into websites to steal payment information. Over time, they have evolved their tactics, shifting towards more sophisticated methods, including the exploitation of zero-day vulnerabilities.
Their recent activities involve targeting supply chains in the manufacturing and distribution sectors by exploiting vulnerabilities like those found in VeraCore's software. This strategic pivot not only maximizes the impact of their operations, but also demonstrates an acute understanding of systemic vulnerabilities within supply chains.
Mitigation
Field Effect’s Security Intelligence professionals constantly monitor the cyber threat landscape for threats related to vulnerabilities like those mentioned above. Field Effect MDR users are automatically notified if vulnerable software and hardware are detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.
Field Effect strongly encourages users exposed to the vulnerabilities listed above to install the necessary patches as soon as possible.