CISA has likely added two VeraCore vulnerabilities, CVE-2024-57968 and CVE-2025-25181, to its Known Exploited Vulnerabilities (KEV) catalog due to active exploitation by the XE Group.
These vulnerabilities impact VeraCore, a warehouse management software by Advantive, critical for supply chains in manufacturing and distribution.
CVE-2024-57968 is patched in version 2024.4.2.1, while CVE-2025-25181 remains unpatched as of March 2025, heightening risks.
XE Group has exploited these flaws to deploy web shells, maintaining access for over four years in some cases.
The Cybersecurity and Infrastructure Security Agency (CISA) maintains the KEV catalog to track vulnerabilities actively exploited in the wild, aiding organizations in prioritizing remediation.
VeraCore is widely used for warehouse management and order fulfillment, making its vulnerabilities a significant concern for supply chain security.
The XE Group chains these vulnerabilities in a multi-step attack:

1. Initial access via SQL injection (CVE-2025-25181):
   - Attackers craft HTTP requests with malicious SQL payloads targeting vulnerable endpoints in VeraCore.
   - Example: a parameter like ?id=1; SELECT * FROM web_config could retrieve sensitive data (e.g., credentials) from the database if the input is not properly sanitized.
   - This step extracts configuration files (e.g., web.config) or user credentials, providing authenticated access.

2. Web shell deployment (CVE-2024-57968):
   - Using the stolen credentials, attackers exploit the file upload flaw to upload an ASPX web shell (e.g., ASPXSpy) to a writable directory.
   - The web shell, a small script (often under 100 lines), allows remote command execution, file manipulation, and persistence.
   - Example commands: cmd.exe /c dir to list files, or 7z.exe a archive.zip * to compress data for exfiltration.

3. Long-term persistence and exfiltration:
   - The web shell provides a backdoor, enabling attackers to return over years, as seen in cases dating back to 2020.
   - They enumerate the file system, exfiltrate data, and maintain stealth by mimicking legitimate traffic.
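For defenders, the chain above maps to three signals that can be pulled out of web server logs. The following is an added example (not code from the article, CISA or Advantive) that scans constructed IIS-style log lines for stacked SQL in a query string, an .aspx page served from a writable upload directory, and interpreter or archiver names (cmd.exe, 7z.exe) passed as request parameters. The log field layout, the directory names and the file names are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS W3C-style lines (date time c-ip method uri-stem uri-query status);
# illustrative only, not captured VeraCore traffic.
SAMPLE_LOG = """\
2025-03-01 10:00:01 203.0.113.7 GET /VeraCore/orders.aspx id=1 200
2025-03-01 10:00:05 203.0.113.7 GET /VeraCore/orders.aspx id=1;%20SELECT%20*%20FROM%20web_config 500
2025-03-01 10:01:10 203.0.113.7 POST /VeraCore/upload.aspx file=report.pdf 200
2025-03-01 10:02:30 203.0.113.7 GET /VeraCore/Uploads/x.aspx c=cmd.exe%20/c%20dir 200
2025-03-01 10:03:00 198.51.100.4 GET /VeraCore/orders.aspx id=42 200
"""

# Stacked-query and classic injection shapes, matched on the URL-decoded query string.
SQLI_PATTERNS = [
    re.compile(r";\s*(select|insert|update|delete|drop|exec)\b", re.I),
    re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    re.compile(r"'\s*(or|and)\s+['\w]+\s*=\s*['\w]+", re.I),
]
# Tool names the article reports being driven through the web shell.
SHELL_TOOLS = re.compile(r"\b(cmd\.exe|powershell(?:\.exe)?|7z\.exe)\b", re.I)
# Assumed: legitimate application pages never live under a writable upload directory.
WRITABLE_DIRS = ("/uploads/", "/temp/", "/images/")

def classify(line: str) -> list[str]:
    """Return detection tags for one log line (empty list = nothing suspicious)."""
    parts = line.split()
    if len(parts) != 7:
        return ["unparseable"]  # malformed lines are surfaced, not silently dropped
    _date, _time, _ip, _method, stem, query, _status = parts
    stem_l, query_d = stem.lower(), unquote_plus(query)
    tags = []
    if any(p.search(query_d) for p in SQLI_PATTERNS):
        tags.append("sqli_attempt")
    if stem_l.endswith(".aspx") and any(d in stem_l for d in WRITABLE_DIRS):
        tags.append("aspx_in_writable_dir")
    if SHELL_TOOLS.search(query_d):
        tags.append("shell_tool_in_request")
    return tags

def analyze_log(text: str) -> dict[int, list[str]]:
    """Map 1-based line numbers to tags, keeping only flagged lines."""
    hits = {}
    for n, line in enumerate(text.splitlines(), 1):
        tags = classify(line) if line.strip() else []
        if tags:
            hits[n] = tags
    return hits
```

Running analyze_log(SAMPLE_LOG) flags line 2 as an injection attempt and line 4 as both a web shell location and a command pass-through; the benign requests produce no tags.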
Active since 2010, XE Group targets supply chains, leveraging these zero-day flaws for data theft and operational disruption. Their ability to persist undetected for over four years underscores the attack’s sophistication, posing risks to logistics and critical infrastructure.
CISA’s inclusion of these vulnerabilities in the KEV catalog, likely updated around early March 2025, signals an urgent need for action. Organizations using VeraCore must address these flaws to mitigate ongoing threats from XE Group’s persistent attacks.