The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added vulnerabilities affecting Advantive VeraCore and Ivanti Endpoint Manager (EPM) to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild.
The identified vulnerabilities are as follows:
- CVE-2024-57968 – Unrestricted file upload vulnerability in Advantive VeraCore allowing remote unauthenticated attackers to upload files to unintended folders via upload.apsx
- CVE-2025-25181 – SQL injection vulnerability in Advantive VeraCore enabling remote attackers to execute arbitrary SQL commands
- CVE-2024-13159 – Absolute path traversal vulnerability in Ivanti EPM allowing remote unauthenticated attackers to leak sensitive information
- CVE-2024-13160 – Absolute path traversal vulnerability in Ivanti EPM enabling remote unauthenticated attackers to leak sensitive information
- CVE-2024-13161 – Absolute path traversal vulnerability in Ivanti EPM allowing remote unauthenticated attackers to leak sensitive information
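The two weakness classes in the list above, an upload handler that lets the client steer files into unintended folders and an absolute path traversal that lets the client pick which file is read, share one root cause: a client-supplied path is joined to a server-side directory without checking where the result lands. The following is an added illustration of that bug pattern beside the defensive checks that close it. It is generic example code, not code from VeraCore, Ivanti EPM, or any of the advisories; the upload root, the extension allowlist and the sample requests are constructed for the demonstration.

```python
import os
import posixpath

# Constructed example values; not paths or settings from VeraCore or Ivanti EPM.
UPLOAD_ROOT = "/srv/app/uploads"
ALLOWED_EXTENSIONS = {".pdf", ".png", ".jpg", ".csv"}


def unsafe_join(root, user_path):
    """Vulnerable pattern behind 'absolute path traversal': os.path.join
    discards root entirely when user_path is absolute, and keeps '..'
    segments, so the client decides which file is read or written."""
    return os.path.join(root, user_path)


def confine_to_root(root, user_path):
    """Hardened pattern for a file-serving endpoint: resolve the combined
    path and refuse anything that lands outside root. Returns the resolved
    absolute path, or None when the request escapes (absolute path or
    '..' climb)."""
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, user_path))
    # commonpath compares whole path components, so '/srv/app/uploads2'
    # is not mistaken for a child of '/srv/app/uploads'.
    if os.path.commonpath([root_real, candidate]) != root_real:
        return None
    return candidate


def check_upload(root, filename):
    """Hardened pattern for an upload handler: keep only the final path
    component so the client cannot choose the folder, enforce an extension
    allowlist so server-executable content is rejected, then confine the
    result to root. Returns (accepted, detail); detail is the target path
    on success or the rejection reason otherwise."""
    base = posixpath.basename(filename.replace("\\", "/"))
    if base in ("", ".", ".."):
        return False, "empty or dot file name"
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension not allowed: {ext or '(none)'}"
    target = confine_to_root(root, base)
    if target is None:
        return False, "path escapes upload root"
    return True, target


if __name__ == "__main__":
    # Constructed requests as a download handler and an upload handler might see them.
    for requested in ["reports/q1.csv", "../../etc/passwd", "/etc/passwd"]:
        print(f"{requested!r:22} unsafe -> {unsafe_join(UPLOAD_ROOT, requested)}")
        print(f"{'':22} safe   -> {confine_to_root(UPLOAD_ROOT, requested)}")
    for name in ["report.PDF", "..\\..\\web\\page.aspx", "notes.csv.exe"]:
        print(f"upload {name!r:24} -> {check_upload(UPLOAD_ROOT, name)}")
```

The containment check is done on the fully resolved path rather than on the raw string, so encoded or mixed separators and symlinks inside the root are judged by where they actually resolve. Pairing that with an allowlist of extensions, rather than a denylist of known-bad ones, is what stops an upload feature from doubling as a way to place server-side script files where the web server will execute them.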
The exploitation of VeraCore vulnerabilities is linked to a Vietnamese threat actor known as XE Group, observed deploying reverse shells and web shells to maintain persistent remote access on compromised systems.
By contrast, there are no public reports of the three Ivanti EPM vulnerabilities being exploited in real-world attacks. Horizon3.ai released a proof-of-concept (PoC) exploit last month, describing them as “credential coercion” flaws that could enable unauthenticated attackers to compromise servers.
In response to the active exploitation, Federal Civilian Executive Branch (FCEB) agencies are urged to apply necessary patches by March 31, 2025.
The alert comes as threat intelligence company GreyNoise cautioned about widespread exploitation of CVE-2024-4577, a critical vulnerability affecting PHP-CGI, with increased attack activity targeting multiple countries including Japan, Singapore, Indonesia, the United Kingdom, Spain, and India.
“Over 43% of IPs targeting CVE-2024-4577 in the last 30 days originate from Germany and China,” GreyNoise reported, noting a coordinated surge in exploitation attempts against networks worldwide in February.