Mar 11, 2025 | Ravie Lakshmanan | Enterprise Security / Vulnerability

The United States Cybersecurity and Infrastructure Security Agency (CISA) has recently added five security vulnerabilities to its catalog of Known Exploited Vulnerabilities (KEV), which affect Advantive VeraCore and Ivanti Endpoint Manager (EPM). This decision was made based on evidence of active exploitation of these vulnerabilities in the wild.

The following vulnerabilities have been identified:

  • CVE-2024-57968: A vulnerability in Advantive VeraCore that allows an unauthenticated remote attacker to upload files to unintended folders via upload.apsx due to unrestricted file upload.
  • CVE-2025-25181: A SQL injection vulnerability in Advantive VeraCore that enables a remote attacker to execute arbitrary SQL commands.
  • CVE-2024-13159: An absolute path traversal vulnerability in Ivanti EPM that allows an unauthenticated remote attacker to leak sensitive information.
  • CVE-2024-13160: Another absolute path traversal vulnerability in Ivanti EPM that allows an unauthenticated remote attacker to leak sensitive information.
  • CVE-2024-13161: An absolute path traversal vulnerability in Ivanti EPM that allows an unauthenticated remote attacker to leak sensitive information.

The exploitation of VeraCore vulnerabilities has been linked to a Vietnamese threat actor known as the XE Group. This group has been observed using reverse shells and web shells to maintain persistent remote access to compromised systems.

Meanwhile, there are currently no public reports on how the three Ivanti EPM vulnerabilities are being exploited in real-world attacks. However, a proof-of-concept (PoC) exploit was released by Horizon3.ai last month, which described these vulnerabilities as “credential coercion” bugs that could allow an unauthenticated attacker to compromise servers.

Given the active exploitation of these vulnerabilities, it is crucial that Federal Civilian Executive Branch (FCEB) agencies apply the necessary patches by March 31, 2025.

This development comes as the threat intelligence firm GreyNoise warned of mass exploitation of CVE-2024-4577, a critical vulnerability affecting PHP-CGI, with increased attack activity targeting Japan, Singapore, Indonesia, the United Kingdom, Spain, and India.

According to GreyNoise, “more than 43% of IPs targeting CVE-2024-4577 in the past 30 days are from Germany and China.” The company also detected a coordinated spike in exploitation attempts against networks in multiple countries in February, suggesting additional automated scanning for vulnerable targets.
