XE Hacker Group Leverages VeraCore Zero-Day to Install Persistent Web Shells

Cybersecurity Alert: Exploitation of VeraCore Vulnerabilities by XE Group

Recent assessments have revealed that cybercriminals are taking advantage of several vulnerabilities within specific software applications, notably Progress Telerik UI for ASP.NET AJAX and Advantive VeraCore. These exploits allow threat actors to deploy reverse shells and web shells, granting them persistent access to compromised systems. The ongoing exploitation of VeraCore’s vulnerabilities has been primarily attributed to the XE Group, a cybercrime syndicate believed to have Vietnamese roots and active since at least 2010.

The XE Group's shift from credit card skimming to targeted information theft marks a notable change in its operational focus. Cybersecurity firm Intezer, in collaboration with Solis Security, released a report detailing this shift. The group is increasingly targeting supply chain weaknesses in the manufacturing and distribution sectors, combining established tactics with newly identified vulnerabilities to achieve its objectives.

Among the vulnerabilities exploited, CVE-2024-57968, a high-severity flaw with a CVSS score of 9.9, permits unauthorized file uploads to unintended directories. A patch for this flaw was issued in VeraCore version 2024.4.2.1. Another entry point is CVE-2025-25181, carrying a CVSS score of 5.8, an SQL injection vulnerability that allows remote attackers to run arbitrary SQL commands; at present, no fix for this vulnerability exists.

Exploitation of these vulnerabilities has led to the deployment of ASPXSpy web shells, giving the attackers ongoing access to compromised systems. The shells are used to enumerate file systems, exfiltrate data, and stage data with compression tools such as 7z. Importantly, they also deploy a Meterpreter payload that establishes connections to actor-controlled servers.

Maintaining long-term access remains a hallmark of the XE Group's operations. Previous attacks involved the exploitation of older vulnerabilities in Telerik UI for ASP.NET, such as CVE-2017-9248 and CVE-2019-18935, indicating a pattern of using both newly discovered and previously known weaknesses. This approach reflects a thorough understanding of systemic vulnerabilities that enhances the group's operational efficiency.

Additionally, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently added several vulnerabilities to its Known Exploited Vulnerabilities catalog, emphasizing the growing concern surrounding active exploitation. Among these is CVE-2025-0411, used by Russian cybercriminals to distribute SmokeLoader malware, reflecting the global dimension of the threat landscape.

As of now, the XE Group's activities show a deep understanding of enterprise vulnerabilities, particularly in the group's ability to maintain access long after initial exploitation. Federal agencies are required to apply security updates to mitigate these known risks effectively.

In summary, the exploitation of vulnerabilities within software like VeraCore underscores the importance of robust cybersecurity measures within organizations. Continuous vulnerability management and prompt patching are crucial, especially for systems exposed to the internet. Business owners should remain vigilant to safeguard their operations against evolving cyber threats and ensure compliance with best practices for cyber hygiene.

This situation exemplifies the ever-present need to understand and address potential adversary tactics as outlined in the MITRE ATT&CK Matrix, particularly concerning initial access, persistence, and privilege escalation techniques used by groups like XE.
