On March 10, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) announced the inclusion of five new vulnerabilities affecting Advantive VeraCore and Ivanti Endpoint Manager (EPM) in its Known Exploited Vulnerabilities (KEV) catalog, following confirmed cases of exploitation in the wild. This escalation emphasizes a heightened risk for organizations using these platforms.

The newly identified vulnerabilities present serious security threats. Among them, CVE-2024-57968 is an unrestricted file upload flaw in Advantive VeraCore that could allow remote attackers to upload files to unintended directories. CVE-2025-25181 is an SQL injection vulnerability that permits remote attackers to execute arbitrary SQL commands. Meanwhile, Ivanti EPM is affected by multiple absolute path traversal vulnerabilities (CVE-2024-13159, CVE-2024-13160, CVE-2024-13161), each enabling unauthorized access to sensitive information via crafted file paths.

The exploitation of VeraCore’s vulnerabilities has been connected to a cyber threat group identified as XE Group, reportedly linked to Vietnam. This group has been observed deploying reverse shells and web shells, which give it persistent remote access to compromised systems and reinforce its foothold within affected networks.

While concerns mount over the vulnerabilities in Advantive, specific details on real-world exploitation of Ivanti’s EPM flaws remain scarce. Horizon3.ai recently released a proof-of-concept exploit that describes these vulnerabilities as “credential coercion” issues, which could lead to server compromises by unauthorized users.

The urgency for response is underscored by CISA’s directive that Federal Civilian Executive Branch (FCEB) agencies must implement necessary patches by March 31, 2025, to mitigate exposure to these vulnerabilities. This requirement highlights the critical nature of addressing known weaknesses in cybersecurity protocols to safeguard operational integrity.
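A defender-side check tied to the directive above, added here as an example and not code from the article or from CISA: it reads a catalog in the shape of CISA's KEV JSON feed (a constructed sample carrying the five CVEs and the March 31, 2025 due date from this article), matches entries against a hypothetical product inventory, and reports which unpatched entries are due or already overdue.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV catalog JSON (same field names
# as the real feed); the entries and dates come from the article, not a live fetch.
KEV_SAMPLE = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2024-57968", "vendorProject": "Advantive", "product": "VeraCore",
         "dateAdded": "2025-03-10", "dueDate": "2025-03-31"},
        {"cveID": "CVE-2025-25181", "vendorProject": "Advantive", "product": "VeraCore",
         "dateAdded": "2025-03-10", "dueDate": "2025-03-31"},
        {"cveID": "CVE-2024-13159", "vendorProject": "Ivanti", "product": "Endpoint Manager (EPM)",
         "dateAdded": "2025-03-10", "dueDate": "2025-03-31"},
        {"cveID": "CVE-2024-13160", "vendorProject": "Ivanti", "product": "Endpoint Manager (EPM)",
         "dateAdded": "2025-03-10", "dueDate": "2025-03-31"},
        {"cveID": "CVE-2024-13161", "vendorProject": "Ivanti", "product": "Endpoint Manager (EPM)",
         "dateAdded": "2025-03-10", "dueDate": "2025-03-31"},
    ]
})

# Hypothetical asset inventory: products the organisation runs, mapped to the CVEs
# already remediated. Product keys are matched case-insensitively as substrings
# of "vendorProject product" in the catalog.
INVENTORY = {"veracore": {"CVE-2025-25181"}, "ivanti endpoint manager": set()}


def kev_exposure(catalog_json, inventory, today):
    """Return (cveID, product, days_until_due) for KEV entries that apply to the
    inventory and are not yet patched; a negative day count means overdue."""
    exposed = []
    for entry in json.loads(catalog_json)["vulnerabilities"]:
        name = f"{entry['vendorProject']} {entry['product']}".lower()
        for product, patched in inventory.items():
            if product in name and entry["cveID"] not in patched:
                due = date.fromisoformat(entry["dueDate"])
                exposed.append((entry["cveID"], product, (due - today).days))
    return sorted(exposed)


if __name__ == "__main__":
    for cve, product, days in kev_exposure(KEV_SAMPLE, INVENTORY, date(2025, 3, 20)):
        status = "overdue by" if days < 0 else "due in"
        print(f"{cve:15} {product:25} {status} {abs(days)}d")
```

Swap `KEV_SAMPLE` for the downloaded catalog and `INVENTORY` for your real asset list to get a per-CVE countdown against the CISA due dates.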

Further complicating the cybersecurity landscape, GreyNoise reported a significant uptick in exploitation attempts against CVE-2024-4577, a critical vulnerability affecting PHP-CGI. Attack activity has surged across multiple countries, including Japan, Singapore, Indonesia, the United Kingdom, Spain, and India. Notably, over 43% of the targeting IPs reported in the last 30 days trace back to Germany and China, indicating a coordinated effort in these attacks.

In analyzing the tactics employed during such attacks, techniques from the MITRE ATT&CK framework may be invoked, particularly those associated with initial access and persistence. The unrestricted file upload and SQL injection vulnerabilities may serve as initial access vectors, while the path traversal vulnerabilities could be used for unauthorized information retrieval or data exfiltration.

This recent spate of vulnerabilities demands attention from cybersecurity professionals and organizations alike, emphasizing diligence in monitoring and response to emerging threats. As the attack surface expands, maintaining robust cybersecurity measures and adhering to patching timelines is essential in safeguarding sensitive operational environments.
