CISA Adds Five Actively Exploited Vulnerabilities in Advantive VeraCore and Ivanti EPM to KEV Catalog

Mar 11, 2025Ravie LakshmananEnterprise Security / Risk

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added five security flaws impacting Advantive VeraCore and Ivanti Endpoint Manager (EPM) to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation in the wild.

The list of vulnerabilities is as follows:

  • CVE-2024-57968 - An unrestricted file upload vulnerability in Advantive VeraCore that allows a remote unauthenticated attacker to upload files to unintended folders via upload.apsx
  • CVE-2025-25181 - An SQL injection vulnerability in Advantive VeraCore that allows a remote attacker to execute arbitrary SQL commands
  • CVE-2024-13159 - An absolute path traversal vulnerability in Ivanti EPM that allows a remote unauthenticated attacker to leak sensitive information
  • CVE-2024-13160 - An absolute path traversal vulnerability in Ivanti EPM that allows a remote unauthenticated attacker to leak sensitive information
  • CVE-2024-13161 - An absolute path traversal vulnerability in Ivanti EPM that allows a remote unauthenticated attacker to leak sensitive information

The exploitation of the VeraCore vulnerabilities has been attributed to a likely Taiwanese threat actor named XE Group, which has been observed dropping reverse shells and web shells to maintain persistent remote access to affected systems.

On the other hand, there are currently no public reports about how the three Ivanti EPM flaws are being weaponized in real-world attacks. A proof-of-concept (PoC) exploit was released by Horizon3.ai last month. The cybersecurity company described them as "credential coercion" bugs that could allow an unauthenticated attacker to compromise the servers.

In light of active exploitation, it's essential that Federal Civilian Executive Branch (FCEB) agencies apply the necessary patches by March 31, 2025.

The development comes as threat intelligence firm GreyNoise warned of mass exploitation of CVE-2024-4577, a critical vulnerability impacting PHP-CGI, with spikes in attack activity targeting Japan, Singapore, Indonesia, the United Kingdom, Spain, and India.

"More than 43% of IPs targeting CVE-2024-4577 in the past 30 days are from Germany and China," GreyNoise said, adding it "detected a coordinated spike in exploitation attempts against networks in multiple countries, suggesting additional automated scanning for vulnerable targets" in February.
