The U.S. Cybersecurity and Infrastructure Safety Company (CISA) on Monday added 5 safety flaws impacting Advantive VeraCore and Ivanti Endpoint Supervisor (EPM) to its Identified Exploited Vulnerabilities (KEV) catalog, primarily based on proof of energetic exploitation within the wild.
The checklist of vulnerabilities is as follows –
- CVE-2024-57968 – An unrestricted file add vulnerability in Advantive VeraCore that enables a distant unauthenticated attacker to add recordsdata to unintended folders through add.apsx
- CVE-2025-25181 – An SQL injection vulnerability in Advantive VeraCore that enables a distant attacker to execute arbitrary SQL instructions
- CVE-2024-13159 – An absolute path traversal vulnerability in Ivanti EPM that enables a distant unauthenticated attacker to leak delicate info
- CVE-2024-13160 – An absolute path traversal vulnerability in Ivanti EPM that enables a distant unauthenticated attacker to leak delicate info
- CVE-2024-13161 – An absolute path traversal vulnerability in Ivanti EPM that enables a distant unauthenticated attacker to leak delicate info
The exploitation of VeraCore vulnerabilities has been attributed to probably a Vietnamese risk actor named XE Group, which has been noticed dropping reverse shells and internet shells to take care of persistent distant entry to compromised methods.
Then again, there are at the moment no public stories about how the three Ivanti EPM flaws are being weaponized in real-world assaults. A proof-of-concept (PoC) exploit was launched by Horizon3.ai final month. The cybersecurity firm described them as “credential coercion” bugs that would permit an unauthenticated attacker to compromise the servers.
In gentle of energetic exploitation, it is important that Federal Civilian Government Department (FCEB) businesses apply the mandatory patches by March 31, 2025.
The event comes as risk intelligence agency GreyNose warned of mass exploitation of CVE-2024-4577, a vital vulnerability impacting PHP-CGI, with spikes in assault exercise focusing on Japan, Singapore, Indonesia, the UK, Spain, and India.
“Greater than 43% of IPs focusing on CVE-2024-4577 previously 30 days are from Germany and China,” GreyNoise stated, including it “detected a coordinated spike in exploitation makes an attempt in opposition to networks in a number of nations, suggesting extra automated scanning for susceptible targets” in February.