XE Hacker Group Exploits VeraCore Zero-Day to Deploy Persistent Web Shells

Feb 10, 2025 | Ravie Lakshmanan | Vulnerability / Malware

Threat actors have been observed exploiting multiple security flaws in various software products, including Progress Telerik UI for ASP.NET AJAX and Advantive VeraCore, to drop reverse shells and web shells, and maintain persistent remote access to compromised systems.

The zero-day exploitation of security flaws in VeraCore has been attributed to a threat actor known as XE Group, a cybercrime group likely of Vietnamese origin that is known to have been active since at least 2010.

"XE Group transitioned from credit card skimming to targeted information theft, marking a significant shift in their operational priorities," cybersecurity firm Intezer said in a report published in collaboration with Solis Security.

"Their attacks now target supply chains in the manufacturing and distribution sectors, leveraging new vulnerabilities and advanced tactics."


The vulnerabilities in question are listed below –

  • CVE-2024-57968 (CVSS score: 9.9) – An unrestricted upload of files with a dangerous type vulnerability that allows remote authenticated users to upload files to unintended folders (Fixed in VeraCore version 2024.4.2.1)
  • CVE-2025-25181 (CVSS score: 5.8) – An SQL injection vulnerability that allows remote attackers to execute arbitrary SQL commands (No patch available)

The latest findings from Intezer and Solis Security show that the shortcomings are being chained to deploy ASPXSpy web shells for unauthorized access to infected systems, in one instance leveraging CVE-2025-25181 as far back as early 2020. The exploitation activity was discovered in November 2024.

The web shells come fitted with capabilities to enumerate the file system, exfiltrate files, and compress them using tools like 7z. The access is also abused to drop a Meterpreter payload that attempts to connect to an actor-controlled server ("222.253.102[.]94:7979") via a Windows socket.
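Two detection checks a defender could run against this activity, written here as an added example and not taken from the Intezer/Solis report: one flags upload requests that land an executable file type or escape the intended folder (the CVE-2024-57968 pattern), the other matches outbound connections against the Meterpreter C2 endpoint quoted above. The log lines are constructed, and "/app/upload.aspx" is a placeholder path, not VeraCore's real upload endpoint.

```python
import re
from urllib.parse import unquote

# Constructed IIS-style log lines (date time method uri-stem uri-query status); the upload path is a placeholder.
IIS_LOG = """\
2024-11-05 08:12:01 POST /app/upload.aspx name=invoice.pdf&folder=docs 200
2024-11-05 08:12:44 POST /app/upload.aspx name=cmd.aspx&folder=..%2F..%2Fwwwroot 200
2024-11-05 08:13:02 GET /cmd.aspx - 200
2024-11-05 08:15:10 POST /app/upload.aspx name=report.xlsx&folder=docs 200
"""

# Constructed Sysmon-like network events: date time image dst_ip:dst_port.
NET_LOG = """\
2024-11-05 08:13:30 w3wp.exe 10.0.0.25:1433
2024-11-05 08:13:41 w3wp.exe 222.253.102.94:7979
2024-11-05 08:14:02 svchost.exe 52.96.0.1:443
"""

# Meterpreter C2 endpoint reported by Intezer/Solis, with the defanging removed.
KNOWN_C2 = {("222.253.102.94", 7979)}
EXEC_EXTS = (".aspx", ".ashx", ".asmx", ".asp", ".config", ".dll")  # types IIS executes or honours


def find_suspicious_uploads(log_text: str) -> list[str]:
    """Flag POST uploads with an executable extension or a folder that escapes the intended directory."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6 or parts[2] != "POST":
            continue
        params = {}
        for pair in parts[4].split("&"):
            key, _, value = pair.partition("=")
            params[key] = unquote(value)  # decode each value, so %2F becomes "/"
        name = params.get("name", "").lower()
        folder = params.get("folder", "")
        bad_ext = name.endswith(EXEC_EXTS)
        escapes = ".." in folder or folder.startswith(("/", "\\"))
        if bad_ext or escapes:
            hits.append(line)
    return hits


def find_c2_connections(net_text: str) -> list[str]:
    """Match outbound connections against the report's Meterpreter C2 endpoint."""
    hits = []
    for line in net_text.splitlines():
        m = re.search(r"(\d+\.\d+\.\d+\.\d+):(\d+)$", line)
        if m and (m.group(1), int(m.group(2))) in KNOWN_C2:
            hits.append(line)
    return hits
```

The second upload line is the only one flagged (executable extension plus a traversing folder), and only the w3wp.exe connection to port 7979 matches the C2 set.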

The updated variant of the web shell also incorporates a variety of features to facilitate network scanning, command execution, and running SQL queries to extract critical information or modify existing data.

While earlier attacks mounted by XE Group have weaponized known vulnerabilities, specifically flaws in Telerik UI for ASP.NET (CVE-2017-9248 and CVE-2019-18935, CVSS scores: 9.8), the development marks the first time the hacking crew has been attributed to zero-day exploitation, indicating an increase in sophistication.

"Their ability to maintain persistent access to systems, as seen with the reactivation of a web shell years after initial deployment, highlights the group's commitment to long-term objectives," researchers Nicole Fishbein, Joakim Kennedy, and Justin Lentz said.

"By targeting supply chains in the manufacturing and distribution sectors, XE Group not only maximizes the impact of their operations but also demonstrates an acute understanding of systemic vulnerabilities."

CVE-2019-18935, which was flagged by U.K. and U.S. government agencies in 2021 as one of the most exploited vulnerabilities, has also come under active exploitation as recently as last month to load a reverse shell and execute follow-up reconnaissance commands via cmd.exe.

"While the vulnerability in Progress Telerik UI for ASP.NET AJAX is several years old, it continues to be a viable entry point for threat actors," eSentire said. "This highlights the importance of patching systems, especially if they are going to be exposed to the internet."

CISA Adds 5 Flaws to KEV Catalog

The development comes as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added five security flaws to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.

  • CVE-2025-0411 (CVSS score: 7.0) – 7-Zip Mark of the Web Bypass Vulnerability
  • CVE-2022-23748 (CVSS score: 7.8) – Dante Discovery Process Control Vulnerability
  • CVE-2024-21413 (CVSS score: 9.8) – Microsoft Outlook Improper Input Validation Vulnerability
  • CVE-2020-29574 (CVSS score: 9.8) – CyberoamOS (CROS) SQL Injection Vulnerability
  • CVE-2020-15069 (CVSS score: 9.8) – Sophos XG Firewall Buffer Overflow Vulnerability

Last week, Trend Micro revealed that Russian cybercrime outfits are exploiting CVE-2025-0411 to distribute the SmokeLoader malware as part of spear-phishing campaigns targeting Ukrainian entities.


The exploitation of CVE-2020-29574 and CVE-2020-15069, on the other hand, has been linked to a Chinese espionage campaign tracked by Sophos under the moniker Pacific Rim.

There are currently no reports on how CVE-2024-21413, also tracked as MonikerLink by Check Point, is being exploited in the wild. As for CVE-2022-23748, the cybersecurity company disclosed in late 2022 that it observed the ToddyCat threat actor leveraging a DLL side-loading vulnerability in Audinate Dante Discovery ("mDNSResponder.exe").

Federal Civilian Executive Branch (FCEB) agencies are mandated to apply the necessary updates by February 27, 2025, under Binding Operational Directive (BOD) 22-01 to safeguard against active threats.
