
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added five security vulnerabilities affecting Advantive VeraCore and Ivanti Endpoint Manager (EPM) to its Known Exploited Vulnerabilities (KEV) catalog after confirming active exploitation in the wild.
## Vulnerabilities Under Active Attack
The identified vulnerabilities include:
- **CVE-2024-57968**: An unrestricted file upload vulnerability in Advantive VeraCore allowing unauthenticated attackers to upload files to unintended folders via upload.aspx
- **CVE-2025-25181**: An SQL injection vulnerability in Advantive VeraCore enabling arbitrary SQL command execution
- **CVE-2024-13159, CVE-2024-13160, CVE-2024-13161**: Three absolute path traversal vulnerabilities in Ivanti EPM that allow unauthenticated attackers to access sensitive information
## Threat Actor Activity
Security researchers have linked the VeraCore exploits to a Vietnamese threat group known as XE Group, which has been deploying reverse shells and web shells to maintain persistent access to compromised systems.
Although there are no public reports describing how the Ivanti EPM vulnerabilities are being exploited in the wild, Horizon3.ai released a proof-of-concept exploit last month, describing them as “credential coercion” bugs that enable unauthenticated server compromise.
## Remediation Timeline
Federal Civilian Executive Branch agencies must apply patches for these vulnerabilities by March 31, 2025.
## Additional Threat Landscape
Meanwhile, threat intelligence firm GreyNoise has reported mass exploitation of CVE-2024-4577, a critical PHP-CGI vulnerability, with significant attack activity targeting Japan, Singapore, Indonesia, the UK, Spain, and India. Over 43% of attacking IPs originate from Germany and China, with coordinated exploitation spikes observed in February.