Full Report
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added five security flaws impacting Advantive VeraCore and Ivanti Endpoint Manager (EPM) to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation in the wild. The list of vulnerabilities is as follows - CVE-2024-57968 - An unrestricted file upload vulnerability in Advantive VeraCore
Analysis Summary
# Vulnerability: Actively Exploited Flaws in Advantive VeraCore and Ivanti EPM
## CVE Details
- CVE ID: CVE-2024-57968, CVE-2025-25181, CVE-2024-13159, CVE-2024-13160, CVE-2024-13161
- CVSS Score: Not specified in the provided text. CISA listing implies high severity due to active exploitation.
- CWE: Unrestricted File Upload (for CVE-2024-57968), SQL Injection (for CVE-2025-25181), Path Traversal (for CVE-2024-13159, CVE-2024-13160, CVE-2024-13161)
## Affected Systems
- Products: Advantive VeraCore, Ivanti Endpoint Manager (EPM)
- Versions: Not specified in the provided text.
- Configurations: N/A
## Vulnerability Description
This advisory covers five vulnerabilities added to the CISA KEV catalog:
1. **CVE-2024-57968 (Advantive VeraCore):** An unrestricted file upload vulnerability allowing a remote, unauthenticated attacker to upload files to unintended directories via `upload.apsx`.
2. **CVE-2025-25181 (Advantive VeraCore):** An SQL injection vulnerability allowing a remote attacker to execute arbitrary SQL commands.
3. **CVE-2024-13159, CVE-2024-13160, CVE-2024-13161 (Ivanti EPM):** Three separate absolute path traversal vulnerabilities allowing a remote, unauthenticated attacker to leak sensitive information.
## Exploitation
- Status: **Actively exploited in the wild**. The VeraCore vulnerabilities are attributed to the threat actor XE Group, which has been observed dropping reverse shells and web shells. The Ivanti EPM flaws have public PoCs released by Horizon3.ai, which described them as "credential coercion" bugs.
- Complexity: Low (implied by unauthenticated attacks and PoC availability for Ivanti).
- Attack Vector: Network (Remote, Unauthenticated).
## Impact
- Confidentiality: High (information leakage via path traversal; potential credential access via credential coercion or SQL injection).
- Integrity: High (Potential for arbitrary file upload leading to RCE/web shell placement; SQL injection manipulation).
- Availability: Potential impact depending on the payload dropped (e.g., web shells or reverse shells used to maintain access).
## Remediation
### Patches
Per the article, CISA requires Federal Civilian Executive Branch (FCEB) agencies to apply the necessary patches by **March 31, 2025**. Specific patch versions are not listed in the text.
### Workarounds
No specific workarounds are listed in the provided article summary.
## Detection
- Specific Indicators of Compromise (IOCs) for these 5 vulnerabilities are not detailed.
- **General Detection:** Monitor systems for evidence of file upload activity to unintended locations, unexpected reverse shell connections originating from the affected software, and unusual SQL query execution patterns against the VeraCore database.
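The general detection guidance above can be turned into concrete checks. The following is an added example, not code from the page or from either vendor: it scans constructed web-server access log lines for (a) uploads to `upload.apsx` whose filename parameter points outside the intended directory, (b) traversal or absolute-path values in any request parameter (the pattern the Ivanti EPM flaws fall under), and (c) SQL injection patterns, and then flags outbound connections initiated by the web worker process to destinations not on an allowlist, which is the footprint a reverse shell leaves. The log format, the process name `w3wp.exe` (assumed here as the IIS worker hosting an ASP.NET application), the destination allowlist and all sample data are assumptions constructed for the example.

```python
"""Constructed detection helpers for the guidance above (added example, not page code)."""
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Traversal sequences or absolute paths (POSIX or Windows drive letter) in a parameter value.
TRAVERSAL_RE = re.compile(r"(\.\./|\.\.\\|^/|^[A-Za-z]:\\)")
# Common SQL injection fragments; intentionally broad, tune to the application's real traffic.
SQLI_RE = re.compile(r"('\s*(or|and)\s|union\s+select|--|;\s*(drop|exec)\b)", re.IGNORECASE)
# Combined-log-style prefix (assumed format): src ident user [ts] "METHOD target HTTP/x" status
WEB_LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Constructed access log lines (not real traffic); addresses are RFC 5737 documentation ranges.
LOG_LINES = [
    '198.51.100.7 - - [10/Mar/2025:12:00:01 +0000] "POST /upload.apsx?filename=report.pdf HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Mar/2025:12:00:02 +0000] "POST /upload.apsx?filename=..%2F..%2Fwwwroot%2Fdropped.aspx HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Mar/2025:12:00:03 +0000] "GET /search?item=%27%20OR%201%3D1-- HTTP/1.1" 200 2048',
    '203.0.113.9 - - [10/Mar/2025:12:00:04 +0000] "GET /report?path=C%3A%5CWindows%5Cwin.ini HTTP/1.1" 200 1024',
    '192.0.2.4 - - [10/Mar/2025:12:00:05 +0000] "GET /index.html HTTP/1.1" 200 4096',
]


def request_params(target):
    """Split a request target into its path and a flat list of decoded parameter values.
    parse_qs already percent-decodes once; the extra unquote catches double encoding."""
    parts = urlsplit(target)
    values = []
    for vals in parse_qs(parts.query, keep_blank_values=True).values():
        values.extend(unquote(v) for v in vals)
    return parts.path, values


def classify_request(line):
    """Return a sorted list of finding labels for one log line, or None if nothing matched."""
    match = WEB_LOG_RE.match(line)
    if not match:
        return None
    path, values = request_params(match.group("target"))
    is_upload_endpoint = path.lower().endswith("/upload.apsx")
    findings = set()
    for value in values:
        if TRAVERSAL_RE.search(value):
            # A traversal/absolute path in an upload filename means the file lands outside
            # the intended directory; elsewhere it is a generic path traversal attempt.
            findings.add("upload-outside-intended-dir" if is_upload_endpoint else "path-traversal")
        if SQLI_RE.search(value):
            findings.add("sql-injection-pattern")
    return sorted(findings) or None


def scan_web_log(lines):
    """Yield (source address, request path, findings) for every line with a finding."""
    results = []
    for line in lines:
        findings = classify_request(line)
        if findings:
            match = WEB_LOG_RE.match(line)
            results.append((match.group("src"), urlsplit(match.group("target")).path, findings))
    return results


# Constructed endpoint network telemetry (assumed schema). w3wp.exe is assumed to be the
# IIS worker process serving the application; the only expected egress is the database server.
NET_EVENTS = [
    {"host": "WEB01", "process": "w3wp.exe", "direction": "outbound", "dst_ip": "198.51.100.20", "dst_port": 1433},
    {"host": "WEB01", "process": "w3wp.exe", "direction": "outbound", "dst_ip": "203.0.113.50", "dst_port": 4444},
    {"host": "WEB01", "process": "svchost.exe", "direction": "outbound", "dst_ip": "203.0.113.50", "dst_port": 443},
]
ALLOWED_EGRESS = {("198.51.100.20", 1433)}  # constructed allowlist: the application's DB server
WEB_WORKER_PROCESSES = {"w3wp.exe"}          # assumption: IIS worker process name


def flag_web_worker_egress(events, allowed, workers=WEB_WORKER_PROCESSES):
    """Flag outbound connections started by the web worker to any destination not allowlisted.
    A web application normally talks only to its backends, so anything else is worth triage."""
    return [
        ev for ev in events
        if ev["direction"] == "outbound"
        and ev["process"].lower() in workers
        and (ev["dst_ip"], ev["dst_port"]) not in allowed
    ]


if __name__ == "__main__":
    for src, path, findings in scan_web_log(LOG_LINES):
        print(f"{src} {path} -> {', '.join(findings)}")
    for ev in flag_web_worker_egress(NET_EVENTS, ALLOWED_EGRESS):
        print(f"{ev['host']}: {ev['process']} -> {ev['dst_ip']}:{ev['dst_port']} not in allowlist")
```

Both checks are deliberately noisy by design: a legitimate filename never needs a traversal sequence, and a web worker should have a short, known egress allowlist, so each match is cheap to triage and a hit on the upload check followed by a new egress from the same host is the sequence the advisory describes (upload, then reverse shell or web shell).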
## References
- CISA KEV Catalog Update: cisa.gov/news-events/alerts/2025/03/10/cisa-adds-five-known-exploited-vulnerabilities-catalog
- XE Group VeraCore Exploitation: thehackernews.com/2025/02/xe-hacker-group-exploits-veracore-zero
- Ivanti EPM PoC Release: thehackernews.com/2025/01/researcher-uncovers-critical-flaws-in