Cybercrime gang exploited VeraCore zero-day vulnerabilities for years CVE-2025-25181 and CVE-2024-57968

XE Group, a cybercriminal organization with a lengthy history of illicit activities, has recently been discovered exploiting zero-day vulnerabilities in VeraCore software, a widely used solution for warehouse management and order fulfillment. These vulnerabilities, identified as CVE-2025-25181 and CVE-2024-57968, have been the targets of XE Group’s malicious activities, specifically aimed at companies operating in the manufacturing and distribution sectors.

Research conducted by Intezer and Solis Security has shed light on the sophisticated tactics employed by XE Group in their cyber operations. One particularly alarming finding was a victim organization, first compromised in 2020, in which XE Group had maintained access to a critical endpoint for over four years. This prolonged access allowed the cybercriminals to move through the organization's systems and potentially extract sensitive information.

XE Group, believed to have origins in Vietnam, is notorious for exploiting known vulnerabilities in web services and platforms, utilizing this access to deploy credit card skimmers, password-stealing malware, and other malicious tools. In addition, they have a history of creating fake websites to deceive users into disclosing personal information and selling stolen data on the dark web. Their use of customized ASPXSpy webshells and obfuscation tactics showcases the group’s technical expertise and dedication to their illegal activities.

The exploitation of the VeraCore zero-day vulnerabilities (CVE-2025-25181 and CVE-2024-57968) was a significant breach discovered by researchers in early November 2024. The compromise of an IIS server hosting VeraCore software led to post-exploitation activities by XE Group, including exfiltration of config files, attempts to access remote systems, and execution of a Remote Access Trojan (RAT) via obfuscated PowerShell commands. The attackers leveraged an SQL injection vulnerability to gain initial access in January 2020 and subsequently exploited an upload validation vulnerability to upload a webshell, enabling them to carry out further malicious actions.
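The upload validation weakness described above is a common pattern: a handler that only rejects a few known-bad extensions, and never looks at the file body, lets server-side script land in a web-served directory. The following Python is an added illustration written for this article; it is not VeraCore or Advantive code and does not describe the actual flaw. It assumes a hypothetical upload handler and places a typical incomplete denylist check beside an allowlist-and-content check, with constructed sample uploads to show how each verdict differs.

```python
import os
import re
import secrets

# Denylist of the kind a weak upload handler might use. It is deliberately
# incomplete: ASP.NET also executes other extensions (e.g. .ashx handlers).
EXECUTABLE_DENYLIST = {".aspx", ".asp"}

# Allowlist of what the (hypothetical) feature actually needs, each paired
# with the magic bytes a genuine file of that type starts with.
ALLOWED_TYPES = {
    ".pdf": (b"%PDF-",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}
MAX_UPLOAD_BYTES = 10 * 1024 * 1024
# Exactly one extension, no separators: blocks "a.png.aspx" and "../x.pdf".
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.[A-Za-z0-9]{1,8}$")


class UploadRejected(ValueError):
    """Raised by validate_upload with a short, loggable reason."""


def weak_is_allowed(filename: str) -> bool:
    """The weak check: denylist on the last extension, body never inspected."""
    ext = os.path.splitext(filename)[1].lower()
    return ext not in EXECUTABLE_DENYLIST


def validate_upload(filename: str, body: bytes) -> str:
    """Hardened check. Returns a server-chosen storage name or raises.

    The client-supplied name is used only to pick the extension; the stored
    name is random so a client can never choose the path it is served from.
    """
    if not SAFE_NAME.match(filename):
        raise UploadRejected("filename contains path separators or extra extensions")
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension {ext} not on allowlist")
    if not body or len(body) > MAX_UPLOAD_BYTES:
        raise UploadRejected("empty or oversized body")
    if not any(body.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        raise UploadRejected(f"body does not look like {ext}")
    return f"{secrets.token_hex(16)}{ext}"


def upload_verdict(filename: str, body: bytes) -> str:
    """Convenience wrapper returning the verdict as a string for logging."""
    try:
        return "accepted as " + validate_upload(filename, body)
    except UploadRejected as exc:
        return "rejected: " + str(exc)


# Constructed sample uploads (not real artifacts from the incident).
SAMPLE_UPLOADS = [
    ("invoice.pdf", b"%PDF-1.7 constructed sample document"),
    ("invoice.pdf", b"<%@ Page %> server-side markup with a .pdf name"),
    ("handler.ashx", b"<%@ WebHandler %> extension missing from the denylist"),
    ("photo.png.aspx", b"\x89PNG\r\n\x1a\n double extension"),
    ("../web.config", b"<configuration/>"),
]

if __name__ == "__main__":
    for name, data in SAMPLE_UPLOADS:
        print(f"{name:18} weak={'pass' if weak_is_allowed(name) else 'block':5} "
              f"hardened={upload_verdict(name, data)}")
```

Run stand-alone, the script prints both verdicts for each sample: the denylist passes everything except the `.aspx` name, while the hardened path accepts only the upload whose name and body agree with an allowlisted type. The same separation applies to any stack: store uploads outside the web root, name them server-side, and treat the client's filename as untrusted input.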

XE Group’s evolution from credit card skimming to exploiting zero-day vulnerabilities showcases their adaptability and increasing sophistication in cyber operations. Their ability to maintain persistent access to systems, as evidenced by the reactivation of a webshell years after deployment, demonstrates their long-term objectives and commitment to nefarious activities. VeraCore maker Advantive took steps to address the upload validation vulnerability in November 2024, temporarily disabling the vulnerable feature. However, there is currently no public information available regarding a patch for CVE-2025-25181.

Overall, the activities of XE Group highlight the ongoing threat posed by cybercriminal organizations and the importance of proactive security measures to safeguard against such malicious actors. The targeted exploitation of zero-day vulnerabilities emphasizes the need for vigilance and prompt response to cybersecurity threats in today’s digital landscape.
