CyberSecurity SEE

XE Hacker Group Utilizes VeraCore Zero-Day to Install Persistent Web Shells

Threat actors have been targeting multiple vulnerabilities in software products, such as Progress Telerik UI for ASP.NET AJAX and Advantive VeraCore, to exploit systems and maintain unauthorized access, a recent report revealed.

The exploitation of zero-day vulnerabilities in VeraCore has been linked to a cybercrime group known as XE Group, believed to be of Vietnamese origin and active since 2010. The group, previously involved in credit card skimming, has shifted its focus to targeted information theft, particularly in supply chains in the manufacturing and distribution sectors. According to a report by cybersecurity firm Intezer, in collaboration with Solis Security, XE Group’s tactics now involve leveraging new vulnerabilities and advanced techniques to achieve its objectives.

The vulnerabilities being exploited include CVE-2024-57968 and CVE-2025-25181 in VeraCore, with different severity levels. These vulnerabilities allow threat actors to upload files to unintended folders and execute arbitrary SQL commands remotely, respectively. The exploitation of these vulnerabilities has enabled the deployment of ASPXSpy web shells, allowing unauthorized access to compromised systems. The use of these web shells grants attackers the ability to enumerate the file system, exfiltrate files, and execute commands, including running SQL queries.
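A defender reading this would want a way to spot a web shell dropped into an unintended folder of an IIS web root. The following is an added hunt script, not code from the report or from VeraCore: it diffs the web root against a baseline manifest and flags new or modified ASP.NET script files that contain process-execution or raw SQL markers. The marker list and the sample files are constructed for illustration, not signatures taken from the report.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Illustrative markers typical of ASP.NET web shells (constructed, not a vendor signature):
# process execution, raw SQL execution, file-system listing, file upload handling.
SUSPICIOUS = re.compile(r"Process\.Start|SqlCommand|Directory\.GetFiles|Request\.Files", re.I)
SCRIPT_EXTS = {".aspx", ".ashx", ".asmx", ".asax"}


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def build_baseline(webroot: Path) -> dict:
    """Record a hash for every file under the web root at a known-good point in time."""
    return {str(p.relative_to(webroot)): sha256_of(p) for p in webroot.rglob("*") if p.is_file()}


def hunt(webroot: Path, baseline: dict) -> list:
    """Return new or changed script files, with the suspicious markers found in each."""
    findings = []
    for p in webroot.rglob("*"):
        if not p.is_file():
            continue
        rel = str(p.relative_to(webroot))
        if baseline.get(rel) == sha256_of(p):
            continue  # unchanged since the baseline was taken
        if p.suffix.lower() not in SCRIPT_EXTS:
            continue  # only server-side script files can act as a web shell
        reason = "new file" if rel not in baseline else "modified file"
        text = p.read_text(errors="ignore")
        markers = sorted({m.group(0) for m in SUSPICIOUS.finditer(text)})
        findings.append({"path": rel, "reason": reason, "markers": markers})
    return findings


def demo() -> list:
    """Constructed scenario: a legitimate page in the baseline, then a shell dropped under bin/."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "Default.aspx").write_text('<%@ Page Language="C#" %>')
        baseline = build_baseline(root)
        (root / "bin" / "x.aspx").write_text(
            '<%@ Page Language="C#" %><% System.Diagnostics.Process.Start(Request["c"]);'
            ' new System.Data.SqlClient.SqlCommand(Request["q"]); %>')
        return hunt(root, baseline)


if __name__ == "__main__":
    print(demo())
```

In practice the baseline is taken from a clean deployment and the hunt is scheduled against the live web root, so that any script file appearing outside the expected upload paths is reviewed promptly.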

XE Group’s utilization of zero-day exploits marks a significant escalation in their capabilities, transitioning from known vulnerabilities to previously undiscovered weaknesses. This shift demonstrates their increasing sophistication and commitment to long-term objectives, as evidenced by their ability to maintain access to systems over an extended period.

The recent additions to the Known Exploited Vulnerabilities catalog by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) highlight the growing threat landscape. Five new vulnerabilities, including CVE-2025-0411, CVE-2022-23748, CVE-2024-21413, CVE-2020-29574, and CVE-2020-15069, have been identified as actively exploited. These vulnerabilities have been targeted by various threat groups worldwide to distribute malware and gain unauthorized access to systems.

Furthermore, Trend Micro’s recent findings indicate that Russian cybercrime groups are leveraging CVE-2025-0411 to distribute malware in spear-phishing campaigns, targeting specific entities in Ukraine. Additionally, Chinese espionage campaigns have been linked to the exploitation of CVE-2020-29574 and CVE-2020-15069, highlighting the global impact of these vulnerabilities.

To mitigate the risks associated with these vulnerabilities, Federal Civilian Executive Branch (FCEB) agencies are required to apply the necessary updates by February 27, 2025, as part of Binding Operational Directive (BOD) 22-01. This directive aims to enhance cybersecurity posture and protect federal systems against active threats.

In conclusion, the evolving threat landscape underscores the importance of proactive cybersecurity measures, including timely patching and vulnerability management. Organizations must remain vigilant and implement best practices to defend against emerging cyber threats.
