CISA Adds Five Actively Exploited Vulnerabilities in Advantive VeraCore and Ivanti EPM to KEV List

Mar 11, 2025Ravie LakshmananEnterprise Security / Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added five security flaws impacting Advantive VeraCore and Ivanti Endpoint Manager (EPM) to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation in the wild.

The list of vulnerabilities is as follows –

• CVE-2024-57968 – An unrestricted file upload vulnerability in Advantive VeraCore that allows a remote unauthenticated attacker to upload files to unintended folders via upload.apsx
• CVE-2025-25181 – An SQL injection vulnerability in Advantive VeraCore that allows a remote attacker to execute arbitrary SQL commands
• CVE-2024-13159 – An absolute path traversal vulnerability in Ivanti EPM that allows a remote unauthenticated attacker to leak sensitive information
• CVE-2024-13160 – An absolute path traversal vulnerability in Ivanti EPM that allows a remote unauthenticated attacker to leak sensitive information
• CVE-2024-13161 – An absolute path traversal vulnerability in Ivanti EPM that allows a remote unauthenticated attacker to leak sensitive information

The exploitation of VeraCore vulnerabilities has been attributed to likely a Vietnamese threat actor named XE Group, which has been observed dropping reverse shells and web shells to maintain persistent remote access to compromised systems.

On the other hand, there are currently no public reports about how the three Ivanti EPM flaws are being weaponized in real-world attacks. A proof-of-concept (PoC) exploit was released by Horizon3.ai last month. The cybersecurity company described them as “credential coercion” bugs that could allow an unauthenticated attacker to compromise the servers.

In light of active exploitation, it’s essential that Federal Civilian Executive Branch (FCEB) agencies apply the necessary patches by March 31, 2025.

The development comes as threat intelligence firm GreyNose warned of mass exploitation of CVE-2024-4577, a critical vulnerability impacting PHP-CGI, with spikes in attack activity targeting Japan, Singapore, Indonesia, the United Kingdom, Spain, and India.

“More than 43% of IPs targeting CVE-2024-4577 in the past 30 days are from Germany and China,” GreyNoise said, adding it “detected a coordinated spike in exploitation attempts against networks in multiple countries, suggesting additional automated scanning for vulnerable targets” in February.