CISA Adds Five Actively Exploited Vulnerabilities in Advantive VeraCore and Ivanti EPM to KEV List

Mar 11, 2025Ravie LakshmananEnterprise Security / Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added five security flaws impacting Advantive VeraCore and Ivanti Endpoint Manager (EPM) to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation in the wild.

The list of vulnerabilities is as follows –

• CVE-2024-57968 – An unrestricted file upload vulnerability in Advantive VeraCore that allows a remote unauthenticated attacker to upload files to unintended folders via upload.apsx
• CVE-2025-25181 – An SQL injection vulnerability in Advantive VeraCore that allows a remote attacker to execute arbitrary SQL commands
• CVE-2024-13159 – An absolute path traversal vulnerability in Ivanti EPM that allows a remote unauthenticated attacker to leak sensitive information
• CVE-2024-13160 – An absolute path traversal vulnerability in Ivanti EPM that allows a remote unauthenticated attacker to leak sensitive information
• CVE-2024-13161 – An absolute path traversal vulnerability in Ivanti EPM that allows a remote unauthenticated attacker to leak sensitive information

The exploitation of VeraCore vulnerabilities has been attributed to likely a Vietnamese threat actor named XE Group, which has been observed dropping reverse shells and web shells to maintain persistent remote access to compromised systems.

On the other hand, there are currently no public reports about how the three Ivanti EPM flaws are being weaponized in real-world attacks. A proof-of-concept (PoC) exploit was released by Horizon3.ai last month. The cybersecurity company described them as “credential coercion” bugs that could allow an unauthenticated attacker to compromise the servers.

In light of active exploitation, it’s essential that Federal Civilian Executive Branch (FCEB) agencies apply the necessary patches by March 31, 2025.

The development comes as threat intelligence firm GreyNose warned of mass exploitation of CVE-2024-4577, a critical vulnerability impacting PHP-CGI, with spikes in attack activity targeting Japan, Singapore, Indonesia, the United Kingdom, Spain, and India.

“More than 43% of IPs targeting CVE-2024-4577 in the past 30 days are from Germany and China,” GreyNoise said, adding it “detected a coordinated spike in exploitation attempts against networks in multiple countries, suggesting additional automated scanning for vulnerable targets” in February.

Upgrade your audio game with the Logitech for Creators Blue Yeti USB Microphone. With over 33,730 ratings and an impressive 4.6 out of 5 stars, it’s no wonder this is an Amazon’s Choice product. Recently, 5K+ units were purchased in the past month.

Available in five stunning colors: Teal, Silver, Pink Dawn, Midnight Blue, and Blackout, this microphone is perfect for creators looking to produce exceptional audio. Priced at only $84.99, it’s a deal you can’t afford to miss.

Elevate your recordings with clear broadcast-quality sound and explore your creativity with enhanced effects, advanced modulation, and HD audio samples. Order now for just $84.99 on Amazon!

Help Power Techcratic’s Future – Scan To Support

If Techcratic’s content and insights have helped you, consider giving back by supporting the platform with crypto. Every contribution makes a difference, whether it’s for high-quality content, server maintenance, or future updates. Techcratic is constantly evolving, and your support helps drive that progress.

As a solo operator who wears all the hats, creating content, managing the tech, and running the site, your support allows me to stay focused on delivering valuable resources. Your support keeps everything running smoothly and enables me to continue creating the content you love. I’m deeply grateful for your support, it truly means the world to me! Thank you!