Menace actors have been noticed exploiting a number of security flaws in numerous software program merchandise, together with Progress Telerik UI for ASP.NET AJAX and Advantive VeraCore, to drop reverse shells and internet shells, and preserve persistent distant entry to compromised methods.
The zero-day exploitation of security flaws in VeraCore has been attributed to a menace actor referred to as XE Group, a cybercrime group doubtless of Vietnamese origin that is recognized to be energetic since no less than 2010.
“XE Group transitioned from bank card skimming to focused info theft, marking a big shift of their operational priorities,” cybersecurity agency Intezer stated in a report printed in collaboration with Solis Safety.
“Their assaults now goal provide chains within the manufacturing and distribution sectors, leveraging new vulnerabilities and superior techniques.”
The vulnerabilities in query are listed beneath –
- CVE-2024-57968 (CVSS rating: 9.9) – An unrestricted add of information with a harmful sort vulnerability that enables distant authenticated customers to add information to unintended folders (Fastened in VeraCode model 2024.4.2.1)
- CVE-2025-25181 (CVSS rating: 5.8) – An SQL injection vulnerability that enables distant attackers to execute arbitrary SQL instructions (No patch accessible)
The most recent findings from Intezer and Solis Safety present that the shortcomings are being chained to deploy ASPXSpy internet shells for unauthorized entry to contaminated methods, in a single occasion leveraging CVE-2025-25181 way back to early 2020. The exploitation exercise was found in November 2024.
The online shells come fitted with capabilities to enumerate the file system, exfiltrate information, and compress them utilizing instruments like 7z. The entry can be abused to drop a Meterpreter payload that makes an attempt to connect with an actor-controlled server (“222.253.102[.]94:7979”) through a Home windows socket.
The up to date variant of the net shell additionally incorporates quite a lot of options to facilitate community scanning, command execution, and working SQL queries to extract crucial info or modify present knowledge.
Whereas earlier assaults mounted by XE Group have weaponized recognized vulnerabilities, particularly flaws in Telerik UI for ASP.NET (CVE-2017-9248 and CVE-2019-18935, CVSS scores: 9.8), the event marks the primary time the hacking crew has been attributed to zero-day exploitation, indicating a rise in sophistication.
“Their potential to take care of persistent entry to methods, as seen with the reactivation of an online shell years after preliminary deployment, highlights the group’s dedication to long-term targets,” researchers Nicole Fishbein, Joakim Kennedy, and Justin Lentz stated.
“By focusing on provide chains within the manufacturing and distribution sectors, XE Group not solely maximizes the influence of their operations but additionally demonstrates an acute understanding of systemic vulnerabilities.”
CVE-2019-18935, which was flagged by U.Okay. and U.S. authorities businesses in 2021 as one of the crucial exploited vulnerabilities, has additionally come beneath energetic exploitation as lately as final month to load a reverse shell and execute follow-up reconnaissance instructions through cmd.exe.
“Whereas the vulnerability in Progress Telerik UI for ASP.NET AJAX is a number of years previous, it continues to be a viable entry level for menace actors,” eSentire stated. “This highlights the significance of patching methods, particularly if they’ll be uncovered to the web.”
CISA Provides 5 Flaws to KEV Catalog
The event comes because the U.S. Cybersecurity and Infrastructure Safety Company (CISA) added 5 security flaws to its Identified Exploited Vulnerabilities (KEV) catalog, primarily based on proof of energetic exploitation.
- CVE-2025-0411 (CVSS rating: 7.0) – 7-Zip Mark of the Internet Bypass Vulnerability
- CVE-2022-23748 (CVSS rating: 7.8) – Dante Discovery Course of Management Vulnerability
- CVE-2024-21413 (CVSS rating: 9.8) – Microsoft Outlook Improper Enter Validation Vulnerability
- CVE-2020-29574 (CVSS rating: 9.8) – CyberoamOS (CROS) SQL Injection Vulnerability
- CVE-2020-15069 (CVSS rating: 9.8) – Sophos XG Firewall Buffer Overflow Vulnerability
Final week, Pattern Micro revealed that Russian cybercrime outfits are exploiting CVE-2025-0411 to distribute the SmokeLoader malware as a part of spear-phishing campaigns focusing on Ukrainian entities.
The exploitation of CVE-2020-29574 and CVE-2020-15069, however, has been linked to a Chinese language espionage marketing campaign tracked by Sophos beneath the moniker Pacific Rim.
There are presently no studies on how CVE-2024-21413, additionally tracked as MonikerLink by Test Level, is being exploited within the wild. As for CVE-2022-23748, the cybersecurity firm disclosed in late 2022 that it noticed the ToddyCat menace actor leveraging a DLL side-loading vulnerability in Audinate Dante Discovery (“mDNSResponder.exe”).
Federal Civilian Govt Department (FCEB) businesses are mandated to use the required updates by February 27, 2025, beneath Binding Operational Directive (BOD) 22-01 to safeguard towards energetic threats.
