CISA recently updated its Known Exploited Vulnerabilities catalog, adding five vulnerabilities that are actively being exploited. These affect Advantive VeraCore, used for warehouse and order management in logistics, and Ivanti Endpoint Manager, used for managing and securing endpoints like computers and mobile devices. Federal agencies must patch these by March 31, 2025, to comply with security directives.
CISA Has Added Five Vulnerabilities To Its KEV List
On March 10, 2025, CISA announced the inclusion of five vulnerabilities in its Known Exploited Vulnerabilities catalog. The affected products, Advantive VeraCore and Ivanti Endpoint Manager, are enterprise-level solutions critical to their respective industries. Advantive VeraCore is a SaaS platform for order and warehouse management, catering to third-party logistics and fulfillment companies. It integrates functions like inventory management and eCommerce, making it a backbone for operational efficiency.
Ivanti Endpoint Manager is designed for endpoint management and security, supporting devices across Windows, macOS, and IoT systems, essential for hybrid work environments. Federal Civilian Executive Branch agencies are mandated to remediate these vulnerabilities by March 31, 2025, under Binding Operational Directive 22-01.
Technical Details of Vulnerabilities
Unrestricted File Upload Vulnerability (CVE-2024-57968). This flaw in Advantive VeraCore permits remote unauthenticated attackers to upload files via the upload.aspx endpoint without restrictions. Such vulnerabilities typically arise from inadequate input validation, allowing attackers to upload executable scripts or shells. The XE Group, identified as a likely Vietnamese threat actor, has been exploiting this to drop reverse or web shells, enabling remote control of compromised servers. Reverse shells allow attackers to execute commands from their machines, while web shells provide a command-line interface via web access, both facilitating unauthorized access.
SQL Injection Vulnerability (CVE-2025-25181). Also affecting Advantive VeraCore, this SQL injection vulnerability allows remote attackers to inject and execute arbitrary SQL commands. This can lead to data extraction, modification, or deletion, and in severe cases, server compromise if the database has elevated privileges. The XE Group’s exploitation involves dropping reverse or web shells, suggesting a strategy to escalate access for further malicious activities.
Absolute Path Traversal Vulnerabilities (CVE-2024-13159, CVE-2024-13160, CVE-2024-13161). These three vulnerabilities in Ivanti EPM are absolute path traversal flaws, allowing remote unauthenticated attackers to access files and directories outside the intended root. Path traversal exploits manipulate file paths, often using sequences like “../../” to navigate up directories, accessing sensitive files such as configuration data or user credentials.
While there are no public reports of real-world attacks, Horizon3.ai released a proof-of-concept, indicating potential for exploitation. This PoC demonstrates how attackers could craft requests to leak sensitive information, posing a significant risk.
Potential Impact and Risk Assessment
These vulnerabilities pose severe risks due to their enterprise-level usage and active exploitation. Unrestricted file upload and SQL injection flaws threaten critical business data, including customer orders and inventory details, essential for 3PL companies. Reports indicate XE Group has exploited these vulnerabilities, likely for espionage or data exfiltration.
Given their suspected Vietnamese origin, attacks could disrupt logistics operations, causing financial and reputational damage. Path traversal flaws in Ivanti EPM risk exposing sensitive data, which could facilitate credential stuffing or lateral movement. A breach could compromise entire networks, endangering industries like government and healthcare.
