Threat actors have been observed exploiting multiple security flaws in various software products, including Progress Telerik UI for ASP.NET AJAX and Advantive VeraCore, to drop reverse shells and web shells, and maintain persistent remote access to compromised systems.
The zero-day exploitation of security flaws in VeraCore has been attributed to a threat actor known as XE Group, a cybercrime group likely of Vietnamese origin that’s known to be active since at least 2010.
“XE Group transitioned from credit card skimming to targeted information theft, marking a significant shift in their operational priorities,” cybersecurity firm Intezer said in a report published in collaboration with Solis Security.
“Their attacks now target supply chains in the manufacturing and distribution sectors, leveraging new vulnerabilities and advanced tactics.”
The vulnerabilities in question are listed below –
- CVE-2024-57968 (CVSS score: 9.9) – An unrestricted upload of files with a dangerous type vulnerability that allows remote authenticated users to upload files to unintended folders (Fixed in VeraCore version 2024.4.2.1)
- CVE-2025-25181 (CVSS score: 5.8) – An SQL injection vulnerability that allows remote attackers to execute arbitrary SQL commands (No patch available)
The latest findings from Intezer and Solis Security show that the shortcomings are being chained to deploy ASPXSpy web shells for unauthorized access to infected systems, in one instance leveraging CVE-2025-25181 as far back as early 2020. The exploitation activity was discovered in November 2024.
The web shells come fitted with capabilities to enumerate the file system, exfiltrate files, and compress them using tools like 7z. The access is also abused to drop a Meterpreter payload that attempts to connect to an actor-controlled server (“222.253.102[.]94:7979”) via a Windows socket.
The updated variant of the web shell also incorporates a variety of features to facilitate network scanning, command execution, and running SQL queries to extract critical information or modify existing data.
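The chain described above (a file upload that lands a script in a folder the application only meant for data, followed by requests to that script and an outbound Meterpreter connection) leaves two log-level traces a defender can hunt for. The following is an added example, not code from the Intezer/Solis report; it assumes IIS W3C logging with the fields shown, an application upload directory under a path containing `/uploads/` (an assumption, not a VeraCore path), and Sysmon-style network events reduced to (process, destination IP, destination port) tuples. All log lines are constructed.

```python
import re

# C2 endpoint from the report, refanged from "222.253.102[.]94:7979" for matching.
C2_IP, C2_PORT = "222.253.102.94", 7979
WEBSHELL_NAMES = {"aspxspy"}  # web shell family named in the report

# Constructed IIS W3C sample. Fields:
# date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
IIS_LOG = """\
2024-11-02 10:01:12 10.0.0.5 POST /VeraCore/Upload.aspx - 443 203.0.113.7 200
2024-11-02 10:01:40 10.0.0.5 GET /VeraCore/uploads/aspxspy.aspx - 443 203.0.113.7 200
2024-11-02 10:02:03 10.0.0.5 POST /VeraCore/uploads/aspxspy.aspx cmd=exec 443 203.0.113.7 200
2024-11-02 10:03:15 10.0.0.5 POST /VeraCore/uploads/img01.aspx - 443 203.0.113.7 200
2024-11-02 10:05:00 10.0.0.5 GET /VeraCore/Default.aspx - 443 198.51.100.9 200
"""
IIS_RE = re.compile(r"^(\S+ \S+) \S+ (\w+) (\S+) (\S+) \d+ (\S+) (\d{3})$")

def webshell_hits(log_text):
    """Flag any request for a .aspx file under an upload directory: a folder
    that should only ever hold data is being asked to execute server code."""
    hits = []
    for line in log_text.splitlines():
        m = IIS_RE.match(line)
        if not m:
            continue
        ts, method, uri, query, client, status = m.groups()
        path = uri.lower()
        if "/uploads/" in path and path.endswith(".aspx"):
            hits.append({
                "time": ts, "client": client, "method": method, "uri": uri,
                # True only when the file name matches a known family; an
                # unknown name in the same place is still a hit.
                "known_family": any(n in path for n in WEBSHELL_NAMES),
            })
    return hits

# Constructed network events: (process image, destination IP, destination port).
NET_EVENTS = [
    ("w3wp.exe", "10.0.0.20", 1433),          # IIS worker talking to SQL: expected
    ("w3wp.exe", "222.253.102.94", 7979),     # IIS worker reaching the reported C2
    ("chrome.exe", "93.184.216.34", 443),
]

def c2_hits(events):
    """Return events whose destination matches the reported Meterpreter C2."""
    return [e for e in events if e[1] == C2_IP and e[2] == C2_PORT]

if __name__ == "__main__":
    for h in webshell_hits(IIS_LOG):
        print("web shell candidate:", h)
    for e in c2_hits(NET_EVENTS):
        print("C2 connection from", e[0])
```

The IP match is an exact-indicator check and will only ever catch this one server; the upload-directory rule is the durable part, because it keys on the condition the CVE creates rather than on the actor's infrastructure.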
While previous attacks mounted by XE Group have weaponized known vulnerabilities, namely flaws in Telerik UI for ASP.NET (CVE-2017-9248 and CVE-2019-18935, CVSS scores: 9.8), the development marks the first time the hacking crew has been attributed to zero-day exploitation, indicating an increase in sophistication.
“Their ability to maintain persistent access to systems, as seen with the reactivation of a web shell years after initial deployment, highlights the group’s commitment to long-term objectives,” researchers Nicole Fishbein, Joakim Kennedy, and Justin Lentz said.
“By targeting supply chains in the manufacturing and distribution sectors, XE Group not only maximizes the impact of their operations but also demonstrates an acute understanding of systemic vulnerabilities.”
CVE-2019-18935, which was flagged by U.K. and U.S. government agencies in 2021 as one of the most exploited vulnerabilities, has also come under active exploitation as recently as last month to load a reverse shell and execute follow-up reconnaissance commands via cmd.exe.
“While the vulnerability in Progress Telerik UI for ASP.NET AJAX is several years old, it continues to be a viable entry point for threat actors,” eSentire said. “This highlights the importance of patching systems, especially if they are going to be exposed to the internet.”
The development comes as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added five security flaws to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.
- CVE-2025-0411 (CVSS score: 7.0) – 7-Zip Mark of the Web Bypass Vulnerability
- CVE-2022-23748 (CVSS score: 7.8) – Dante Discovery Process Control Vulnerability
- CVE-2024-21413 (CVSS score: 9.8) – Microsoft Outlook Improper Input Validation Vulnerability
- CVE-2020-29574 (CVSS score: 9.8) – CyberoamOS (CROS) SQL Injection Vulnerability
- CVE-2020-15069 (CVSS score: 9.8) – Sophos XG Firewall Buffer Overflow Vulnerability
Last week, Trend Micro revealed that Russian cybercrime outfits are exploiting CVE-2025-0411 to distribute the SmokeLoader malware as part of spear-phishing campaigns targeting Ukrainian entities.
The exploitation of CVE-2020-29574 and CVE-2020-15069, on the other hand, has been linked to a Chinese espionage campaign tracked by Sophos under the moniker Pacific Rim.
There are currently no reports on how CVE-2024-21413, also tracked as MonikerLink by Check Point, is being exploited in the wild. As for CVE-2022-23748, Check Point disclosed in late 2022 that it observed the ToddyCat threat actor leveraging a DLL side-loading vulnerability in Audinate Dante Discovery (“mDNSResponder.exe”).
Federal Civilian Executive Branch (FCEB) agencies are mandated to apply the necessary updates by February 27, 2025, under Binding Operational Directive (BOD) 22-01 to safeguard against active threats.