Dive Brief:
- Researchers discovered two actively exploited zero-day vulnerabilities in the warehouse management software platform VeraCore.
- The zero-day flaws were used in cyberattacks by a cybercriminal gang known as XE Group, which was first observed in 2013 and has previously focused on credit card-skimming and password-stealing malware, according to researchers at Intezer and Solis Security, who spotted the attacks.
- XE Group used the VeraCore vulnerabilities -- which were first exploited as far back as 2020 -- to compromise manufacturing and distribution sector supply chains.
Dive Insight:
The VeraCore zero-day vulnerabilities include CVE-2024-57968, which is a critical upload validation flaw with a CVSS score of 9.9, and CVE-2025-25181, a medium-severity SQL injection flaw with a CVSS score of 5.8. The flaws were discovered after an XE Group attack was identified on Nov. 5, according to a joint blog post from Intezer and Solis.
Threat actors compromised a Microsoft Internet Information Services (IIS) server hosting VeraCore's warehouse management system software, according to the report. Further analysis of the incident revealed the IIS server was first breached in January 2020 through the then-unknown SQL injection zero-day flaw.
XE Group deployed customized webshells, which the researchers described as "highly versatile" tools for maintaining persistent access to victim environments as well as for running SQL queries. In the case of the compromised IIS server, XE Group re-used a webshell that had been planted four years earlier.
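The two detection angles in the paragraph above (a server-side script executing from a location meant for uploaded content, and a script file that has sat untouched for years) can be hunted for directly in IIS W3C logs and file metadata. The following Python is an added example written for this article, not code from the researchers or from VeraCore/Advantive: the log lines and file list are constructed, and the upload directory names are assumptions that should be replaced with the application's real content paths.

```python
"""
Hunt for webshell indicators on an IIS server: requests that execute a
server-side script from an upload directory, and script files under those
directories whose last-modified time is years old (a dormant implant).

Added example; the sample log, file list and directory names below are
constructed, not taken from the article or from any real deployment.
"""
from collections import Counter
from datetime import datetime, timedelta

# Extensions IIS hands to a server-side handler. A file with one of these
# sitting where only user-uploaded documents belong is a classic webshell sign.
SCRIPT_EXTS = (".aspx", ".ashx", ".asmx", ".asp", ".soap")
# Assumption: directories that should hold uploaded data only, never code.
UPLOAD_DIRS = ("/uploads/", "/attachments/", "/content/")

# Constructed W3C-format IIS log excerpt (15 fields per line).
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2024-11-05 03:12:44 10.0.0.5 GET /default.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 31
2024-11-05 03:13:02 10.0.0.5 POST /uploads/invoice.pdf - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 12
2024-11-05 03:14:10 10.0.0.5 POST /uploads/x.aspx - 443 - 203.0.113.7 python-requests/2.31 - 200 0 0 240
2024-11-05 03:14:15 10.0.0.5 POST /uploads/x.aspx - 443 - 203.0.113.7 python-requests/2.31 - 200 0 0 188
2024-11-05 03:20:00 10.0.0.5 GET /scripts/app.aspx - 443 - 198.51.100.9 Mozilla/5.0 https://example.test/ 200 0 0 20
"""

# Constructed (web path, last-modified) pairs as a file-system scan would yield.
SAMPLE_FILES = [
    ("/uploads/x.aspx", datetime(2020, 1, 14)),
    ("/uploads/invoice.pdf", datetime(2024, 11, 5)),
    ("/default.aspx", datetime(2019, 6, 1)),
]


def parse_iis_log(text):
    """Parse W3C IIS log text into dicts keyed by the names in the #Fields line."""
    fields, entries = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column layout can change mid-file
            continue
        if line.startswith("#") or fields is None:
            continue  # other directives, or data before any #Fields header
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than misalign columns
        entries.append(dict(zip(fields, values)))
    return entries


def is_script_in_upload_dir(uri_stem):
    """True when the path is a server-side script located under an upload directory."""
    path = uri_stem.lower()
    return path.endswith(SCRIPT_EXTS) and any(d in path for d in UPLOAD_DIRS)


def find_webshell_candidates(entries):
    """Log entries where a script under an upload directory was served successfully."""
    return [e for e in entries
            if is_script_in_upload_dir(e["cs-uri-stem"]) and e["sc-status"] == "200"]


def clients_by_hits(candidates):
    """Count candidate requests per client IP to prioritise follow-up."""
    return Counter(e["c-ip"] for e in candidates)


def stale_script_files(files, now, max_age_days=365):
    """Script files under upload directories not modified within max_age_days.

    A webshell planted long ago and revisited years later looks exactly like this:
    executable code in a data directory, with a modification time nobody expects.
    """
    cutoff = now - timedelta(days=max_age_days)
    return [path for path, mtime in files
            if is_script_in_upload_dir(path) and mtime < cutoff]


if __name__ == "__main__":
    hits = find_webshell_candidates(parse_iis_log(SAMPLE_LOG))
    for e in hits:
        print(f"{e['date']} {e['time']} {e['c-ip']} {e['cs-method']} {e['cs-uri-stem']}")
    print("per-client:", dict(clients_by_hits(hits)))
    print("stale scripts:", stale_script_files(SAMPLE_FILES, datetime(2024, 11, 5)))
```

The log check catches the implant only while it is being used, so pair it with the file-system check, which is what surfaces a shell that was dropped years earlier and has been dormant since; both lists are meant to feed triage, not to be auto-blocked, because a legitimate handler misplaced under an upload path will trigger them too.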
The cybersecurity vendors warned that XE Group is targeting supply chains in the manufacturing and distribution industries. While XE Group was known for its prolific credit card-skimming operation, the researchers said the gang has increased its capabilities.
"XE Group's evolution from credit card skimming operations to exploiting zero-day vulnerabilities underscores their adaptability and growing sophistication," the blog post said. "Their ability to maintain persistent access to systems, as seen with the reactivation of a webshell years after initial deployment, highlights the group's commitment to long-term objectives."
The researchers noted that Advantive released a temporary fix for CVE-2024-57968, which removed the upload feature from VeraCore. It's unclear, however, if CVE-2025-25181 has been patched.
In response to a Cybersecurity Dive inquiry, an Advantive spokesperson provided this statement: "At this time, there are no known active threats to VeraCore software. Advantive continuously evaluates and enhances security measures to prevent unauthorized access and ensure the highest cybersecurity standards."