Cybercrime gang exploited VeraCore zero-day vulnerabilities for years (CVE-2025-25181, CVE-2024-57968)
XE Group, a cybercriminal outfit that has been active for over a decade, has been quietly exploiting zero-day vulnerabilities (CVE-2025-25181, CVE-2024-57968) in VeraCore software, a popular solution for warehouse management and order fulfillment.
According to Intezer and Solis Security researchers, their targets are companies in the manufacturing and distribution sectors.
“In one instance, the group was found to have compromised an organization in 2020, maintaining persistent access to an endpoint for over four years,” Intezer researchers Nicole Fishbein, Joakim Kennedy and Justin Lentz shared.
Who is XE Group?
XE Group is believed to have Vietnamese origins. It’s known for exploiting known vulnerabilities in externally facing web services and platforms and using the access gained to deploy credit card skimmers and password-stealing malware.
They have also been known for creating fake websites to trick users into revealing personal information, and selling stolen data on the dark web.
“The group utilizes customized ASPXSpy webshells, which provide unauthorized server access, with communication authenticated by unique base64-encoded strings such as ‘XeThanh|XeGroups.’ Obfuscation tactics include disguising executables as PNG files, which, when executed, establish reverse shells communicating with domains like xegroups[.]com,” the researchers noted.
“In 2010, they developed AutoIT scripts for automating email generation and validating stolen credit card data. By 2013, they had created the ‘Snipr’ credential-stuffing toolkit, targeting global point-of-sale systems.”
The most curious thing about these attackers is their continued use of the XE Group name and certain pseudonyms for domains, variable names, user agents, and various accounts (email, GitHub, social media), which suggests they are not overly concerned about concealing their identities or being tied to specific attack activity.
Exploitation of VeraCore zero-day vulnerabilities (CVE-2025-25181, CVE-2024-57968)
Researchers discovered the compromise of one victim’s IIS server hosting VeraCore software in early November 2024, when post-exploitation activity originating from a webshell was detected.
“Upon investigating, Solis Security identified a few unique techniques the threat actor leveraged after gaining access to the system including: the exfiltration of web application config files, attempts to access remote systems, and attempts to execute a Remote Access Trojan (RAT) via obfuscated PowerShell commands to reflectively load shellcode into memory,” Intezer researchers shared.
A subsequent investigation dated the initial compromise of the server to January 2020, when the attackers obtained valid credentials by exploiting an SQL injection vulnerability (CVE-2025-25181) in the VeraCore application, then used those credentials to authenticate to it and exploit an upload validation vulnerability (CVE-2024-57968) in the app to upload a webshell.
The attackers “came back” in 2023, when they used a newer webshell to fetch configuration files from the web application and browse the application’s file directories. In November 2024, after uploading a newer ASPXSpy webshell variant to a different directory, they attempted to perform the actions identified by Solis Security. The webshell also allowed them to perform network and database reconnaissance and manipulation, and exfiltrate files and critical information.
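Two of the tradecraft details above lend themselves to simple triage checks on a suspected host: executables disguised as PNG files (which fail the PNG signature check) and ASPXSpy webshells dropped into upload directories and authenticated with the ‘XeThanh|XeGroups’ string. The following Python is an added example written for this article, not code from Intezer or Solis Security; the file blobs, paths and log lines are constructed samples, and the IIS-style log format is assumed.

```python
import base64
import re

# PNG files must start with this 8-byte signature; Windows PE executables start with "MZ".
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
PE_MAGIC = b"MZ"

# Authentication string the researchers attribute to XE Group's ASPXSpy variants,
# checked both as plaintext and in its base64 form.
XE_TOKEN = "XeThanh|XeGroups"
XE_TOKEN_B64 = base64.b64encode(XE_TOKEN.encode()).decode()


def classify_png_payload(name: str, data: bytes) -> str:
    """Return a verdict for a file that claims (by extension) to be a PNG image."""
    if not name.lower().endswith(".png"):
        return "not-png-extension"
    if data.startswith(PNG_MAGIC):
        return "png"
    if data.startswith(PE_MAGIC):
        return "pe-disguised-as-png"   # executable wearing a .png name
    return "non-png-content"


def scan_log_lines(lines):
    """Flag log lines carrying the XE token or .aspx requests under an upload path."""
    hits = []
    for line in lines:
        reasons = []
        if XE_TOKEN in line or XE_TOKEN_B64 in line:
            reasons.append("xe-group-token")
        if re.search(r"/upload[^ ]*\.aspx", line, re.IGNORECASE):
            reasons.append("aspx-under-upload-dir")
        if reasons:
            hits.append((line, reasons))
    return hits


# Constructed sample data (not from the incident) that exercises both checks.
SAMPLE_FILES = {
    "logo.png": PNG_MAGIC + b"\x00" * 16,                      # genuine PNG header
    "update.png": PE_MAGIC + b"\x90\x00\x03\x00" + b"\x00" * 12,  # PE header, .png name
}
SAMPLE_LOGS = [
    "2024-11-03 10:00:01 GET /app/login.aspx - 443 203.0.113.10 Mozilla/5.0 200",
    "2024-11-03 10:02:17 POST /uploads/xe.aspx auth=" + XE_TOKEN_B64 + " 443 203.0.113.10 Mozilla/5.0 200",
]

if __name__ == "__main__":
    for fname, blob in SAMPLE_FILES.items():
        print(fname, classify_png_payload(fname, blob))
    for line, why in scan_log_lines(SAMPLE_LOGS):
        print(why, line)
```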
“XE Group’s evolution from credit card skimming operations to exploiting zero-day vulnerabilities underscores their adaptability and growing sophistication. Their ability to maintain persistent access to systems, as seen with the reactivation of a webshell years after initial deployment, highlights the group’s commitment to long-term objectives,” Intezer researchers concluded.
The upload validation vulnerability (CVE-2024-57968) was defanged in November 2024 by VeraCore maker Advantive, which temporarily disabled the vulnerable upload feature. There is currently no publicly available information regarding a patch for CVE-2025-25181.