A Vietnamese cybercrime organization known as XE Group has been discovered exploiting previously unknown security flaws in the VeraCore software platform to maintain long-term unauthorized access to compromised systems.
According to a joint report by cybersecurity firms Intezer and Solis Security, XE Group has shifted their focus from credit card theft to targeted supply chain attacks in manufacturing and distribution sectors.
The hackers leveraged two major vulnerabilities in VeraCore:
- A critical file upload flaw (CVE-2024-57968) allowing authenticated users to upload malicious files
- An SQL injection vulnerability (CVE-2025-25181) enabling arbitrary database commands
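The two flaw classes named above are generic enough to illustrate without any knowledge of VeraCore's code. The following is an added example, written for this summary and not taken from the Intezer/Solis report or from VeraCore: a string-built query beside its parameterised form, and an upload gate that allowlists extensions and checks leading magic bytes rather than trusting the filename. The table, sample rows and filenames are constructed for the demo.

```python
import sqlite3

# Constructed demo database standing in for an application's order store.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT, total REAL)"
    )
    conn.executemany(
        "INSERT INTO orders (customer, total) VALUES (?, ?)",
        [("acme", 120.0), ("globex", 75.5), ("initech", 300.0)],
    )
    conn.commit()
    return conn


def find_orders_unsafe(conn, customer):
    # Vulnerable shape: user input is spliced into the SQL text, so a value such as
    # "' OR '1'='1" rewrites the WHERE clause instead of being matched literally.
    sql = f"SELECT id, customer, total FROM orders WHERE customer = '{customer}'"
    return conn.execute(sql).fetchall()


def find_orders_safe(conn, customer):
    # Hardened shape: the driver binds the value separately from the statement,
    # so the same payload is compared as a plain string and matches nothing.
    sql = "SELECT id, customer, total FROM orders WHERE customer = ?"
    return conn.execute(sql, (customer,)).fetchall()


# Upload gate: allowlisted extensions paired with the magic bytes each must start with.
# The set is hypothetical; a real deployment allowlists the document types it needs.
ALLOWED_MAGIC = {
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
}


def validate_upload(filename, content):
    """Return True only for a bare filename with exactly one allowlisted extension
    whose content starts with the bytes expected for that type."""
    # Reject path separators and NUL so the name cannot escape the upload directory.
    if any(ch in filename for ch in "/\\\x00"):
        return False
    parts = filename.split(".")
    # Exactly one dot: blocks extensionless names, hidden files and double
    # extensions such as report.pdf.aspx that server-side handlers may execute.
    if len(parts) != 2 or not parts[0]:
        return False
    ext = "." + parts[1].lower()
    if ext not in ALLOWED_MAGIC:
        return False
    # Content must match the declared type; a script renamed to .pdf fails here.
    return content.startswith(ALLOWED_MAGIC[ext])


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("unsafe rows:", len(find_orders_unsafe(db, payload)))  # all rows leak
    print("safe rows:  ", len(find_orders_safe(db, payload)))    # nothing matches
    print(validate_upload("invoice.pdf", b"%PDF-1.7\n"))         # accepted
    print(validate_upload("page.aspx", b"<%@ Page %>"))           # rejected
```

The upload check is deliberately strict: it rejects any name with more than one dot, which is simpler to reason about than trying to enumerate every executable extension a web server might honour.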
The group deployed sophisticated web shells with capabilities to:
- Navigate through file systems
- Extract and compress sensitive data
- Execute system commands
- Perform network scanning
- Run malicious SQL queries
Researchers discovered that XE Group had been exploiting these vulnerabilities since early 2020, demonstrating their ability to maintain persistent access over extended periods. The attacks also involved deploying Meterpreter payloads to establish connections with attacker-controlled servers.
This marks the first time XE Group has been linked to zero-day exploitation, indicating an evolution in their technical capabilities since their emergence in 2010. The group has previously targeted known vulnerabilities in other platforms like Progress Telerik UI.
"Their targeting of supply chains shows a deep understanding of systemic vulnerabilities," noted researchers Nicole Fishbein, Joakim Kennedy, and Justin Lentz in their analysis.
While a patch is available for the file upload vulnerability in VeraCore version 2024.4.2.1, the SQL injection flaw remains unpatched at the time of reporting.