XE Hacker Group Exploits VeraCore 0-Day to Deploy Malware and Steal Credit Card Data

A sophisticated cybercriminal group known as XE Group has been exploiting zero-day vulnerabilities in VeraCore software to deploy malware and steal sensitive data, including credit card information.

The vulnerabilities, identified as CVE-2024-57968 (Upload Validation Vulnerability) and CVE-2025-25181 (SQL Injection), have been exploited since at least 2020, according to researchers from Intezer and Solis Security.

Exploitation Details

XE Group, active since 2013, has a history of targeting supply chains and web-facing applications.

Their latest campaign involves leveraging the VeraCore vulnerabilities to infiltrate companies in the manufacturing and distribution sectors.

The attackers initially gained access through an SQL injection vulnerability (CVE-2025-25181), retrieving valid credentials.

These credentials were then used to exploit the upload validation flaw (CVE-2024-57968), enabling the deployment of malicious webshells.

In one instance, XE Group maintained undetected access to a compromised endpoint for over four years.

Reactivating a previously deployed webshell in 2024, they exfiltrated sensitive configuration files, accessed remote systems, and attempted to execute a Remote Access Trojan (RAT) via obfuscated PowerShell commands.

Evolution of Tactics

Initially focused on credit card skimming and password theft, XE Group has shifted toward exploiting zero-day vulnerabilities for broader data theft.

Their use of customized ASPXSpy webshells allows unauthorized server access, with obfuscation techniques disguising malicious executables as image files.

These webshells enable file system exploration, network reconnaissance, and database manipulation.
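As an added illustration, not code from the report, Intezer, Solis Security, or VeraCore, the kind of server-side upload validation that would stop a webshell disguised as an image file of the sort described above: an extension allowlist, a magic-byte check against that extension, and a scan for ASP.NET script markers inside the file body. The function names and the sample uploads are constructed for the example.

```python
import re

# Magic-byte prefixes for the image types this hypothetical upload endpoint allows.
IMAGE_MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

# Server-side script markers that never belong inside a legitimate image upload.
SCRIPT_MARKERS = re.compile(
    rb"<%@\s*Page|<script\s+runat\s*=\s*[\"']?server|<%\s*[^@]|Request\.(Item|Form|QueryString)",
    re.IGNORECASE,
)

def classify_upload(filename: str, data: bytes) -> str:
    """Return 'ok' or the reason the upload should be rejected and quarantined."""
    name = filename.lower()
    # Double extensions ("shell.aspx.jpg") and path/NUL tricks are rejected outright.
    if name.count(".") != 1 or any(ch in name for ch in ";%\x00/\\"):
        return "suspicious filename"
    ext = name[name.rfind("."):]
    if ext not in IMAGE_MAGIC:
        return "extension not allowed"
    if not data.startswith(IMAGE_MAGIC[ext]):  # tuple prefix handles GIF87a/GIF89a
        return "magic bytes do not match extension"
    # A valid image header followed by ASPX code is the polyglot case; scan the body too.
    if SCRIPT_MARKERS.search(data):
        return "server-side script markers inside image"
    return "ok"

# Constructed sample uploads (not indicators from the report).
SAMPLE_UPLOADS = {
    "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
    "logo.jpg": b"<%@ Page Language=\"C#\" %><script runat=\"server\">x</script>",
    "banner.gif": b"GIF89a" + b"\x00" * 16 + b"<% Response.Write(Request.Item[\"c\"]); %>",
    "shell.aspx.jpg": b"\xff\xd8\xff" + b"\x00" * 8,
    "cmd.aspx": b"<%@ Page %>",
}

def scan_uploads(uploads: dict) -> dict:
    """Classify every upload so the results can be logged or alerted on."""
    return {name: classify_upload(name, data) for name, data in uploads.items()}
```

The same checks can be run as a periodic scan over an existing upload directory, which is how a webshell that slipped through years earlier would surface.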

The group’s adaptability is evident in their ability to enhance their tools over time.

For example, their newer webshell variants support advanced SQL queries and automated data exfiltration processes.

Notably, XE Group’s infrastructure includes domains such as xegroups[.]com for command-and-control operations.

The exploitation of VeraCore vulnerabilities underscores the risks posed by unpatched software in critical industries.

Although VeraCore’s developer temporarily disabled the vulnerable upload feature in November 2024, no patch has been issued for CVE-2025-25181 as of the Intezer report.

Organizations using VeraCore are advised to implement robust security measures, including regular vulnerability assessments and monitoring for indicators of compromise.

XE Group’s persistence and technical sophistication highlight the need for proactive cybersecurity strategies.

Their ability to exploit unknown vulnerabilities and maintain long-term access to compromised systems represents a significant threat to global supply chains and sensitive data security.

Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
