
The Cybersecurity and Infrastructure Security Agency (CISA) recently expanded its Known Exploited Vulnerabilities (KEV) Catalog to include five newly identified vulnerabilities in Ivanti Endpoint Manager (EPM) and Advantive VeraCore Order Management platforms. This update signals active exploitation of these vulnerabilities, emphasizing the urgency for organizations to address them through patching and comprehensive security strategies.
Ivanti Endpoint Manager (EPM) Vulnerabilities
1. Vulnerabilities Added
CISA identified and added the following critical vulnerabilities in Ivanti EPM:
- CVE-2024-13159
- CVE-2024-13160
- CVE-2024-13161
These vulnerabilities are classified as absolute path traversal flaws, each carrying a CVSS score of 9.8 (critical severity). Such scores underscore the extensive damage a successful exploit could inflict.
2. Implications
- Path Traversal Exploits: Exploiting these flaws lets an attacker supply file paths that escape the directories Ivanti EPM intends to expose. This may result in unauthorized access to sensitive files and data.
- Credential Leakage: The exposed data often includes critical system credentials. With this information, attackers can escalate privileges and potentially control the entire enterprise network.
- Compromise of System Integrity: Attackers leveraging these vulnerabilities could gain unauthorized insights into the server’s configuration files, allowing for a complete compromise of operations.
3. Affected Systems
- Vulnerable systems include Ivanti Endpoint Manager 2024 and Ivanti Endpoint Manager 2022 SU6, even with the latest updates released in November 2024. This indicates that prior fixes failed to address the exploited vulnerabilities comprehensively.
4. Evidence of Exploitation
Initially, these vulnerabilities were publicly disclosed with no active exploitation reported. However, in January 2025, researchers at Horizon3.ai released a Proof-of-Concept (PoC) exploit demonstrating the vulnerabilities’ severity and ease of abuse. Subsequent activity confirmed real-world exploitation, prompting CISA to include these vulnerabilities in the KEV Catalog as active threats.
Advantive VeraCore Vulnerabilities
1. Vulnerabilities Added
CISA also identified and included two critical vulnerabilities affecting the Advantive VeraCore Order Management platform:
- CVE-2024-57968: An unrestricted file upload vulnerability allowing attackers to upload malicious files, potentially leading to arbitrary code execution.
- CVE-2025-25181: An SQL injection vulnerability, which permits attackers to execute unauthorized SQL queries through the PmSess1 parameter, affecting data integrity and confidentiality.
2. Technical and Operational Risks
- CVE-2024-57968 (Unrestricted File Upload):
  - Attackers can leverage this vulnerability to place malicious executables or scripts in arbitrary directories on the VeraCore platform. If successfully executed, this could enable system-wide compromise, persistent malware installations, or ransomware deployment.
- CVE-2025-25181 (SQL Injection):
  - Through improper validation of user inputs, attackers could manipulate database queries. This flaw is particularly dangerous as it can lead to unauthorized access, data exfiltration, and even full database compromise.
3. Exploitation Attribution
The XE Group, a well-documented Vietnamese threat actor collective, has been linked to the exploitation of these vulnerabilities. Their attacks typically involve deploying web shells, reverse shells, and other malicious scripts to establish long-term persistence on compromised systems. Their focus appears to be directed at operational disruptions and credential harvesting.
Broader Implications of the Vulnerabilities
1. Operational Risks
Organizations relying on Ivanti EPM and Advantive VeraCore face immediate and significant risks:
- System Downtime: Path traversal and file upload exploits can disrupt critical operations, rendering systems unresponsive and causing data corruption.
- Ransomware and Malware Deployments: Both the Ivanti and VeraCore vulnerabilities provide attack vectors for ransomware campaigns, emphasizing the potential for significant financial losses.
- Reputational Damage: Successful exploitation of SQL injections or credential theft could result in data breaches with public and legal ramifications, severely impacting organizational reputation.
2. Compliance and Regulatory Concerns
Under CISA Binding Operational Directive (BOD) 22-01, federal agencies are mandated to remediate vulnerabilities in the KEV Catalog by March 31, 2025. Non-compliance could result in penalties or restrictions on federal operations. Moreover, private sector organizations are strongly encouraged to address these vulnerabilities as part of their commitment to cybersecurity best practices and regulatory standards like GDPR, HIPAA, or PCI DSS.
Recommended Mitigation Strategies
1. Patch and Update Systems
- For Ivanti Endpoint Manager, apply the critical updates released in January 2025 immediately. Patching these vulnerabilities is the most effective mitigation strategy.
- For Advantive VeraCore, update to the latest software version addressing CVE-2024-57968 and CVE-2025-25181. Contact Advantive’s support if necessary to ensure patch application.
2. Network Access Controls
- Restrict access to Ivanti EPM and VeraCore interfaces. Only allow access from trusted IPs, and implement Zero Trust Network Architecture to enhance access controls.
- Use firewall rules or network segmentation to isolate these platforms from critical systems to limit potential lateral movement by attackers.
3. Detection and Monitoring
- Deploy Endpoint Detection and Response (EDR) and Intrusion Prevention Systems (IPS) capable of identifying unusual behaviors related to directory traversal, file uploads, or SQL injection attempts.
- Monitor logs and network traffic for indicators of compromise (IoCs), such as unexplained spikes in server load or unauthorized file executions.
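As an added illustration of the log monitoring described above (example code, not from CISA, Ivanti or Advantive), the following Python scanner URL-decodes request paths from constructed access-log lines and flags the three request classes this advisory covers: relative and absolute path traversal, uploads of server-executable file types, and SQL injection payloads. The log format, client addresses and request values are constructed for the example; the rules are generic patterns a responder can tune, not vendor-published signatures.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not real Ivanti EPM or VeraCore logs).
# Fields: client_ip method request_path status
SAMPLE_LOG = """\
10.0.0.5 GET /index.html 200
10.0.0.7 GET /api/files?path=..%2F..%2Fwindows%2Fwin.ini 200
10.0.0.7 GET /api/files?path=C:%5CWindows%5Cwin.ini 200
10.0.0.9 POST /upload/handler.ashx?name=report.pdf 200
10.0.0.9 POST /upload/handler.ashx?name=cmd.aspx 200
10.0.0.11 GET /login?PmSess1=abc'%20OR%20'1'%3D'1 500
10.0.0.11 GET /login?PmSess1=1;%20WAITFOR%20DELAY%20'0:0:5'-- 200
10.0.0.12 GET /search?q=union+station 200
"""

# Each rule is (name, regex) and is applied to the URL-decoded request path.
RULES = [
    # "../" or "..\" sequences climbing out of the intended directory
    ("relative_path_traversal", re.compile(r"(\.\./|\.\.\\)")),
    # a Windows drive path or POSIX system path supplied where a relative name is expected
    ("absolute_path_traversal", re.compile(r"=(?:[A-Za-z]:[\\/]|/etc/|/var/)")),
    # a client-chosen upload name ending in a server-executable extension
    ("executable_upload", re.compile(
        r"[?&](?:name|file|filename)=[^&]*\.(aspx?|ashx|asmx|php|jsp|exe|dll|ps1)$", re.I)),
    # classic tautology, UNION SELECT, stacked-query or comment-terminator fragments
    ("sql_injection", re.compile(
        r"('\s*(or|and)\s*'|\bunion\b.*\bselect\b|;\s*(waitfor|exec|drop)\b|--\s*$)", re.I)),
]


def scan_log(text):
    """Return one (client_ip, rule_name, decoded_path) tuple per rule hit per line."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of crashing the scan
        ip, _method, raw_path, _status = parts
        path = unquote(raw_path)  # decode once so encoded traversal and quotes are visible
        for name, pattern in RULES:
            if pattern.search(path):
                findings.append((ip, name, path))
    return findings


def summarize(findings):
    """Count hits per client and rule so a responder can see which sources are noisiest."""
    counts = {}
    for ip, name, _path in findings:
        counts.setdefault(ip, {})
        counts[ip][name] = counts[ip].get(name, 0) + 1
    return counts


if __name__ == "__main__":
    for ip, rule, path in scan_log(SAMPLE_LOG):
        print(f"{ip:<10} {rule:<26} {path}")
    print(summarize(scan_log(SAMPLE_LOG)))
```

The scanner decodes the path once before matching; attackers sometimes double-encode, so a production rule set should decode until the string stops changing and should also inspect POST bodies, which access logs usually do not record.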
4. Secure Software Configuration
- Harden vulnerable platforms by disabling unnecessary services and implementing robust input validation mechanisms.
- Conduct regular penetration testing and vulnerability assessments to ensure timely identification of emerging threats.
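To make the "robust input validation" item concrete, here is an added Python example (not code from Ivanti, Advantive or CISA) that pairs each weakness class named in this advisory with a hardened counterpart: absolute path traversal through a naive `os.path.join`, unrestricted file upload, and SQL built by string formatting. `BASE_DIR`, the `sessions` table, the allowed extensions and every sample value are assumptions made for the demonstration, and the path checks use POSIX paths.

```python
import os
import sqlite3
from pathlib import Path

# Assumed sandbox directory the application is allowed to serve files from.
BASE_DIR = Path("/tmp/app_files")


def unsafe_file_path(user_supplied):
    """Vulnerable pattern: joining an attacker-controlled name onto a base directory.
    os.path.join discards BASE_DIR entirely when the second argument is absolute,
    which is the 'absolute path traversal' class described above."""
    return os.path.join(str(BASE_DIR), user_supplied)


def safe_file_path(user_supplied):
    """Hardened: resolve the final path and require it to stay under BASE_DIR.
    Rejects both absolute paths and '../' sequences after normalisation."""
    base = BASE_DIR.resolve()
    candidate = (BASE_DIR / user_supplied).resolve()
    if candidate != base and base not in candidate.parents:
        raise ValueError(f"path escapes base directory: {user_supplied!r}")
    return candidate


# Assumed allow-list of upload types and the magic bytes that identify them.
ALLOWED_EXTENSIONS = {".pdf", ".csv", ".png"}
MAGIC = {".pdf": b"%PDF-", ".png": b"\x89PNG\r\n\x1a\n"}


def validate_upload(filename, content):
    """Hardened upload check: drop any client-supplied directory, allow-list the
    extension, and verify the magic bytes where the type has a known signature.
    Returns the bare filename the server may store."""
    name = Path(filename).name
    ext = Path(name).suffix.lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension not allowed: {ext!r}")
    signature = MAGIC.get(ext)
    if signature and not content.startswith(signature):
        raise ValueError("content does not match the declared file type")
    return name


def make_db():
    """Constructed in-memory session table used to contrast the two lookups."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sessions (token TEXT, username TEXT)")
    conn.executemany("INSERT INTO sessions VALUES (?, ?)",
                     [("abc123", "alice"), ("def456", "bob")])
    return conn


def unsafe_lookup(conn, token):
    """Vulnerable: the session token is formatted straight into the SQL text,
    so quote characters in it change the query's logic."""
    query = f"SELECT username FROM sessions WHERE token = '{token}'"
    return [row[0] for row in conn.execute(query)]


def safe_lookup(conn, token):
    """Hardened: parameterised query; the token can only ever be compared as data."""
    query = "SELECT username FROM sessions WHERE token = ?"
    return [row[0] for row in conn.execute(query, (token,))]


if __name__ == "__main__":
    print(unsafe_file_path("/etc/passwd"))            # base directory silently dropped
    print(safe_file_path("reports/q1.csv"))           # confined path is returned
    print(validate_upload("../x/report.pdf", b"%PDF-1.4"))
    db = make_db()
    print(unsafe_lookup(db, "x' OR '1'='1"))           # returns every user
    print(safe_lookup(db, "x' OR '1'='1"))             # returns nothing
```

Two design points matter beyond the checks themselves: uploaded files should be written outside the web root under a server-generated name so that even a mis-validated file is never reachable as a URL, and the parameterised query is the fix for the injection class, with input filtering as defence in depth rather than the primary control.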
5. Incident Response Preparedness
- Develop and routinely test incident response plans tailored for ransomware, SQL injection, and file upload attacks.
- Educate and train IT and security staff to identify early warning signs of exploitation, such as suspicious file changes or sudden database anomalies.
Conclusion
The inclusion of these vulnerabilities in CISA’s Known Exploited Vulnerabilities Catalog serves as a stark warning about the dangers of unpatched software in today’s threat landscape. Organizations must prioritize the timely application of patches, adopt advanced monitoring solutions, and implement a multi-layered security posture to mitigate risks associated with these exploits. Failure to act could result in significant operational, financial, and reputational damage, particularly given the increasing sophistication of adversaries like the XE Group.