Threat actors have been observed exploiting multiple security flaws in various software products, including Progress Telerik UI for ASP.NET AJAX and Advantive VeraCore, to drop reverse shells and web shells and to maintain persistent remote access to compromised systems.
The zero-day exploitation of the VeraCore flaws has been attributed to a threat actor known as XE Group, a cybercrime group likely of Vietnamese origin that is known to have been active since 2010.
“XE Group has transitioned from credit card skimming to targeted information theft, marking a significant shift in their operational priorities,” cybersecurity firm Intezer noted in a report published in collaboration with Solis Security.
“Their attacks now target supply chains in the manufacturing and distribution sectors, leveraging new vulnerabilities and advanced tactics.”
The vulnerabilities in question are listed below -
- CVE-2024-57968 (CVSS score: 9.9) - An unrestricted upload of file with dangerous type vulnerability that allows remote authenticated users to upload files to unintended folders (fixed in VeraCore version 2024.2.1)
- CVE-2025-25181 (CVSS score: 5.8) - An SQL injection vulnerability that allows remote attackers to execute arbitrary SQL commands (no patch available)
The findings from Intezer and Solis Security show that the flaws are being weaponized to deploy ASPXSpy web shells for unauthorized access to infected systems, in one case exploiting CVE-2025-25181 as far back as early 2020. The exploitation activity was detected in November 2024.
The web shells come fitted with features to enumerate the file system, exfiltrate files, and compress them via tools such as 7z. The access has also been abused to drop a Meterpreter payload that attempts to connect to an actor-controlled server (“222.253.102[.]94:7979”) via the Windows socket.
The updated web shell also includes a number of features to facilitate network scanning, command execution, and running SQL queries to obtain critical information or modify existing data.
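The behaviours described above (an IIS worker spawning cmd.exe or 7z, an outbound connection to the quoted actor-controlled address, and an .aspx file appearing under an upload directory) are all observable from ordinary host and web-server telemetry. The following is an added example, not code from the Intezer/Solis report or from VeraCore: a small Python triage script that runs three such checks over constructed sample events. Only the IP/port pair comes from the report; the event format, the process names treated as suspicious, and the assumption that the application never serves .aspx pages from its upload directories are the example's own.

```python
"""Added example (not from the Intezer/Solis report or from VeraCore):
flag host and web-server events consistent with the web-shell activity
described above. All sample events below are constructed; only the
actor-controlled IP:port is taken from the report."""
import re
from dataclasses import dataclass

# Actor-controlled server quoted in the report (defanged there as 222.253.102[.]94:7979).
KNOWN_C2 = {("222.253.102.94", 7979)}

# Children an IIS worker process (w3wp.exe) should not be spawning on an
# application server. Assumption: no legitimate automation runs under the app pool.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "7z.exe", "7za.exe"}

# Assumption: the application never serves .aspx pages from its upload directories.
UPLOAD_ASPX = re.compile(r"^/uploads?/.*\.aspx$", re.IGNORECASE)

# Constructed sample telemetry, one event per line: kind|field|field|field
#   proc|<parent image>|<child image>|<command line>
#   net |<process image>|<destination ip>|<destination port>
#   http|<method>|<request path>|<status>
SAMPLE_EVENTS = """\
proc|w3wp.exe|cmd.exe|cmd.exe /c whoami
proc|w3wp.exe|7z.exe|7z.exe a C:\\inetpub\\tmp\\out.7z C:\\data\\orders
proc|explorer.exe|notepad.exe|notepad.exe notes.txt
net|w3wp.exe|222.253.102.94|7979
net|chrome.exe|142.250.74.46|443
http|POST|/Upload/files/page.aspx|200
http|GET|/Home/Index|200
http|POST|/api/orders|200
"""


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


def check_process(parent, child, cmdline):
    """Web worker spawning a shell or an archiver (enumeration / staging for exfiltration)."""
    if parent.lower() == "w3wp.exe" and child.lower() in SUSPICIOUS_CHILDREN:
        return Finding("web-worker-spawn", f"{parent} -> {child}: {cmdline}")
    return None


def check_network(proc, dst_ip, dst_port):
    """Outbound connection to the known actor-controlled server (Meterpreter callback)."""
    if (dst_ip, int(dst_port)) in KNOWN_C2:
        return Finding("known-c2", f"{proc} -> {dst_ip}:{dst_port}")
    return None


def check_http(method, path, status):
    """Successful request to an .aspx page living under an upload directory."""
    if UPLOAD_ASPX.match(path) and status == "200":
        return Finding("aspx-in-upload-dir", f"{method} {path}")
    return None


def scan(events: str):
    """Run every check over the event stream and return the findings in order."""
    checks = {"proc": check_process, "net": check_network, "http": check_http}
    findings = []
    for line in events.splitlines():
        kind, *fields = line.split("|")
        check = checks.get(kind)
        finding = check(*fields) if check else None
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.detail}")
```

Run stand-alone, the script reports the two w3wp.exe child processes, the connection to the quoted server, and the .aspx page under /Upload, and stays silent on the three benign events. In a real deployment the three checks would be fed from Sysmon event IDs 1 and 3 (or equivalent EDR telemetry) and the IIS W3C logs; the indicator set and the upload-path pattern are what an operator would tune per application.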
While prior attacks mounted by XE Group have weaponized known vulnerabilities, namely flaws in Telerik UI for ASP.NET (CVE-2017-9248 and CVE-2019-18935).
“Their ability to maintain persistent access to systems, as seen with the reactivation of a web shell years after initial deployment, highlights the group's commitment to long-term objectives,” researchers Nicole Fishbein, Joakim Kennedy, and Justin Lentz said.
“By targeting supply chains in the manufacturing and distribution sectors, XE Group not only maximizes the impact of its operations but also demonstrates an acute understanding of systemic vulnerabilities.”
CVE-2019-18935, which U.K. and other government agencies named in 2021 as one of the most exploited vulnerabilities, has also been subjected to active exploitation recently, as recently as last month, to download a reverse shell and execute follow-on reconnaissance commands via cmd.exe.
“While the vulnerability in Telerik UI for ASP.NET AJAX …” the report notes. “This highlights the importance of patching systems, especially those exposed to the internet.”
CISA Adds 5 Flaws to KEV Catalog
The development comes as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added five security flaws to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.
- CVE-2025-0411 (CVSS score: 7.0) - 7-Zip Mark of the Web Bypass Vulnerability
- CVE-2022-23748 (CVSS score: 7.8) - Dante Discovery Process Control Vulnerability
- CVE-2024-21413 (CVSS score: 9.8) - Microsoft Outlook Improper Input Validation Vulnerability
- CVE-2020-29574 (CVSS score: 9.8) - CyberoamOS (CROS) SQL Injection Vulnerability
- CVE-2020-15069 (CVSS score: 9.8) - Sophos XG Firewall Buffer Overflow Vulnerability
Last week, Trend Micro revealed that Russian cybercrime groups have exploited CVE-2025-0411 to distribute malware in spear-phishing campaigns targeting Ukrainian entities.
The exploitation of CVE-2020-29574 and CVE-2020-15069, on the other hand, has been linked to a Chinese espionage campaign that Sophos tracks under the name Pacific Rim.
There are currently no reports of how CVE-2024-21413, also tracked as MonikerLink by Check Point, is being exploited in the wild. As for CVE-2022-23748, a cybersecurity company disclosed in late 2022 that it had observed a threat actor exploiting the DLL side-loading vulnerability in Audinate Dante Discovery (“mDNSResponder.exe”).
Federal Civilian Executive Branch (FCEB) agencies have been instructed to apply the necessary updates by February 27, 2025, as part of Binding Operational Directive (BOD) 22-01, to protect against active threats.