XE Group Activity Detection: From Credit Card Skimming to Exploiting CVE-2024-57968 and CVE-2025-25181 VeraCore Zero-Day Vulnerabilities – SOC Prime

Recent findings suggest that the XE Group, a Vietnam-linked hacking collective, has exploited zero-day vulnerabilities in VeraCore (CVE-2024-57968 and CVE-2025-25181) to deploy reverse shells and maintain stealthy access to targeted systems. This represents an evolution in their tactics, which previously focused on credit card data theft and supply chain attacks. Organizations are urged to leverage solutions such as SOC Prime Platform to enhance their defenses. Affected: VeraCore, Cybersecurity sector

Key points:

  • XE Group has been active for over a decade, focusing on cyber threats.
  • The group exploited VeraCore zero-day vulnerabilities CVE-2024-57968 and CVE-2025-25181.
  • They deployed both reverse shells and web shells for unauthorized access.
  • Threat actors have increasingly utilized new exploits since early 2025.
  • SOC Prime Platform offers Sigma rules for detection of XE Group attacks.
  • CVE-2024-57968, with a CVSS score of 9.9, allows file uploads to unintended directories.
  • CVE-2025-25181, with a CVSS score of 5.8, enables SQL injection attacks.
  • XE Group’s tactics have evolved to include long-term persistence in breached systems.
  • Organizations are encouraged to proactively defend against such evolving threats.

MITRE Techniques:

  • T1210 – Exploitation of Remote Services: Used to exploit VeraCore zero-day vulnerabilities for unauthorized access.
  • T1190 – Exploit Public-Facing Application: Targeted VeraCore applications to deploy web shells.
  • T1071 – Application Layer Protocol: Utilized for command and control operations via web shells.
  • T1505 – Server Software Component: Malicious web shells deployed on the server for persistence.
  • T1193 – Spear Phishing: Initially involved in compromise through supply chain attacks targeting credential theft.

CVE:

  • [Vulnerability] CVE-2024-57968
  • [Vulnerability] CVE-2025-25181

Full Story: https://socprime.com/blog/detect-xe-group-attacks/