CVE-2024-57968 — Advantive VeraCore Unrestricted File Upload Vulnerability

CVE-2024-57968

Advantive VeraCore WMS — XE Group Zero-Day; ASPX Webshell Upload to Web-Accessible Path; US Manufacturing Supply Chain

What is Advantive VeraCore?

Advantive VeraCore is a Warehouse Management System (WMS) used by fulfillment houses, distribution centers, and manufacturing operations to track inventory, manage warehouse operations, and process orders. It is common in e-commerce fulfillment, specialty retail distribution, and supply chain logistics operations. VeraCore's web interface allows operational staff and sometimes external partners to interact with the warehouse management system. Because WMS platforms integrate with ERP, e-commerce, and shipping systems, their compromise can expose sensitive business data and enable supply chain disruption.

Overview

CVE-2024-57968 is an unrestricted file upload vulnerability (CWE-434) in Advantive VeraCore's upload.aspx endpoint that allows an authenticated attacker with low-level user privileges to upload arbitrary files — including ASPX webshells — to web-accessible directories on the IIS server. The Changed scope (S:C) in the CVSS 9.9 score reflects that the uploaded webshell grants OS-level access beyond the web application boundary. XE Group, a Vietnamese-origin cybercriminal threat actor, exploited this as a zero-day against US manufacturing and distribution companies, chaining it with a companion SQL injection (CVE-2025-25181) for full unauthenticated access.

Affected Versions

Product | Vulnerable | Fixed
Advantive VeraCore | < 2024.4.2.1 | 2024.4.2.1

Technical Details

The unrestricted file upload (CWE-434) is in VeraCore's upload.aspx endpoint. An authenticated user can upload files without restriction on file type or content. By uploading an ASPX file containing webshell code to a web-accessible directory, the attacker creates a persistent backdoor that executes in the context of the IIS application pool when accessed via HTTP.

XE Group's two-CVE attack chain:

  1. CVE-2025-25181 (SQL injection): XE Group used SQL injection to enumerate VeraCore users and dump credentials, obtaining a low-privilege authenticated account
  2. CVE-2024-57968 (this CVE): Used the authenticated account to upload an ASPX webshell via upload.aspx to a web-accessible path

The result is persistent, authenticated OS-level access to the VeraCore server and its connected systems.

Webshell persistence: XE Group maintained persistence by uploading webshells to multiple directories and using legitimate VeraCore API endpoints to re-establish access if webshells were discovered and removed.

Discovery

Intezer researchers documented XE Group's exploitation campaign targeting US manufacturing and distribution companies. XE Group (active since 2010) originally focused on credit card skimming before pivoting to supply chain and warehouse software exploitation.

Exploitation Context

XE Group exploited CVE-2024-57968 as a zero-day against US manufacturing and distribution sector organizations. Post-exploitation objectives include data theft and supply chain intelligence. The targeting of WMS platforms reflects XE Group's strategic interest in supply chain visibility — compromising fulfillment and warehouse systems provides insight into product movements, customer orders, and business relationships.

CISA added both VeraCore CVEs (CVE-2024-57968 and CVE-2025-25181) to the KEV catalog simultaneously on March 10, 2025.

Remediation

  1. Upgrade to VeraCore 2024.4.2.1 or later. The CISA deadline was March 31, 2025.
  2. Audit upload.aspx and file upload directories for unexpected ASPX files that could be webshells — particularly files uploaded between December 2024 and March 2025.
  3. Restrict file upload functionality via WAF rules to block upload of executable file types (.aspx, .asp, .php, .exe) even if the application patch cannot be applied immediately.
  4. Apply the companion patch for CVE-2025-25181 (SQL injection) — the two CVEs form XE Group's full attack chain.
  5. Review VeraCore user accounts for unexpected accounts or accounts with upload access that don't correspond to legitimate users.
  6. Monitor web access logs for requests to unexpected ASPX files in web-accessible upload directories.
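
Steps 2 and 6 can be checked against IIS W3C logs. The following Python script is an added example, not code from Advantive, Intezer, or CISA; the /uploads/ prefix, the field set, and the sample log lines are assumptions constructed for illustration.

```python
import posixpath
from urllib.parse import unquote

EXECUTABLE_EXT = {".aspx", ".asp", ".ashx", ".asmx", ".php", ".exe"}
# Assumption: URL prefixes of the upload directories; replace with the site's own.
UPLOAD_PREFIXES = ("/uploads/",)

# Constructed sample in IIS W3C extended format (documentation IP ranges).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status
2025-01-15 03:12:01 POST /upload.aspx - jdoe 203.0.113.7 200
2025-01-15 03:12:09 GET /uploads/Logo.ASPX - - 203.0.113.7 200
2025-01-15 03:12:30 GET /uploads/%2e%2e/uploads/a.aspx/info - - 203.0.113.7 200
2025-01-15 08:00:00 GET /uploads/packing-slip.pdf - jdoe 198.51.100.20 200
2025-01-15 08:01:00 GET /uploads/gone.aspx - - 198.51.100.99 404
""".splitlines()

def parse_w3c(lines):
    """Yield one dict per request, using the most recent #Fields header."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split(" ")
            if len(values) == len(fields):
                yield dict(zip(fields, values))

def normalise(stem):
    """Decode, lowercase and collapse ../ so path tricks cannot hide the prefix."""
    path = unquote(stem).replace("\\", "/").lower()
    return posixpath.normpath(path) + ("/" if path.endswith("/") else "")

def is_executable(path):
    # Check every segment (ASP.NET runs x.aspx for /x.aspx/extra); drop trailing dots/spaces.
    return any(posixpath.splitext(seg.rstrip(". "))[1] in EXECUTABLE_EXT
               for seg in path.split("/"))

def find_suspect_requests(lines, prefixes=UPLOAD_PREFIXES):
    """Return (uploads, hits): upload.aspx POSTs, and non-404 executable requests under prefixes."""
    uploads, hits = [], []
    for rec in parse_w3c(lines):
        path = normalise(rec["cs-uri-stem"])
        if rec["cs-method"] == "POST" and posixpath.basename(path) == "upload.aspx":
            uploads.append(rec)
        elif path.startswith(prefixes) and is_executable(path) and rec["sc-status"] != "404":
            hits.append(rec)
    return uploads, hits
```

Correlating the c-ip and cs-username of each hit with the preceding upload.aspx POSTs ties a suspect file to the account that uploaded it, which feeds the account review in step 5.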

Key Details

Property | Value
CVE ID | CVE-2024-57968
Vendor / Product | Advantive — VeraCore
NVD Published | 2025-02-03
NVD Last Modified | 2025-11-04
CVSS 3.1 Score | 9.9
CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Severity | CRITICAL
CWE | CWE-434
CISA KEV Added | 2025-03-10
CISA KEV Deadline | 2025-03-31
Known Ransomware Use | No

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2025-03-31. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date | Event
2024-12-01 | XE Group begins exploiting CVE-2024-57968 as a zero-day (estimated)
2025-02-03 | CVE published; Advantive releases VeraCore 2024.4.2.1 with fix
2025-03-10 | CISA adds to KEV (alongside companion CVE-2025-25181)
2025-03-31 | CISA BOD 22-01 remediation deadline