CVE-2025-25181 — Advantive VeraCore SQL Injection Vulnerability

CVE-2025-25181

Advantive VeraCore — Unauthenticated SQL Injection in timeoutWarning.asp

What is Advantive VeraCore?

Advantive VeraCore is a cloud-based warehouse management system (WMS) and order fulfillment platform used by third-party logistics (3PL) providers, e-commerce fulfillment companies, and distribution centers. VeraCore manages the full order lifecycle: inventory tracking, pick-and-pack workflows, shipping coordination, and customer order status. Its customer base is concentrated in the North American supply chain and fulfillment sector, making it a target for threat actors seeking access to shipping data, customer personally identifiable information (PII), and operational logistics intelligence.

Overview

CVE-2025-25181 is an unauthenticated SQL injection vulnerability in VeraCore's web interface — specifically in timeoutWarning.asp via the PmSess1 session parameter — that allows remote attackers to execute arbitrary SQL commands against the underlying database. It was exploited by XE Group, a Vietnamese cybercriminal threat actor, in targeted campaigns against U.S. manufacturing and distribution companies. The flaw was used in conjunction with CVE-2024-57968 (an unrestricted file upload vulnerability in the same product) to establish persistent web shell access and exfiltrate business-critical data. It is fixed in VeraCore 2025.1.1.3.

Affected Versions

Product              Vulnerable     Fixed
Advantive VeraCore   < 2025.1.1.3   2025.1.1.3

Technical Details

CWE-89 (SQL Injection). The timeoutWarning.asp page incorporates the PmSess1 session parameter into a SQL query without adequate sanitization. An unauthenticated attacker can craft a malicious PmSess1 value containing SQL syntax and submit it in a request to the endpoint, causing the database to execute arbitrary commands.

The CVSS vector (AV:N/AC:L/PR:N/UI:N/S:C) reflects:

  • Unauthenticated — no credentials required
  • Low complexity — straightforward parameter injection
  • Scope: Changed — the database query context crosses a trust boundary (web application to database server)

Depending on database server configuration, successful exploitation can enable reading arbitrary database tables (customer PII, order records, internal credentials), and potentially writing files or executing OS-level commands via database features such as xp_cmdshell on Microsoft SQL Server backends.

Discovery

Vulnerabilities in VeraCore were identified through security research and reported to Advantive. CVE-2025-25181 and the related CVE-2024-57968 (unrestricted file upload) were both disclosed in early 2025 as part of coordinated responsible disclosure.

Exploitation Context

XE Group is a Vietnamese-origin threat actor active since at least 2010, historically associated with payment card skimming and phishing operations targeting retail and financial sectors. In 2024–2025, researchers at Intezer and Sygnia documented XE Group pivoting to supply chain targeting, exploiting both CVE-2024-57968 and CVE-2025-25181 in VeraCore against U.S. manufacturing, distribution, and fulfillment companies.

The group's exploitation pattern involved deploying web shells via the file upload vulnerability for persistent access, then using the SQL injection to enumerate and exfiltrate database contents including customer data, order histories, and internal operational files. The targeting of logistics and fulfillment providers fits a pattern where shipping manifests, customer PII, and inventory data hold commercial value or enable follow-on fraud.

Remediation

  1. Upgrade to VeraCore 2025.1.1.3, which patches both CVE-2025-25181 and the related CVE-2024-57968.
  2. If immediate patching is not possible, deploy a web application firewall (WAF) rule to block SQL metacharacters and injection patterns in timeoutWarning.asp parameters as a temporary compensating control.
  3. Audit database account privileges: the VeraCore application database account should have minimum necessary permissions. Disable xp_cmdshell and similar high-risk database features if not required.
  4. Review web server and database access logs for anomalous requests to timeoutWarning.asp with unusual or malformed PmSess1 parameter values.
  5. If VeraCore has been internet-accessible and unpatched, conduct a forensic review for web shells, unauthorized accounts, scheduled tasks, and evidence of data exfiltration.
  6. Restrict VeraCore administrative interfaces to trusted IP ranges or VPN-only access; internet exposure of the application should be minimized.
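
An added example for the log review in step 4 (not part of the original advisory and not vendor code): a triage script that pulls requests to timeoutWarning.asp out of IIS W3C logs and flags PmSess1 values that carry SQL syntax or do not look like a session token. The log field order, the request path, the expected token format, and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# Assumed IIS W3C field order, used only if the log has no "#Fields:" header.
DEFAULT_FIELDS = ("date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
                  "cs-username c-ip cs(User-Agent) sc-status").split()
# Assumption: a normal PmSess1 value is a short alphanumeric token.
# Tune this to the values a known-good session on your instance produces.
EXPECTED = re.compile(r"[A-Za-z0-9_-]{1,64}")
# SQL metacharacters and keywords that have no place in a session identifier.
SQL_HINTS = re.compile(
    r"'|;|--|/\*|\b(select|union|exec|execute|declare|waitfor|xp_cmdshell)\b", re.I)

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-01-10 08:01:02 192.0.2.10 GET /timeoutWarning.asp PmSess1=A1B2C3D4 443 - 198.51.100.7 Mozilla/5.0 200
2025-01-10 08:03:44 192.0.2.10 GET /timeoutWarning.asp pmsess1=1%27%3B-- 443 - 203.0.113.50 curl/8.0 500
2025-01-10 08:03:59 192.0.2.10 GET /timeoutWarning.asp PmSess1=abc%2527 443 - 203.0.113.50 curl/8.0 200
2025-01-10 08:05:00 192.0.2.10 GET /default.asp - 443 - 198.51.100.7 Mozilla/5.0 200
"""

def triage(log_text):
    """Return (timestamp, client_ip, status, reason, decoded_value) per suspicious hit."""
    fields, findings = DEFAULT_FIELDS, []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        if not line or line.startswith("#"):
            continue
        row = dict(zip(fields, line.split()))
        if not row.get("cs-uri-stem", "").lower().endswith("timeoutwarning.asp"):
            continue
        # Classic ASP treats parameter names case-insensitively, so normalise them.
        params = {k.lower(): v for k, v in
                  parse_qs(row.get("cs-uri-query", ""), keep_blank_values=True).items()}
        for raw in params.get("pmsess1", []):
            value = unquote_plus(raw)  # second decode catches double-encoded input
            if SQL_HINTS.search(value):
                reason = "sql-syntax"
            elif not EXPECTED.fullmatch(value):
                reason = "unexpected-format"
            else:
                continue
            findings.append((f"{row.get('date', '-')} {row.get('time', '-')}",
                             row.get("c-ip", "-"), row.get("sc-status", "-"), reason, value))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding, sep="  ")
```

IIS does not log request bodies, so this only sees PmSess1 values sent in the query string; correlate with WAF or database audit logs for anything submitted by POST.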

Key Details

Property               Value
CVE ID                 CVE-2025-25181
Vendor / Product       Advantive — VeraCore
NVD Published          2025-02-03
NVD Last Modified      2025-11-05
CVSS 3.1 Score         5.8
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
Severity               MEDIUM
CWE                    CWE-89
CISA KEV Added         2025-03-10
CISA KEV Deadline      2025-03-31
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector          Network
Attack Complexity      Low
Privileges Required    None
User Interaction       None
Scope                  Changed
Confidentiality        Low
Integrity              None
Availability           None

Required Action

CISA BOD 22-01 Deadline: 2025-03-31. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date         Event
2025-02-03   CVE published
2025-03-10   Added to CISA Known Exploited Vulnerabilities catalog
2025-03-31   CISA BOD 22-01 remediation deadline
