CVE-2024-57968 Overview
CVE-2024-57968 is an unrestricted file upload vulnerability affecting Advantive VeraCore versions before 2024.4.2.1. The flaw allows remote authenticated users to upload files to unintended folders through upload.aspx, including directories accessible to other users during web browsing. CISA added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog after the XE Group threat actor leveraged it in active intrusions. The vulnerability is classified under [CWE-434] Unrestricted Upload of File with Dangerous Type and impacts the confidentiality, integrity, and availability of affected systems.
Critical Impact
Authenticated attackers can place arbitrary files into web-accessible directories, enabling webshell deployment and follow-on remote code execution on VeraCore servers.
Affected Products
- Advantive VeraCore versions prior to 2024.4.2.1
- VeraCore deployments exposing the upload.aspx endpoint
- Order management and warehouse management environments running vulnerable VeraCore builds
Discovery Timeline
- 2025-02-03 - CVE-2024-57968 published to the National Vulnerability Database
- 2025-11-04 - Last updated in the NVD database
- Reported as exploited in the wild by the XE Group threat actor per Intezer research and Solis Security analysis
- Listed in the CISA Known Exploited Vulnerabilities catalog
Technical Details for CVE-2024-57968
Vulnerability Analysis
VeraCore's upload.aspx handler fails to constrain the destination path supplied during file upload operations. Authenticated users can direct uploads outside the intended storage location and into web-accessible folders served by Microsoft Internet Information Services (IIS). When attackers upload server-executable content such as ASPX webshells, the IIS worker process executes the file on subsequent HTTP requests. This converts an authenticated upload primitive into remote code execution under the application pool identity. The XE Group threat actor combined this flaw with an SQL injection vulnerability in VeraCore to gain initial access and persist on victim networks, according to public research.
Root Cause
The root cause is missing validation of the upload destination path and insufficient checks on uploaded file types. The application accepts user-controlled directory parameters without enforcing an allowlist of safe storage locations. It also fails to block server-executable extensions such as .aspx, .ashx, and .asp. These omissions align with [CWE-434], Unrestricted Upload of File with Dangerous Type.
Attack Vector
Exploitation requires valid VeraCore credentials but no user interaction beyond the attacker's session. The attacker authenticates to the application, issues a crafted POST request to upload.aspx, and specifies a target path inside the web root. The attacker then requests the uploaded file over HTTP to trigger code execution. The vulnerability mechanism is documented further in the Advantive Release Notes for 2024.4.2.1.
Detection Methods for CVE-2024-57968
Indicators of Compromise
- Unexpected .aspx, .ashx, or .asp files appearing under VeraCore web directories or static asset folders
- POST requests to upload.aspx followed by GET requests to newly created files in atypical paths
- Child processes such as cmd.exe, powershell.exe, or w3wp.exe spawning under the VeraCore application pool identity
- Network egress from the VeraCore host to infrastructure attributed to the XE Group in Intezer's research
Detection Strategies
- Inspect IIS logs for POST requests to upload.aspx containing directory traversal sequences or paths outside the intended upload folder
- Hunt for ASPX files created in VeraCore web roots with modification timestamps that do not match deployment events
- Correlate authenticated VeraCore sessions with file creation events and subsequent HTTP GETs to those files
- Baseline expected child processes of w3wp.exe and alert on shell or scripting interpreter launches
Monitoring Recommendations
- Enable file integrity monitoring on VeraCore web directories and alert on creation of executable content
- Forward IIS, Windows process, and EDR telemetry to a centralized analytics platform for correlation
- Monitor authentication logs for anomalous VeraCore logins, including new source IPs and off-hours access
- Track outbound connections from VeraCore servers and alert on traffic to unrecognized hosts
How to Mitigate CVE-2024-57968
Immediate Actions Required
- Upgrade Advantive VeraCore to version 2024.4.2.1 or later as published in the vendor release notes
- Audit VeraCore web directories for unauthorized .aspx or script files and remove confirmed webshells
- Rotate credentials for all VeraCore accounts, especially privileged and service accounts
- Review IIS and application logs covering the period before patching for signs of exploitation
Patch Information
Advantive addressed CVE-2024-57968 in VeraCore release 2024.4.2.1. Patch details are available in the Advantive VeraCore Release Notes 2024-4-2-1. Federal civilian agencies are required to remediate this vulnerability under the CISA KEV directive.
Workarounds
- Restrict network access to VeraCore management interfaces using firewall rules and VPN-only access
- Configure IIS request filtering to block execution of script extensions inside upload directories
- Apply least-privilege permissions to the VeraCore application pool identity to limit post-exploitation impact
- Disable or tightly scope VeraCore accounts that do not require upload functionality
# IIS request filtering example to deny script execution in upload paths
appcmd set config "Default Web Site/VeraCore/Uploads" /section:handlers /accessPolicy:Read
appcmd set config "Default Web Site/VeraCore/Uploads" -section:system.webServer/security/requestFiltering /fileExtensions.[fileExtension='.aspx'].allowed:false /commit:apphost
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
