{"cve":{"cve_id":"CVE-2024-57968","is_kev":true,"kev_date_added":"2025-03-10","kev_vendor_project":"Advantive","kev_product":"VeraCore","kev_vulnerability_name":"Advantive VeraCore Unrestricted File Upload Vulnerability","kev_short_description":"Advantive VeraCore contains an unrestricted file upload vulnerability that allows a remote unauthenticated attacker to upload files to unintended folders via upload.apsx.","kev_required_action":"Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.","kev_due_date":"2025-03-31","kev_known_ransomware":false,"kev_notes":"https://advantive.my.site.com/support/s/article/VeraCore-Release-Notes-2024-4-2-1 ; https://nvd.nist.gov/vuln/detail/CVE-2024-57968","kev_cwes":["CWE-434"],"epss_score":0.30338,"epss_percentile":0.97987,"epss_as_of":"2026-06-23","description":"Advantive VeraCore before 2024.4.2.1 allows remote authenticated users to upload files to unintended folders (e.g., ones that are accessible during web browsing by other users). upload.aspx can be used for this.","published_at":"2025-02-03T00:00:00Z","last_modified_at":null,"cvss_v3_score":9.9,"cvss_v3_vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H","cvss_v3_severity":"CRITICAL","cvss_v4_score":null,"cvss_v4_vector":null,"cvss_v4_severity":null,"ssvc_decision":null,"ssvc_exploitation":"active","ssvc_automatable":false,"ssvc_technical_impact":"total","cwes":["CWE-434"],"nvd_references":["https://advantive.my.site.com/support/s/article/VeraCore-Release-Notes-2024-4-2-1","https://intezer.com/blog/research/xe-group-exploiting-zero-days/","https://www.solissecurity.com/en-us/insights/xe-group-from-credit-card-skimming-to-exploiting-zero-days/"],"vuln_status":null,"trending_score":null,"is_trending":false,"has_trended":false,"trended_number_one":false,"trending_peak_score":null,"trending_peak_rank":null,"started_trending_at":null,"trended_number_one_at":null,"summary_generated":null,"summary_generated_at":null,"summary_model":null,"created_at":"2026-06-24T00:09:31.350578Z","updated_at":"2026-06-29T02:18:43.743904Z"},"effective_severity":"CRITICAL","badges":["kev"],"impact_analysis":[],"cvss_v3_decoded":{"version":"3.1","metrics":[{"metric":"AV","name":"Attack Vector","value":"N","value_label":"Network"},{"metric":"AC","name":"Attack Complexity","value":"L","value_label":"Low"},{"metric":"PR","name":"Privileges Required","value":"L","value_label":"Low"},{"metric":"UI","name":"User Interaction","value":"N","value_label":"None"},{"metric":"S","name":"Scope","value":"C","value_label":"Changed"},{"metric":"C","name":"Confidentiality","value":"H","value_label":"High"},{"metric":"I","name":"Integrity","value":"H","value_label":"High"},{"metric":"A","name":"Availability","value":"H","value_label":"High"}]},"cvss_v4_decoded":{"version":null,"metrics":[]},"affected":[{"vendor_slug":"advantive","vendor_name":"Advantive","product_slug":"veracore","product_name":"VeraCore","version_start":"0","version_start_inclusive":true,"version_end":"2024.4.2.1","version_end_inclusive":false,"cpe23_uri":"cve5:advantive:veracore:0:2024.4.2.1"}],"exploit_refs":[],"news":[],"references":[{"url":"https://advantive.my.site.com/support/s/article/VeraCore-Release-Notes-2024-4-2-1","source_type":"MISC","tags":[]},{"url":"https://intezer.com/blog/research/xe-group-exploiting-zero-days/","source_type":"MISC","tags":[]},{"url":"https://www.solissecurity.com/en-us/insights/xe-group-from-credit-card-skimming-to-exploiting-zero-days/","source_type":"MISC","tags":[]}],"timeline":[{"type":"published","at":"2025-02-03T00:00:00Z","label":"CVE published","source":null},{"type":"cisa_reported","at":"2025-03-10T00:00:00Z","label":"Added to CISA KEV catalog","source":"kev"},{"type":"cvss_changed","at":"2026-06-28T17:39:39.499577Z","label":"CVSS score revised","source":"cvelistv5"},{"type":"cvss_changed","at":"2026-06-28T17:39:39.499577Z","label":"CVSS score revised","source":"cvelistv5"},{"type":"cvss_changed","at":"2026-06-28T17:39:39.499577Z","label":"CVSS score revised","source":"cvelistv5"},{"type":"ssvc_changed","at":"2026-06-29T02:18:43.743904Z","label":"SSVC decision revised","source":"vulnrichment"},{"type":"ssvc_changed","at":"2026-06-29T02:18:43.743904Z","label":"SSVC decision revised","source":"vulnrichment"},{"type":"ssvc_changed","at":"2026-06-29T02:18:43.743904Z","label":"SSVC decision revised","source":"vulnrichment"}]}