Hundreds of SAP NetWeaver instances worldwide have been compromised due to a zero-day vulnerability (CVE-2025-31324) allowing remote code execution. Attackers are actively exploiting this flaw to gain persistent access and deploy webshells. (Affected: SAP NetWeaver systems)
Key points:
- Hundreds of SAP NetWeaver instances have been compromised through exploitation of CVE-2025-31324, a critical zero-day flaw.
- The vulnerability enables remote code execution, allowing attackers to upload malicious executables and maintain persistence.
- Threat actors have been revisiting compromised servers to leverage deployed webshells for further malicious activities.
- Exploitation started in January 2025, with attacks observed across multiple industries and geographies.
- Recent attacks have been linked to a Chinese threat group, Chaya_004, beginning in late April 2025.
- Security firms advise organizations to patch immediately, update security playbooks, and conduct compromise assessments.
- Open source scanners have been updated to help detect signs of compromise and mitigate the threat.
Read More: https://www.securityweek.com/sap-zero-day-targeted-since-january-many-sectors-impacted/