Second Wave of Attacks Hitting SAP NetWeaver After Zero-Day Compromise

Recent reports indicate a resurgence of attacks against SAP NetWeaver instances previously compromised through a critical zero-day vulnerability, CVE-2025-31324, with threat actors using the webshells already established on those systems for further exploitation. Although patches have been released, several vulnerable systems remain at risk, making swift remediation essential for affected organizations.

Affected: SAP NetWeaver instances

Key points:

  • Onapsis reports a second wave of attacks on SAP NetWeaver due to a zero-day vulnerability (CVE-2025-31324).
  • The vulnerability has a CVSS score of 10/10 and was disclosed on April 24, 2025.
  • Exploitation of this flaw has been linked to initial access brokers and has been ongoing since at least mid-March 2025.
  • SAP confirmed the defect allows malicious file uploads to vulnerable servers.
  • Threat actors are deploying JSP webshells, facilitating code execution and lateral movement within affected environments.
  • Onapsis has released an open-source scanner to assist organizations in identifying indicators of compromise (IoCs) related to this vulnerability.
  • The scanner can locate vulnerable systems, IoCs, and suspicious web-executable files, aiding in future threat analyses.
  • As of May 5, around 200 internet-accessible NetWeaver instances remain vulnerable to CVE-2025-31324, a significant drop from over 400 in late April.
  • CISA added this vulnerability to its Known Exploited Vulnerabilities catalog, advising federal agencies to patch by May 20.

Read More: https://www.securityweek.com/second-wave-of-attacks-hitting-sap-netweaver-after-zero-day-compromise/