
Second Wave of Attacks Targets SAP NetWeaver

SAP is a German-based multinational software corporation.

A second wave of cyberattacks is targeting SAP NetWeaver systems through a zero-day vulnerability tracked as CVE-2025-31324, reports Security Affairs. Initially disclosed in April, this flaw has a maximum CVSS score of 10 and impacts the Visual Composer Metadata Uploader component. Threat actors are exploiting the lack of proper authorization checks to upload and execute malicious JSP webshells, compromising systems without needing authentication.

ReliaQuest researchers first identified the exploitation while investigating attacks that successfully breached even patched systems. The attackers used crafted POST and GET requests to deploy and trigger webshells such as "helper.jsp" and "cache.jsp," giving them persistent remote access. Some variants were observed using advanced tools like Brute Ratel and Heaven’s Gate, indicating a high level of sophistication aimed at gaining full control over enterprise SAP environments.

Now, Onapsis researchers have confirmed a resurgence of attacks leveraging the same vulnerability. These follow-up campaigns appear to repurpose webshells planted during the initial wave, suggesting opportunistic exploitation by additional threat actors. The delayed activity after initial access hints that some of the attackers may be initial access brokers selling compromised credentials or access vectors on underground forums.

To support detection and response, Onapsis and Mandiant released an open-source scanner and updated YARA rules to identify indicators of compromise tied to CVE-2025-31324. The vulnerability was added to CISA’s Known Exploited Vulnerabilities catalog, and U.S. federal agencies have been ordered to apply patches by May 20, 2025. Organizations using SAP NetWeaver should act quickly to assess exposure, implement patches, and monitor for signs of compromise.
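As a first triage pass alongside those tools, the sketch below searches web access logs for requests to the two webshell names reported above and separates clients that received HTTP 200 from those that only probed. It is an added example, not code from Onapsis, Mandiant or the article; the Common/Combined Log Format, the `/example/` path and the sample lines are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Webshell file names reported in the article; extend from vendor IoC lists.
WEBSHELL_NAMES = {"helper.jsp", "cache.jsp"}

# Assumption: the access log uses Common/Combined Log Format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation IP ranges, placeholder /example/ path).
SAMPLE_LOG = [
    '192.0.2.10 - - [29/Apr/2025:10:01:02 +0000] "POST /example/upload HTTP/1.1" 200 64',
    '192.0.2.10 - - [29/Apr/2025:10:01:09 +0000] "GET /example/Helper.JSP;jsessionid=abc?x=1 HTTP/1.1" 200 512',
    '192.0.2.10 - - [29/Apr/2025:10:02:00 +0000] "GET /example/%63ache.jsp HTTP/1.1" 200 128',
    '198.51.100.7 - - [12/May/2025:03:14:15 +0000] "GET /example/cache.jsp HTTP/1.1" 404 0',
    '203.0.113.5 - - [12/May/2025:03:20:00 +0000] "GET /example/index.jsp HTTP/1.1" 200 900',
]


def webshell_hits(lines):
    """Return {client_ip: [(timestamp, method, path, status), ...]} for requests
    whose last path segment is a known webshell name. Matching is done after
    URL-decoding, case-insensitively, ignoring query strings and ';' path params."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        path = unquote(urlsplit(m["target"]).path)
        leaf = path.rsplit("/", 1)[-1].split(";", 1)[0].lower()
        if leaf in WEBSHELL_NAMES:
            hits[m["ip"]].append((m["ts"], m["method"], path, int(m["status"])))
    return dict(hits)


def served(hits):
    """Clients that got HTTP 200 for a webshell name: the file is likely present."""
    return sorted(ip for ip, reqs in hits.items() if any(s == 200 for *_, s in reqs))


if __name__ == "__main__":
    for ip, reqs in webshell_hits(SAMPLE_LOG).items():
        for ts, method, path, status in reqs:
            print(ip, ts, method, path, status)
```

A later 404 from a new client, as in the constructed sample, is consistent with the follow-up probing for previously planted webshells described above and is still worth recording.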
