Experts Warn of a Second Wave of Attacks Targeting SAP NetWeaver Bug CVE-2025-31324

A second wave of attacks targeting the SAP NetWeaver bug CVE-2025-31324 has been detected, and experts warn that thousands of internet-facing applications may be at risk. The vulnerability, first reported by ReliaQuest researchers in April, stems from a lack of proper authorization checks in the SAP NetWeaver Visual Composer Metadata Uploader.

The flaw allows unauthenticated attackers to upload malicious executable files to the system, which can be executed on the host system, potentially leading to a full compromise of the targeted SAP environment. Despite SAP's initial patch release in April 2025, researchers have since discovered that some fully patched systems were still vulnerable to exploitation.

SAP systems are high-value targets because they are widely used by governments and enterprises. ReliaQuest reported the critical vulnerability to SAP, which led to a patch release. However, experts now warn of a second wave of attacks using the same webshells deployed in the initial attack campaign.

The attackers exploited the Metadata Uploader to upload malicious JSP webshells using crafted POST requests, then executed them with GET requests to gain full control of the target systems. All webshells were deployed in the same root directory and had similar capabilities, reusing code from a public GitHub RCE project.

Attackers used the webshells to run system commands via GET requests, upload files, and maintain persistence. In one of the attacks, a variant relied on Brute Ratel and Heaven’s Gate to enhance stealth and control, signaling a sophisticated threat aimed at full system compromise and data theft.
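The pattern described above (an upload POST to the Metadata Uploader, followed by a GET to a newly written .jsp file, often carrying a command parameter) can be hunted for in web server access logs. The following detector is an added example written for this article, not code from SAP, ReliaQuest or Onapsis. It assumes Common Log Format lines, assumes the uploader endpoint path contains the token `metadatauploader` (the article does not give the exact URL), and runs over a handful of constructed log lines embedded in the block.

```python
import re
from collections import namedtuple
from datetime import datetime, timedelta

# Common Log Format, e.g.
# 203.0.113.10 - - [07/May/2025:10:15:01 +0000] "POST /path HTTP/1.1" 200 512
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumption: the uploader endpoint path contains this token. The article does
# not state the exact URL, so adjust this for your own landscape.
UPLOADER_TOKEN = "metadatauploader"

# A POST to the uploader followed by a GET of a .jsp from the same client within
# this window is treated as one suspicious sequence (tunable assumption).
WINDOW = timedelta(minutes=30)

Finding = namedtuple("Finding", "ip reason path")


def parse_line(line):
    """Parse one CLF access-log line into a dict, or return None if malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def is_uploader_post(rec):
    return rec["method"] == "POST" and UPLOADER_TOKEN in rec["path"].lower()


def is_jsp_get(rec):
    path = rec["path"].split("?", 1)[0]
    return rec["method"] == "GET" and path.lower().endswith(".jsp")


def has_command_param(rec):
    """True if the query string carries a command-style parameter name."""
    query = rec["path"].partition("?")[2]
    keys = (p.split("=", 1)[0].lower() for p in query.split("&") if p)
    return any(k in ("cmd", "command") for k in keys)


def detect(lines):
    """Return Findings in log order: uploader POSTs, POST-then-.jsp-GET
    sequences per client IP, and .jsp GETs carrying a command parameter."""
    findings = []
    last_post = {}  # client ip -> timestamp of its most recent uploader POST
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that do not parse as CLF
        ip = rec["ip"]
        if is_uploader_post(rec):
            last_post[ip] = rec["ts"]
            findings.append(Finding(ip, "uploader_post", rec["path"]))
        elif is_jsp_get(rec):
            if ip in last_post and rec["ts"] - last_post[ip] <= WINDOW:
                findings.append(Finding(ip, "post_then_jsp_get", rec["path"]))
            if has_command_param(rec):
                findings.append(Finding(ip, "jsp_get_with_command_param", rec["path"]))
    return findings


# Constructed sample log lines (not real traffic); paths are placeholders.
SAMPLE_LOG = [
    '203.0.113.10 - - [07/May/2025:10:15:01 +0000] "POST /app/metadatauploader HTTP/1.1" 200 512',
    '203.0.113.10 - - [07/May/2025:10:15:07 +0000] "GET /helper.jsp?cmd=hostname HTTP/1.1" 200 64',
    '198.51.100.7 - - [07/May/2025:11:00:00 +0000] "GET /index.jsp HTTP/1.1" 200 2048',
    '203.0.113.10 - - [07/May/2025:12:00:00 +0000] "GET /helper.jsp HTTP/1.1" 404 0',
    'this line is not a valid access-log record',
]

if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f.ip}  {f.reason:28} {f.path}")
```

In the sample, only the first client triggers findings: its uploader POST, the .jsp GET six seconds later, and the command parameter on that GET. The same client's .jsp GET at 12:00 falls outside the window and carries no command parameter, so it is not flagged, and the second client's ordinary .jsp GET is ignored because no uploader POST preceded it. Real deployments would feed the log tail of the NetWeaver Java instance into `detect()` and forward findings to the SIEM.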

The delayed follow-up after initial access suggests that the attacker may be an initial access broker, likely selling access via VPN, RDP, or vulnerabilities on forums. This week, Onapsis researchers observed a second wave of attacks using the same vulnerability, warning of the potential for widespread exploitation.

Onapsis Releases Open-Source Scanner to Detect Exploitation Attempts

CISA Adds Vulnerability to Known Exploited Vulnerabilities List

The US cybersecurity agency CISA added the vulnerability CVE-2025-31324 to its Known Exploited Vulnerabilities (KEV) list at the end of April, ordering federal agencies to patch it by May 20, 2025. This move highlights the urgent need for organizations to prioritize patching and securing their SAP NetWeaver environments.
