Experts Warn Of A Second Wave

---
title: "Critical Alert: Second Wave of Attacks Exploits SAP NetWeaver Vulnerability CVE-2025-31324"
categories: [Cybersecurity & Data Protection, Vulnerabilities]
tags: [cybersecurity, sap netweaver, zero-day vulnerability]
author: Tom
date: 2025-05-06
---

TL;DR

  • A critical zero-day vulnerability (CVE-2025-31324) in SAP NetWeaver is being actively exploited.
  • Attackers are leveraging webshells to gain full control of targeted systems.
  • A second wave of attacks has been observed, highlighting the urgent need for patching and vigilance.

Critical Zero-Day Vulnerability in SAP NetWeaver Exploited

In April, ReliaQuest researchers warned about a zero-day vulnerability in SAP NetWeaver, tracked as CVE-2025-31324 with a CVSS score of 10/10. This flaw affects thousands of internet-facing applications, posing a significant risk to organizations using SAP systems.

Understanding the Vulnerability

The vulnerability stems from insufficient authorization checks in the SAP NetWeaver Visual Composer Metadata Uploader. This allows unauthenticated attackers to upload and execute malicious files, potentially leading to full system compromise. SAP addressed this issue with the April 2025 Security Patch Day release.

Initial Discovery and Exploitation

ReliaQuest researchers discovered the vulnerability during investigations into multiple attacks. Attackers exploited the Metadata Uploader to upload JSP webshells using crafted POST requests, which were then executed with GET requests to gain control. These webshells, often named “helper.jsp” or “cache.jsp,” enabled remote command execution and file uploads.

Sophisticated Attack Methods

The attackers deployed webshells with capabilities reused from a public GitHub RCE project. One variant involved the use of Brute Ratel and Heaven’s Gate to enhance stealth and control, indicating a sophisticated threat aimed at full system compromise and data theft. The delayed follow-up after initial access suggests the attacker may be an initial access broker, likely selling access via VPN, RDP, or vulnerabilities on forums.

Second Wave of Attacks

Onapsis researchers observed a second wave of attacks exploiting the same vulnerability. According to their report, follow-up attackers are using previously established webshells from the prior campaign to stage new attacks. Onapsis, in collaboration with Mandiant, released an open-source scanner to detect exploitation attempts for CVE-2025-31324 and provided an updated YARA rule to improve detection.
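The exploitation pattern described above (an unauthenticated POST to the Metadata Uploader, followed by a GET to the dropped JSP webshell) leaves a recognisable trace in web server access logs. The following is an added detection example written for this post; it is not the Onapsis/Mandiant scanner or the YARA rule. It assumes Common Log Format lines and assumes the uploader endpoint path `/developmentserver/metadatauploader`; the log lines are constructed, not real traffic.

```python
import re
from collections import defaultdict

# Assumed endpoint path for the Visual Composer Metadata Uploader (not stated in the post).
UPLOADER_PATH = "/developmentserver/metadatauploader"
# Webshell file names reported in the post.
SUSPECT_NAMES = {"helper.jsp", "cache.jsp"}

# Common Log Format: ip ident user [time] "METHOD path HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_webshell_activity(lines):
    """Return (ip, finding) tuples: POSTs to the uploader, GETs of the reported
    webshell names, and any .jsp GET from an address that already POSTed to the uploader."""
    findings = []
    posted_to_uploader = defaultdict(bool)   # source ip -> seen uploader POST
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]          # drop query string
        name = path.rsplit("/", 1)[-1].lower()       # last path segment
        if rec["method"] == "POST" and path.lower().startswith(UPLOADER_PATH):
            posted_to_uploader[rec["ip"]] = True
            findings.append((rec["ip"], f"POST to metadata uploader ({rec['status']})"))
        elif rec["method"] == "GET" and name.endswith(".jsp"):
            if name in SUSPECT_NAMES:
                findings.append((rec["ip"], f"GET of known webshell name {name}"))
            elif posted_to_uploader[rec["ip"]]:
                findings.append((rec["ip"], f"GET of {name} after uploader POST"))
    return findings

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [06/May/2025:10:01:02 +0000] "GET /irj/portal HTTP/1.1" 200 5123',
    '203.0.113.5 - - [06/May/2025:10:01:09 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 211',
    '203.0.113.5 - - [06/May/2025:10:01:15 +0000] "GET /irj/helper.jsp HTTP/1.1" 200 88',
    '198.51.100.7 - - [06/May/2025:10:02:30 +0000] "GET /irj/portal/index.jsp HTTP/1.1" 200 4100',
    '192.0.2.9 - - [06/May/2025:10:03:01 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 205',
    '192.0.2.9 - - [06/May/2025:10:03:07 +0000] "GET /irj/report.jsp HTTP/1.1" 200 91',
]

if __name__ == "__main__":
    for ip, what in find_webshell_activity(SAMPLE_LOG):
        print(ip, what)
```

A benign `index.jsp` request from an address with no uploader POST produces no finding, while a renamed webshell is still caught by the POST-then-GET correlation on the same source address.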

Government Response

At the end of April, the US Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-31324 to its Known Exploited Vulnerabilities (KEV) catalog, ordering federal agencies to patch it by May 20, 2025.

Conclusion

The ongoing exploitation of CVE-2025-31324 highlights the critical need for organizations to apply the necessary patches and remain vigilant against potential attacks. The sophisticated methods employed by attackers underscore the importance of robust security measures and continuous monitoring.

Additional Resources

For further insights, check:

References

This post is licensed under CC BY 4.0 by the author.