SAP NetWeaver vulnerabilities escalate, marking a new phase in threat actions
### Urgent Alert: Widespread Exploitation of High-Risk SAP Vulnerability CVE-2025-31324
In a significant cybersecurity development, a critical zero-day vulnerability in the SAP NetWeaver Visual Composer Framework has been discovered and is being actively exploited. The flaw, tracked as CVE-2025-31324, is an unauthenticated file upload in the Visual Composer Metadata Uploader: a remote attacker with no credentials can upload arbitrary files, including JSP webshells, to the application server and have them executed with the privileges of the SAP Java application server's operating-system account, which in practice means full compromise of the host and of the SAP data it holds.
### Affected Systems and Industries
The vulnerability sits in the Visual Composer development server (VCFRAMEWORK), a component shipped with SAP NetWeaver Java 7.x; the page reports affected versions as 7.1x and above, and SAP's fix is delivered in Security Note 3594142. Note that Visual Composer is not enabled in every NetWeaver Java installation, so the first check for an administrator is whether the component is deployed at all. Because NetWeaver underpins mission-critical ERP, portal and integration workloads, exposure is significant; industries heavily reliant on SAP, such as finance, healthcare, manufacturing, and government, have been targeted.
### Severity and CVSS Score
The vulnerability carries a CVSS v3.1 base score of 10.0, the maximum possible, reflecting network reachability, no required privileges or user interaction, and full impact on the confidentiality, integrity, and availability of affected systems.
### Confirmed Compromises and Threat Actors
While individual victims have not been named, the scale of the exploitation suggests widespread impact across industries. The tradecraft observed, dropping webshells for persistent access and then bringing in command-and-control frameworks, indicates capable attackers who treat the initial upload as a foothold rather than an end in itself.
### Mitigation and Response
Organisations are strongly advised to apply SAP's patch without delay and, because exploitation predates the patch, to treat every internet-reachable NetWeaver Java instance as potentially compromised until a forensic review says otherwise: check for unexpected JSP files in the portal's web root, review HTTP access logs for requests to the Metadata Uploader, and rotate credentials held on the host. SAP's recent patch releases address several critical vulnerabilities, including further updates relevant to SAP NetWeaver.
Active monitoring and detection tooling can help identify and respond to exploitation attempts; several vendors, Darktrace among them, have published detection content for this activity.
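As an added illustration of the log-based detection the paragraph above calls for (this is example code written for this page, not SAP's, Darktrace's, or any vendor's detection logic), the script below scans HTTP access log lines for the two observable stages of this attack: requests to the Visual Composer Metadata Uploader endpoint (`/developmentserver/metadatauploader`, the component SAP patched for CVE-2025-31324) and subsequent requests for `.jsp` files under `/irj/`, where a dropped webshell would be served. The log lines are constructed samples, and the assumed log format (client IP, timestamp, request line, status, size, in Common Log Format order) is an assumption; adapt the regular expression to your ICM or reverse-proxy log layout.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Endpoint of the Visual Composer Metadata Uploader addressed by SAP's fix for CVE-2025-31324.
UPLOAD_ENDPOINT = "/developmentserver/metadatauploader"

# Assumption: Common Log Format fields (ip ident user [ts] "request" status size).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)$'
)

# Constructed sample traffic (not real log data): one client probes the uploader,
# POSTs to it, then fetches a JSP; one browses the portal normally; one scans for a JSP name.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Apr/2025:10:12:01 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 200 512
203.0.113.7 - - [24/Apr/2025:10:12:03 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 0
203.0.113.7 - - [24/Apr/2025:10:12:05 +0000] "GET /irj/helper.jsp HTTP/1.1" 200 1337
198.51.100.20 - - [24/Apr/2025:10:15:00 +0000] "GET /irj/portal HTTP/1.1" 200 20480
198.51.100.20 - - [24/Apr/2025:10:15:02 +0000] "GET /irj/servlet/prt/portal/prtroot/com.sap.portal.navigation.portallauncher.default HTTP/1.1" 200 4096
192.0.2.44 - - [24/Apr/2025:11:00:00 +0000] "GET /irj/cache.jsp HTTP/1.1" 404 0
"""


@dataclass
class Finding:
    ip: str
    timestamp: str
    rule: str
    request: str


def parse_line(line):
    """Return the parsed fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyse(log_text):
    """Tag every suspicious request and collect, per client IP, which rules it tripped."""
    findings = []
    rules_by_ip = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0].lower()  # drop query string, normalise case
        method = rec["method"].upper()
        request = f'{method} {rec["path"]} -> {rec["status"]}'
        if path == UPLOAD_ENDPOINT:
            # A POST is an upload attempt; any other method is reconnaissance of the endpoint.
            rule = "metadatauploader-post" if method == "POST" else "metadatauploader-probe"
        elif path.startswith("/irj/") and path.endswith(".jsp"):
            # Flag regardless of status: a 404 here still shows someone hunting for a webshell.
            rule = "jsp-under-irj"
        else:
            continue
        findings.append(Finding(rec["ip"], rec["ts"], rule, request))
        rules_by_ip[rec["ip"]].add(rule)
    return findings, rules_by_ip


def triage(rules_by_ip):
    """Rank each client: an upload POST plus a JSP fetch is the full webshell chain."""
    verdicts = {}
    for ip, rules in rules_by_ip.items():
        if "metadatauploader-post" in rules and "jsp-under-irj" in rules:
            verdicts[ip] = "critical"
        elif "metadatauploader-post" in rules:
            verdicts[ip] = "high"
        else:
            verdicts[ip] = "medium"
    return verdicts


if __name__ == "__main__":
    found, by_ip = analyse(SAMPLE_LOG)
    for f in found:
        print(f"{f.timestamp}  {f.ip:<14} {f.rule:<24} {f.request}")
    print(triage(by_ip))
```

Run against a real log, a single POST to the uploader is already worth an incident ticket on an unpatched system, since the endpoint has no legitimate unauthenticated callers; the JSP correlation only raises confidence. Patched systems should still be reviewed, because a webshell dropped before the patch keeps working afterwards.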
### Additional Developments
- A working exploit for CVE-2025-31324 is publicly available, and threat actors have used it to deploy webshells and achieve full system compromise.
- The Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, confirming verified active exploitation and calling for immediate patching and mitigation.
- The activity is more serious than originally known: probing for vulnerable SAP systems began in January, two months earlier than previously thought.
- Researchers found attacker infrastructure using certificates impersonating Cloudflare across more than 787 IP addresses, hosted mainly on Alibaba, Tencent, and Huawei cloud.
- Analysts observed live exploitation using SuperShell, Cobalt Strike, SoftEther VPN, and several Chinese-language penetration-testing tools.
- SAP is urging all customers to apply the emergency patch released on April 24 (SAP Security Note 3594142). For systems that cannot be patched immediately, SAP published a workaround in late April: restrict access to the Metadata Uploader endpoint and disable or remove the Visual Composer development server component.
- The vulnerability was originally disclosed by researchers at ReliaQuest; further investigation by Forescout identified a China-based threat actor, tracked as Chaya_004, exploiting the flaw. Forescout assesses Chaya_004 as more likely criminal than state-sponsored.
- The ongoing exploitation of CVE-2025-31324 in the SAP NetWeaver Visual Composer Framework poses a significant threat to data privacy and operational security, especially in industries such as finance, healthcare, manufacturing, and government.
- In response to the active exploitation of this vulnerability, cybersecurity agencies and organizations are urging immediate patches, thorough vulnerability assessments, and the use of active monitoring and detection tools to prevent potential system compromises.