#SAPNetWeaver

2025-06-09

🚨 SAP NetWeaver: Details on a Common Weaponization Timeline

As mentioned in the May CrowdSec VulnTracking report, #SAPNetWeaver (CVE-2025-31324) was a very interesting case study that highlighted the fact that mainstream malicious actors and legitimate security scanners depend on the same PoCs/write-ups to act. Let’s dive into the timeline and key findings.

🔑 Key findings
🔹 Early reports suggest that a select group of highly skilled attackers weaponized the vulnerability before its public disclosure, but mass exploitation began immediately after the exploit details surfaced.
🔹 Common scanning companies were flagged looking for this vulnerability. The first to take action, in order of appearance, were cert.pl, hadrian.io, and stretchoid, the last of which is still active today and accounts for most of the volume.

ℹ️ About the exploit
A critical zero-day vulnerability (CVSS 10.0) was identified in SAP NetWeaver's Visual Composer component. This flaw allows unauthenticated attackers to upload arbitrary files via the /developmentserver/metadatauploader endpoint, leading to remote code execution with high privileges.

🔎 Trend analysis
🔹 First Publish Date (April 24, 2025): Vulnerability disclosed; no public exploits available.
🔹 CrowdSec Network Monitoring Begins (April 26, 2025): No public exploits exist yet, but we deployed a detection rule. Early probes came from advanced actors: 37% used new, disposable infrastructure, while 63% were linked to known threats. Alert volume remains very low.
🔹 First Public Exploit (April 29, 2025): Scanning activity skyrockets, nearly 50x the original volume, as public exploits emerge. Both botnets and internet-wide scanners (“the usual suspects” and industry surface management providers) started intensive scanning. At this time, benign actors account for over 50% of scanning activity.
🔹 Following weeks: Slowly, malicious actors decrease in volume of exploitation as they move to other vulnerabilities. Only benign actors remain and account for 90% of the traffic volume.

✅ How to protect your systems
🔹 Patch: Apply SAP Security Note immediately.
🔹 Preemptive blocking: Stay protected in real time with top-tier blocklists that you can plug into the most popular security solutions, such as Fortinet, in minutes.
Sharing insights and taking swift action can collectively reduce the impact of these threats. This is your call to action for real-time threat intelligence and collaborative cybersecurity: crowdsec.net/integrations

For more information, visit crowdsec.net

Want to stay ahead of the latest cyber threats? Get our weekly Threat Alert Newsletter delivered straight to your inbox, along with critical threat updates and trending cybersecurity insights.

📩 Sign up now for exclusive access: contact.crowdsec.net/threat-al

2025-05-14

SAP NetWeaver has a gaping security flaw, and threat actors are already exploiting it to gain full control of systems. If you're relying on NetWeaver, now's the time to patch up—can your defenses handle this risk?

thedefendopsdiaries.com/unders

#sapnetweaver
#cve202531324
#ransomware
#cybersecurity
#infosec

2025-05-13

SAP NetWeaver is under fire: a flaw with a perfect risk score is letting hackers upload malicious files and execute remote code. Are your systems safe? Dive in to learn more.

thedefendopsdiaries.com/unders

#sapnetweaver
#cybersecurity
#vulnerabilitymanagement
#remotecodeexecution
#infosec

2025-05-09

SAP NetWeaver users, take note: a critical flaw is letting hackers gain remote control with malicious file uploads—and it's already being exploited by Chinese threat actors. Is your system protected?

thedefendopsdiaries.com/unders

#cve202531324
#sapnetweaver
#cybersecurity
#chinesehackers
#remotecodeexecution

2025-04-30

🚨 A vulnerability in SAP NetWeaver Visual Composer is under active exploitation

🔍 Vulnerability: Unauthenticated file upload flaw in NetWeaver Visual Composer

💥 Impact: Potential unauthorized code execution and full system compromise

🔑 CVE: CVE-2025-31324

🛡️ Remediation:
- Turn off Visual Composer if it is not used
- Apply the latest security update
- Restrict access to /developmentserver/metadatauploader.

#cybersecurity #SAPNetWeaver #vulnerabilitymanagement

bleepingcomputer.com/news/secu
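
An added detection example, not part of any post above: it scans web access logs for requests to the /developmentserver/metadatauploader endpoint named in the 2025-06-09 and 2025-04-30 posts and separates probes from accepted POSTs. It assumes a reverse proxy in front of NetWeaver that writes Combined Log Format; the sample lines, addresses and status codes are constructed.

```python
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

ENDPOINT = "/developmentserver/metadatauploader"  # path named in the posts

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def normalize_path(target):
    """Drop the query string, decode percent-encoding, collapse slashes, lowercase."""
    path = unquote(urlsplit(target).path)
    return re.sub(r"/+", "/", path).lower().rstrip("/")

def find_uploader_hits(lines):
    """Return one record per request that reached the uploader endpoint."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or normalize_path(m["target"]) != ENDPOINT:
            continue  # unparsable line or unrelated path
        status = int(m["status"])
        # A POST answered with 2xx means a request body was accepted:
        # not proof of compromise, but the host needs a file-system review.
        accepted = m["method"] == "POST" and 200 <= status < 300
        hits.append({"ip": m["ip"], "ts": m["ts"], "method": m["method"],
                     "status": status,
                     "severity": "investigate" if accepted else "probe"})
    return hits

def summarize(hits):
    """Count hits per (source IP, severity) for triage."""
    return Counter((h["ip"], h["severity"]) for h in hits)

# Constructed sample input (documentation IP ranges, made-up status codes).
SAMPLE_LOG = [
    '198.51.100.7 - - [29/Apr/2025:10:01:02 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 404 0 "-" "scanner"',
    '203.0.113.9 - - [29/Apr/2025:10:05:44 +0000] "POST /developmentserver//MetadataUploader?x=1 HTTP/1.1" 200 120 "-" "client"',
    '203.0.113.9 - - [29/Apr/2025:10:05:50 +0000] "POST /developmentserver/%6Detadatauploader HTTP/1.1" 403 0 "-" "client"',
    '192.0.2.44 - - [29/Apr/2025:10:06:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "browser"',
    'truncated or malformed line',
]

if __name__ == "__main__":
    for (ip, severity), count in sorted(summarize(find_uploader_hits(SAMPLE_LOG)).items()):
        print(f"{ip}\t{severity}\t{count}")
```

Matching on the normalized path rather than the raw string keeps doubled slashes, percent-encoding and case changes from hiding a request; whether the server itself treats those variants as the same path is an assumption, so the match errs toward over-reporting.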

2025-04-28

SAP NetWeaver’s new flaw lets attackers sneak in malicious files—over 1,200 systems, including major Fortune 500 companies, are at risk. Is your server one of them? Find out how to lock it down.

thedefendopsdiaries.com/unders

#cve202531324
#sapnetweaver
#cybersecurity
#vulnerabilitymanagement
#infosec

2025-04-25

SAP NetWeaver is under attack—an unauthenticated file upload flaw is letting hackers run code remotely. With systems already being breached, is your enterprise ready to patch this ticking time bomb?

thedefendopsdiaries.com/addres

#sapnetweaver
#cve202531324
#cybersecurity
#vulnerabilitymanagement
#remotecodeexecution

Mustafa Kaan Demirhan (mstfknn)
2023-06-01

🚨 ALERT: Critical SSRF Vulnerability (CVE-2021-33690) discovered in . High risk, CVSS score 9.9. Users of versions 7.11 to 7.50, apply SAP's approved patches immediately. Stay vigilant. More info: redrays.io/cve-2021-33690-serv

heise online (unofficial) heiseonline@squeet.me
2020-09-08
SAP NetWeaver 7.52 has been available since 2019, and yet not many have migrated. Among other things, the ABAP SQL Test Double Framework speaks in favor of the update.
ABAP SQL Test Double Framework: Promoter of Clean Code in SAP Applications
#SAP #sapnetweaver
