SAP Vulnerability Used in Attacks Since January, Hundreds of Installations Affected
By Netvora Tech News
A critical vulnerability in SAP NetWeaver, for which a patch was released in late April, has been used in attacks since January. The security flaw not only allows arbitrary files to be uploaded but also enables "full remote command execution," according to security firm Onapsis. Hundreds of SAP installations compromised through this vulnerability have been identified.
SAP NetWeaver: A Popular Platform at Risk
SAP NetWeaver is a platform used to run SAP applications, which are widely used in many business environments. Recently, Dutch organizations were warned by the Digital Trust Center (DTC) of the Ministry of Economic Affairs about the misuse of this vulnerability. The impact of the vulnerability, designated as CVE-2025-31324, has been rated a 10.0 out of 10.
Attackers' Activities
According to Onapsis, the attackers used the vulnerability between January 20th and February 10th for reconnaissance and to test various "payloads." After February 10th, an increase in exploit attempts was observed. Compromised SAP servers were found to have webshells installed. Webshells allow attackers to maintain access to the server and carry out further attacks.
'Full Remote Command Execution' Capability
Initially, it was thought that the vulnerability only allowed file uploads, and that attackers had uploaded the webshells using this method. However, Onapsis has found that the vulnerability enables "full remote command execution" (RCE), which was used by the attackers to place the webshells. According to Onapsis, the attackers have in-depth knowledge of SAP.
Hundreds of Compromised Servers Identified
Onapsis has identified hundreds of compromised SAP servers across various sectors. The company, along with security firm Mandiant, has released an open-source tool to help organizations check their SAP servers for potential misuse of CVE-2025-31324.
- The vulnerability, designated as CVE-2025-31324, has a severity rating of 10.0 out of 10.
- Attackers used the vulnerability between January 20th and February 10th for reconnaissance and testing.
- Compromised SAP servers were found to have webshells installed, allowing attackers to maintain access and carry out further attacks.
- Onapsis has identified hundreds of compromised SAP servers across various sectors.