Compromised SAP Netweaver Instances Are Ushering in Opportunistic Threat Actors
Summary:
A second wave of cyberattacks has emerged targeting SAP NetWeaver systems, involving opportunistic threat actors who are exploiting webshells planted during an earlier zero-day campaign. These webshells were deployed by initial attackers exploiting CVE-2025-31324, a critical vulnerability in the Visual Composer tool within SAP NetWeaver. This flaw allows unauthenticated remote attackers to upload malicious files and execute commands with administrative privileges by sending specially crafted POST requests to the /developmentserver/metadatauploader endpoint. Although SAP released an emergency patch on April 24, 2025, threat intelligence teams from Onapsis, Mandiant, ReliaQuest, and Rapid7 have confirmed that exploitation activity had already begun as early as March, with reconnaissance activity dating back to January. Onapsis reported that some organizations experienced compromises with webshells deployed between March 14 and March 31. Mandiant recorded its first confirmed exploitation during incident response efforts on March 12.
Security Officer Comments:
During the first wave of attacks, threat actors used the CVE-2025-31324 vulnerability to gain initial access and deploy webshells to compromised SAP NetWeaver instances. The second wave involves unrelated or secondary threat actors leveraging those pre-installed webshells to access and control vulnerable systems. This behavior suggests that the initial attackers may have functioned as initial access brokers who provided a foothold for others. Forescout’s Vedere Labs identified malicious infrastructure used by at least one of the groups participating in the second-stage attacks and observed a wide range of tools in use. Indicators such as the use of Chinese cloud service providers and Chinese-language tools suggest that one of the groups, dubbed Chaya_004, is likely based in China.
Suggested Corrections:
Administrators have been advised to apply the patch issued by SAP immediately. If patching is not feasible, organizations are instructed to restrict access to the Metadata Uploader component. However, this recommendation is complicated by the fact that SAP NetWeaver Application Server Java version 7.40 and older versions no longer receive updates. Onapsis has cautioned that simply removing internet exposure is not a sufficient defense, as the vulnerability can also be exploited from within a local network. The frequency of attacks may decrease without internet access, but internal exploitation remains a viable threat vector. Moreover, automated tools are expected to emerge that exploit this vulnerability, and malware or ransomware actors could also incorporate it into their toolsets. Security teams should take immediate action to disable and remove unused services and applications within SAP environments, particularly components like Visual Composer that are not actively used. Beyond patching, organizations must proactively investigate whether their SAP NetWeaver instances have already been compromised. Mandiant and Onapsis have released and continue to update an open-source scanner to help organizations detect indicators of compromise related to active exploitation of CVE-2025-31324.
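One way to carry out the "investigate whether you were already compromised" step, as an added example that is not code from the page and not the Mandiant/Onapsis scanner: the Python script below scans HTTP access log lines (assumed to be in combined log format, for instance from a reverse proxy in front of the SAP instance) for requests to the /developmentserver/metadatauploader endpoint named in the summary, classifies POSTs as upload attempts and other methods as probes, marks hits dated before the April 24, 2025 patch release, and groups results by source address. The log lines are constructed samples using documentation IP ranges, not real traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Endpoint named in the advisory as the upload path abused by CVE-2025-31324.
METADATA_UPLOADER_PATH = "/developmentserver/metadatauploader"

# Patch release date from the advisory; hits before it show pre-patch exposure.
PATCH_DATE = datetime(2025, 4, 24, tzinfo=timezone.utc)

# Combined log format (assumption about the log source feeding this check).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample log lines (documentation IP ranges, not observed traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [12/Mar/2025:03:14:07 +0000] "GET /irj/portal HTTP/1.1" 200 5123
198.51.100.7 - - [15/Mar/2025:02:01:44 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 87
198.51.100.7 - - [15/Mar/2025:02:03:10 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 91
203.0.113.5 - - [20/Apr/2025:11:20:00 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 401 0
192.0.2.33 - - [30/Apr/2025:09:00:12 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 500 0
"""


def parse_line(line):
    """Parse one combined-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def is_uploader_path(path):
    """True if the request path (query string and trailing slash ignored) is the uploader."""
    return path.split("?", 1)[0].lower().rstrip("/") == METADATA_UPLOADER_PATH


def find_uploader_hits(log_text):
    """Return every request to the uploader endpoint, classified and dated against the patch."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_uploader_path(rec["path"]):
            continue
        hits.append({
            "ip": rec["ip"],
            "ts": rec["ts"].isoformat(),
            "method": rec["method"],
            "status": rec["status"],
            # A POST is an upload attempt; any other method is treated as a probe.
            "kind": "upload_attempt" if rec["method"] == "POST" else "probe",
            "pre_patch": rec["ts"] < PATCH_DATE,
        })
    return hits


def summarize_by_source(hits):
    """Group hits by source IP; a 2xx on a POST means the server accepted the upload."""
    summary = defaultdict(lambda: {"probes": 0, "upload_attempts": 0, "accepted_uploads": 0})
    for h in hits:
        s = summary[h["ip"]]
        if h["kind"] == "probe":
            s["probes"] += 1
        else:
            s["upload_attempts"] += 1
            if 200 <= h["status"] < 300:
                s["accepted_uploads"] += 1
    return dict(summary)


if __name__ == "__main__":
    found = find_uploader_hits(SAMPLE_LOG)
    for h in found:
        print(h)
    for ip, s in summarize_by_source(found).items():
        print(ip, s)
```

An accepted upload (2xx on a POST to the uploader) is the strongest signal in the log and should trigger a host-level check of the instance for planted webshells, regardless of whether the patch has since been applied; a 4xx on a GET is a lower-confidence probe but still worth correlating with the same source address elsewhere in the environment, since the advisory notes exploitation from inside the local network as well.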
Link(s):
https://www.helpnetsecurity.com/202...nstances-attacks-opportunistic-threat-actors/