CyberSecurity news
Ddos@securityonline.info
A critical vulnerability, CVE-2025-31324, affecting SAP NetWeaver is under active exploitation by China-linked Advanced Persistent Threat (APT) groups. The zero-day flaw carries the maximum CVSS score of 10.0: it is an unauthenticated file upload vulnerability that lets an attacker upload malicious files and execute code remotely on the affected system. It poses a significant threat to organizations relying on SAP systems and has already led to breaches of critical systems worldwide.
Multiple Chinese hacking groups, including UNC5221, UNC5174, and CL-STA-0048, are leveraging CVE-2025-31324 to deploy web shells, maintain persistent remote access, conduct reconnaissance, execute arbitrary commands, and deploy malicious programs on compromised systems. EclecticIQ researchers uncovered an exposed directory on attacker-controlled infrastructure revealing that 581 SAP NetWeaver instances had already been compromised and backdoored with web shells.
The targets of these attacks include critical infrastructure sectors globally, ranging from natural gas distribution networks and water management utilities to medical device manufacturing plants and government ministries. Organizations are urged to immediately apply the emergency patches released by SAP to mitigate the risk of exploitation. CISA has added CVE-2025-31324 to its Known Exploited Vulnerabilities Catalog, further emphasizing the urgency for organizations to address this critical flaw to protect their systems and data from potential compromise.
References:
- fortiguard.fortinet.com: FortiGuard Threat Signal Report on SAP Netweaver Zero-Day
- The DefendOps Diaries: TheDefendOpsDiaries on SAP NetWeaver Vulnerabilities
- The Hacker News: The Hacker News article on China-Linked APTs exploiting SAP CVE-2025-31324
- Blog: Second zero-day in SAP NetWeaver actively exploited
- Onapsis: Critical SAP Zero-Day Vulnerability Under Active Exploitation (CVE-2025-31324)
- securebulletin.com: China-Linked APTs exploit critical SAP NetWeaver vulnerability to breach over 580 systems globally
- EclecticIQ Blog: EclecticIQ analysts report that in April 2025, China-nexus APTs exploited SAP NetWeaver vulnerabilities to target critical infrastructures globally, leveraging CVE-2025-31324 for remote code execution and maintaining persistent access.
- The DefendOps Diaries: Understanding the Threat: CVE-2025-31324 and Its Impact on SAP NetWeaver
- Onapsis: Onapsis and Mandiant: Latest Intelligence on Critical SAP Zero-Day Vulnerability (CVE-2025-31324)
- Secure Bulletin: SecureBulletin article on China-Linked APTs exploiting critical SAP NetWeaver vulnerability