CyberSecurity news
FlagThis
Field Effect@Blog
//
Russian Ransomware-as-a-Service (RaaS) group Qilin exploited a critical SAP NetWeaver vulnerability, CVE-2025-31324, weeks before its public disclosure. This zero-day flaw, an unauthenticated file upload vulnerability, allowed attackers to gain remote code execution in affected enterprise environments across the globe. The vulnerability affects SAP NetWeaver Visual Composer, a component commonly deployed in large enterprise environments. The flaw lies in the `/developmentserver/metadatauploader` endpoint, which fails to properly enforce authentication and authorization, which allows an unauthenticated attacker to upload arbitrary files, including web shells, to the server with ease.
SAP assigned CVE-2025-31324 a CVSS score of 10.0, reflecting its trivial exploitation path and severe impact, including the potential for remote code execution and full system compromise. The vulnerability's accessibility, requiring no authentication and being exposed via standard HTTP(S), made it especially dangerous. OP Innovate discovered the active exploitation of CVE-2025-31324 during an incident response engagement for a major global enterprise, finding evidence of exploitation nearly three weeks before the vulnerability was publicly disclosed.
OP Innovate's investigation revealed two separate exploitations of CVE-2025-31324 within a major enterprise environment. The first occurred nearly three weeks before the vulnerability was publicly disclosed, and the second shortly after. While recent articles pointed to China-Linked APTs, OP Innovate identified communication with known Cobalt Strike C2 infrastructure and IP addresses linked directly to Qilin. Organizations using SAP NetWeaver are urged to apply the necessary patches and monitor for potential exploitation attempts to mitigate risks and prevent further breaches.
References :
SAP assigned CVE-2025-31324 a CVSS score of 10.0, reflecting its trivial exploitation path and severe impact, including the potential for remote code execution and full system compromise. The vulnerability's accessibility, requiring no authentication and being exposed via standard HTTP(S), made it especially dangerous. OP Innovate discovered the active exploitation of CVE-2025-31324 during an incident response engagement for a major global enterprise, finding evidence of exploitation nearly three weeks before the vulnerability was publicly disclosed.
OP Innovate's investigation revealed two separate exploitations of CVE-2025-31324 within a major enterprise environment. The first occurred nearly three weeks before the vulnerability was publicly disclosed, and the second shortly after. While recent articles pointed to China-Linked APTs, OP Innovate identified communication with known Cobalt Strike C2 infrastructure and IP addresses linked directly to Qilin. Organizations using SAP NetWeaver are urged to apply the necessary patches and monitor for potential exploitation attempts to mitigate risks and prevent further breaches.
Share:
References :
- industrialcyber.co: EclecticIQ details Chinese state-backed hackers launch global attacks on critical infrastructure via SAP vulnerability
- Onapsis: Critical SAP Zero-Day Vulnerability Under Active Exploitation (CVE-2025-31324)
- securebulletin.com: China-Linked APTs exploit critical SAP NetWeaver vulnerability to breach over 580 systems globally
- The Hacker News: China-Linked APTs Exploit SAP CVE-2025-31324 to Breach 581 Critical Systems Worldwide
- The DefendOps Diaries: Critical SAP Zero-Day Vulnerability Under Active Exploitation (CVE-2025-31324)
- Onapsis: SAP defenders were briefed on an active exploitation campaign targeting a critical CVSS 10.0 vulnerability (CVE-2025-31324).
- Blog: Second zero-day in SAP NetWeaver actively exploited
- op-c.net: SAP Zero – Frostbite: How Russian RaaS Actor Qilin Exploited CVE-2025-31324 Weeks Before its Public Disclosure
- Industrial Cyber: EclecticIQ details Chinese state-backed hackers launch global attacks on critical infrastructure via SAP vulnerability
- onapsis.com: Threat Briefing Report: Critical SAP Vulnerabilities (CVE-2025-31324 and CVE-2025-42999) Under Active Mass Exploitation
- socprime.com: Detect CVE-2025-31324 Exploitation by Chinese APT Groups Targeting Critical Infrastructure
- SOC Prime Blog: A newly revealed SAP NetWeaver critical vulnerability, an unauthenticated file upload flaw that allows RCE and tracked as CVE-2025-31324, is being actively exploited by several China-linked nation-state groups to attack critical infrastructure systems.
Classification:
- HashTags: #SAPSecurity #Ransomware #Cybersecurity
- Company: SAP
- Target: SAP NetWeaver servers
- Attacker: Qilin
- Product: NetWeaver
- Feature: file upload
- Malware: Frostbite
- Type: 0Day
- Severity: Major