CyberSecurity news
FlagThis
@onapsis.com
//
The Qilin ransomware-as-a-service (RaaS) group, a Russian-linked threat actor, has been identified as exploiting the critical SAP NetWeaver vulnerability, CVE-2025-31324, weeks before its public disclosure. This zero-day exploit allows for unauthenticated remote code execution, posing a significant threat to enterprise systems globally. The vulnerability affects the `/developmentserver/metadatauploader` endpoint and does not properly enforce authentication or authorization, allowing attackers to upload arbitrary files, including web shells, to the server. SAP assigned the vulnerability a CVSS score of 10.0, highlighting the ease of exploitation and potential for full system compromise.
This pre-disclosure exploitation was uncovered during an incident response led by OP Innovate for a major global enterprise. The investigation revealed communication with known Cobalt Strike C2 infrastructure and IP addresses directly linked to Qilin. While recent reports have pointed to China-linked APT groups exploiting the vulnerability, the discovery of Qilin's involvement suggests a broader range of threat actors are actively targeting this flaw. The ease of exploiting CVE-2025-31324, requiring no authentication and exposing the attack surface via standard HTTP(S), makes it particularly dangerous for commonly deployed enterprise SAP environments.
Security researchers are urging SAP administrators to patch immediately to prevent falling victim to CVE-2025-31324. The vulnerability, which allows unauthenticated file uploads and remote code execution (RCE), is being actively exploited in mass attacks. It hit the security world "like a tsunami," with potentially severe consequences for affected organizations. SOC Prime Platform has also released Sigma rules to help detect exploitation attempts linked to Chinese APT groups that target critical infrastructure.
References :
This pre-disclosure exploitation was uncovered during an incident response led by OP Innovate for a major global enterprise. The investigation revealed communication with known Cobalt Strike C2 infrastructure and IP addresses directly linked to Qilin. While recent reports have pointed to China-linked APT groups exploiting the vulnerability, the discovery of Qilin's involvement suggests a broader range of threat actors are actively targeting this flaw. The ease of exploiting CVE-2025-31324, requiring no authentication and exposing the attack surface via standard HTTP(S), makes it particularly dangerous for commonly deployed enterprise SAP environments.
Security researchers are urging SAP administrators to patch immediately to prevent falling victim to CVE-2025-31324. The vulnerability, which allows unauthenticated file uploads and remote code execution (RCE), is being actively exploited in mass attacks. It hit the security world "like a tsunami," with potentially severe consequences for affected organizations. SOC Prime Platform has also released Sigma rules to help detect exploitation attempts linked to Chinese APT groups that target critical infrastructure.
Share:
References :
- onapsis.com: This consolidated threat advisory [TLP:CLEAR] is provided to support defenders in their assessment of exposure and compromise against the active mass exploitation of SAP security vulnerabilities CVE-2025-31324 and CVE-2025-42999.
- op-c.net: CVE-2025-31324 hit the security world like a tsunami – an easily exploitable SAP vulnerability affecting enterprise environments across the globe.