Hackers Can Take Control via SAP NetWeaver Flaw: SAP Security Analyst Discusses the Risks

A recently disclosed zero-day vulnerability has led to repeated attacks against SAP NetWeaver. This vulnerability, tracked as CVE-2025-31324, can enable remote code execution (RCE) and has been assigned a CVSS score of 10.0.
Investigations of these attacks have revealed that malicious actors are returning to compromised NetWeaver servers to use previously deployed webshells for follow-up activity. Hundreds of SAP instances actively compromised through this exploit are currently being tracked globally.
Jonathan Stross, SAP Security Analyst at Pathlock, a Denver, shares, “The scenario is not new; there are also ways of using legitimate system tools for creating shells. On Windows, this includes Living off the Land Binaries (LOLBins); on Unix-based systems, similar tools are cataloged as GTFOBins. For example, certutil.exe, a Windows-native tool for managing certificates, can also be misused to download arbitrary files, e.g., shells, from remote sources. In the next step of the exploit, those programs can also be used to start the downloaded malicious shells or programs.”
How Should Organizations Protect Against These Threats?
Stross warns, “It’s only a matter of time before the next incident occurs — this is expected in complex, large-scale software environments. As both the application landscape and the software itself become increasingly fragmented and incorporate a wider array of technologies and concepts, understanding and evaluating the full attack surface becomes more challenging. Staying ahead in the ongoing security race — between defenders and attackers — is difficult even for experienced professionals.”
To mitigate this risk, organizations must take prompt action.
Stross explains what steps organizations must take, sharing, “Immediate actions required to mitigate the risk from CVE-2025-31324: apply SAP Security Note 3594142 without delay, set up a blocking rule for external access at the firewall level to the affected path (/developmentserver/metadatauploader), disable Visual Composer (if possible), and conduct a forensic analysis to determine if the vulnerability has been exploited and assess any potential damage. To protect your organization against such threats, an inventory and risk/vulnerability assessment need to be done, and best practices and vendor hardening guides must be followed.”
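As a starting point for the forensic check Stross describes, the following added example (not from the article or from Pathlock) scans web access logs for requests to the affected path, tags each by source and HTTP status, and ranks external requests that received a 2xx response for investigation first. The log format, the sample lines and the internal network ranges are constructed assumptions; real SAP ICM/Java logs use their own layout and the parser would need adjusting.

```python
import ipaddress
import re
from collections import Counter
from urllib.parse import urlsplit

# The path named in the mitigation advice.
AFFECTED_PATH = "/developmentserver/metadatauploader"

# Constructed sample access-log lines in a simplified combined log format
# (illustrative only; not real SAP log output).
SAMPLE_LOG = """\
203.0.113.10 - - [24/Apr/2025:10:01:02 +0000] "GET /irj/portal HTTP/1.1" 200 5123
203.0.113.55 - - [24/Apr/2025:10:02:17 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 41
198.51.100.7 - - [24/Apr/2025:10:05:40 +0000] "POST /developmentserver/metadatauploader/ HTTP/1.1" 500 0
10.0.0.5 - - [24/Apr/2025:10:06:01 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 403 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+$'
)

# Assumed internal ranges (RFC 1918); replace with the real network plan.
DEFAULT_INTERNAL = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")

def is_internal(ip, internal_nets=DEFAULT_INTERNAL):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in internal_nets)

def find_affected_path_requests(log_text, internal_nets=DEFAULT_INTERNAL):
    """Return every request to the affected path, tagged with source and outcome."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort a forensic pass
        # Normalise case, query string and trailing slash so variants still match.
        path = urlsplit(m["target"]).path.lower().rstrip("/")
        if path != AFFECTED_PATH:
            continue
        hits.append({
            "ip": m["ip"], "time": m["ts"], "method": m["method"],
            "status": int(m["status"]),
            "external": not is_internal(m["ip"], internal_nets),
        })
    return hits

def triage(hits):
    """External requests answered with 2xx are the ones to investigate first."""
    return [h for h in hits if h["external"] and 200 <= h["status"] < 300]

def count_by_source(hits):
    return Counter(h["ip"] for h in hits)
```

Any hit at all on a server that has not yet had the blocking rule applied is worth a closer look; the triage list only orders the work, it does not clear the rest.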