Unsecured SAP NetWeaver Instances: A Gateway for Emerging Cyber Threats
Compromised SAP NetWeaver instances are ushering in opportunistic threat actors
Illicit cyber activity targeting SAP NetWeaver platforms has surged recently, raising significant concern in the cybersecurity community.
Predatory threat actors are exploiting a vulnerability in SAP NetWeaver’s Visual Composer tool (CVE-2025-31324), allowing them to access sensitive information and disrupt company operations.
This article will provide a more in-depth look at the nature of these attacks and recommendations on how to safeguard your system.
A Look At CVE-2025-31324 Exploit
Onapsis, a cybersecurity firm, issued an alarming alert last week highlighting a second wave of attacks orchestrated by opportunistic threat actors.
These actors are exploiting an earlier weakness in SAP’s NetWeaver platform via a vulnerability designated as CVE-2025-31324.
With this vulnerability, unauthenticated attackers can upload malicious files to the host system which can lead to unauthorized data access, data corruption, and crashes.
Webshells: A Backdoor Entry for Threat Actors
The second wave of these attacks is notable due to how they have been facilitated.
Threat actors are taking advantage of pre-existing webshells established in the initial zero-day attack to wage this wave.
The net result is a devastating compromise of the system still suffering from the earlier vulnerability.
Real-World Examples
A classic case of such exploitation occurred recently with a French retail firm.
The threat actor exploited the SAP CVE-2025-31324 vulnerability to gain initial access.
The actor then used the existing webshells from the glitch to navigate through the retailer’s system, exfiltrating sensitive financial and customer data.
Safeguarding Against the Threats
Considering the severity and frequency of these attacks, immediate actions must be taken to secure one’s SAP NetWeaver platform.
Companies need to update and patch their systems promptly to reduce the possibility of being compromised.
Regular audits to detect anomalies, unusual user behavior, noncompliance issues, and security gaps are crucial for on-going security.
Furthermore, companies must enhance their incident response capabilities to deal with potential threats swiftly and effectively.
Conclusion
In an era where cyber threats are evolving and becoming bolder, we need to stay vigilant.
It’s prudent that businesses using the SAP NetWeaver platform heed this latest security alert and enact measures to secure their systems adequately.
Even though opportunistic threat actors can be crafty, performing regular patch updates, and maintaining robust cybersecurity measures can provide a formidable defense against these threats.
