{"id":3189,"date":"2025-05-06T15:42:23","date_gmt":"2025-05-06T14:42:23","guid":{"rendered":"https:\/\/aegislens.com\/home\/?p=3189"},"modified":"2025-05-11T17:50:56","modified_gmt":"2025-05-11T16:50:56","slug":"latest-cybersecurity-alert-sap-netweaver-faces-second-attack-wave-following-zero-day-breach","status":"publish","type":"post","link":"https:\/\/aegislens.com\/home\/latest-cybersecurity-alert-sap-netweaver-faces-second-attack-wave-following-zero-day-breach\/","title":{"rendered":"Latest Cybersecurity Alert: SAP NetWeaver Faces Second Attack Wave Following Zero-Day Breach"},"content":{"rendered":"


\n

<\/p>\n
\n

Second Wave of Attacks Hitting SAP NetWeaver After Zero-Day Compromise<\/h1>\n

SAP NetWeaver, a technical foundation which supports all SAP applications, has once again become the target of threat actors.<\/p>\n

The popular platform is experiencing a resurgence in cyber attacks, exploiting the webshells deployed during a recent zero-day vulnerability incident.<\/p>\n

Attack Overview<\/h2>\n

SAP NetWeaver first came under fire when a zero-day vulnerability, CVE-2020-6287, also known as ‘RECON’ (Remotely Exploitable Code On Netweaver), was discovered.<\/p>\n

This vulnerability allowed unauthenticated attackers full access to affected SAP applications.<\/p>\n

Now, a second wave of attacks has been detected, having been launched from the webshells established during the initial zero-day exploit.<\/p>\n

In this second round of malicious activity, the cyber criminals are sharing and selling access to compromised SAP servers on the darknet, suggesting this may evolve into a cascading network of threats.<\/p>\n

Threat Details<\/h2>\n

Unlike the initial attack, which had a broad range of targets, the second wave appears focused on certain industries, including governmental, manufacturing and insurance sectors.<\/p>\n

Although the reason behind this targeted approach is not known, it further magnifies the seriousness of the issue.<\/p>\n

Advice and Measures<\/h2>\n

SAP NetWeaver companies must act swiftly and decisively to mitigate these risks.<\/p>\n

Immediate patching of the RECON vulnerability is of prime importance, followed by a thorough investigation to identify and remove any installed webshells.<\/p>\n

Crimes must be reported to the relevant authorities and prompt notification of the security breach is necessary to all relevant stakeholders.<\/p>\n

The increasing trend and sophistication of these attacks serve as a stark reminder for companies to routinely inspect their digital assets, patch vulnerabilities promptly, and employ robust cybersecurity defenses.<\/p>\n

Awareness and vigilance can go a long way in combating these threats.<\/p>\n

Follow-Up Reading<\/h2>\n