Compromised SAP NetWeaver instances are ushering in opportunistic threat actors

A second wave of attacks against the hundreds of SAP NetWeaver platforms compromised via CVE-2025-31324 is underway.


“[The] attacks [are] staged by follow-on, opportunistic threat actors who are leveraging previously established webshells (from the first zero-day attack) on vulnerable systems,” Onapsis warned last week.

The second wave of attacks

CVE-2025-31324 is a vulnerability in SAP NetWeaver’s Visual Composer tool that allows unauthenticated attackers to:

  • Upload malicious files to the host system by sending carefully crafted POST requests to the /developmentserver/metadatauploader URL (endpoint)
  • Execute commands with administrative permissions

SAP released an emergency patch for CVE-2025-31324 on April 24, 2025, but several security companies – including ReliaQuest, Rapid7, Onapsis and Mandiant (Google) – have detected intrusions dating back to March 2025, and related reconnaissance activity going back to January 2025.

“Some organizations have reported to Onapsis seeing successful compromises deploying webshells in March 2025, specifically between March 14th and March 31st. Mandiant noted that their first known exploitation via incident response occurred on March 12, 2025,” Onapsis researchers said.

In the first wave of attacks, ending around April 30, the original attackers deployed webshells on compromised SAP NetWeaver instances. In this second wave, other attackers have started leveraging the webshells placed by the original attackers, possibly confirming the initial theory that the webshell-dropping threat actor was an initial access broker.

Researchers from Forescout’s Vedere Labs have also uncovered and mapped malicious infrastructure belonging to one of the opportunistic threat actors involved in the second-stage attacks, and found a variety of tools used by that actor.

“The use of Chinese cloud providers and several Chinese-language tools points to a threat actor likely based in China, which we dubbed Chaya_004,” they said.

Patch and investigate

Admins have previously been advised to apply the patch provided by SAP or to restrict access to the Metadata Uploader component if patching is not possible or a patch is not available. (SAP NetWeaver Application Server Java 7.40 and earlier versions don’t get updates anymore.)

Removing internet access from the SAP platform is not a complete solution.

“The only thing that will change if the SAP application is not Internet-facing is the frequency of exploitation,” Onapsis researchers pointed out.

“Due to the nature of the vulnerability and how it is exploited, we expect to see automated exploit tools taking advantage of this vulnerability and tools that could easily be executed from within a network. Additionally, this could be leveraged by malicious software such as malware or ransomware.”

Unused web services – including Visual Composer – should be disabled and unused applications removed, especially if patching is impossible.

But it’s also important for organizations to investigate whether their SAP NetWeaver instances have been accessed and compromised by the attackers.

Mandiant and Onapsis have released and are regularly updating an open source scanner organizations can use to identify indicators of compromise associated with active in-the-wild exploitation of CVE-2025-31324 in their environment, but have warned that an “all-clear” result does not mean that an intrusion did not happen: “Sophisticated attackers often clean up evidence of their intrusion while deploying rootkits and leveraging techniques to evade detection.”
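As an added illustration (not code from this article nor from the Mandiant/Onapsis scanner), the following Python snippet triages constructed web-server access-log lines for requests to the /developmentserver/metadatauploader endpoint named above, reporting which sources reached it and whether the server accepted a POST. It assumes the log is in combined log format; the IPs, timestamps and user agents are made up.

```python
import re
from collections import Counter

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [20/Mar/2025:10:12:01 +0000] "GET /irj/portal HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [20/Mar/2025:10:13:44 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 317 "-" "python-requests/2.31"
198.51.100.7 - - [20/Mar/2025:10:13:45 +0000] "POST /developmentserver/metadatauploader?CONTENTTYPE=MODEL HTTP/1.1" 200 210 "-" "python-requests/2.31"
192.0.2.55 - - [20/Mar/2025:11:02:09 +0000] "GET /DEVELOPMENTSERVER/metadatauploader HTTP/1.1" 404 0 "-" "curl/8.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TARGET = "/developmentserver/metadatauploader"  # endpoint named in the article

def parse_line(line):
    """Return the fields of one combined-log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_uploader_hit(rec):
    # Compare the path case-insensitively and ignore any query string.
    path = rec["path"].split("?", 1)[0].lower()
    return path == TARGET

def find_suspicious(log_text):
    """All parsed records (any method, any status) that touched the uploader endpoint."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_uploader_hit(rec):
            hits.append(rec)
    return hits

def summarize(hits):
    """Per-source count of POSTs the server answered with 2xx, i.e. uploads it likely accepted."""
    accepted = Counter()
    for h in hits:
        if h["method"] == "POST" and h["status"].startswith("2"):
            accepted[h["ip"]] += 1
    return accepted

if __name__ == "__main__":
    hits = find_suspicious(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["path"]} -> {h["status"]} ({h["ua"]})')
    print("accepted POSTs by source:", dict(summarize(hits)))
```

Any accepted POST to this endpoint on an unpatched system warrants a host-level investigation, and since the article notes persistence is possible without webshells, an empty result here does not clear the host.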

Onapsis researchers also discovered that the webshells were likely uploaded (via remote code execution) after other RCE commands were executed during the reconnaissance phase.

“This means that ‘living-off-the-land’ compromise and persistence is possible without webshells,” they noted, so defenders need to adjust incident response playbooks accordingly.
