Threat actors have been observed launching a second wave of attacks against SAP NetWeaver instances that were compromised via a recent zero-day vulnerability, enterprise application security firm Onapsis warns.
The zero-day, tracked as CVE-2025-31324 (CVSS score of 10/10), was disclosed on April 24, after SAP updated its April 2025 Security Patch Day bulletin to add a fresh note addressing it.
Cybersecurity firm ReliaQuest first observed in-the-wild exploitation of the bug on systems that were fully patched at the time, which is what marked it as a zero-day, and linked the activity to initial access brokers. According to Mandiant, the flaw had been exploited since at least mid-March 2025.
SAP, which describes the security defect as a missing authorization check in NetWeaver’s Visual Composer development server, confirmed that it was exploited to upload malicious files to specific paths on vulnerable servers.
Threat actors have been targeting vulnerable NetWeaver instances to drop JSP webshells into a web-served root directory of the Java application server, which has allowed them to execute commands, fetch and deploy additional payloads, and move laterally in the affected environments.
On Monday, Onapsis warned that it was “seeing a second wave of attacks staged by follow-on, opportunistic threat actors who are leveraging previously established webshells (from the first zero-day attack) on vulnerable systems.”
In collaboration with Mandiant, Onapsis on Friday released an open source scanner to help organizations hunt for indicators of compromise (IoCs) associated with CVE-2025-31324’s exploitation.
The tool can identify vulnerable systems, find IoCs, search for unknown web-executable files in known directories, and collect the suspicious files for future analysis.
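The directory sweep that such a scanner performs can be approximated with a short hunting script. The following is an added example, not the Onapsis/Mandiant scanner or any code from this article: it walks a web root, flags every file with a web-executable extension that is not on a known-good allowlist, additionally flags files that carry strings typical of Java webshells, and copies each hit to an evidence directory named by its SHA-256 hash. The marker strings, the extension set, and the constructed web root with a planted `helper.jsp` are all assumptions for illustration; on a real system the `webroot` argument would be the NetWeaver Java engine's deployed `irj` root and the allowlist would come from a known-clean baseline.

```python
"""Hunt a NetWeaver web root for unknown or webshell-like files and collect them.

Added example for illustration; not the Onapsis/Mandiant scanner.
The extension set, marker strings and sample files are assumptions.
"""
import hashlib
import os
import shutil
import tempfile

# Extensions the Java engine will compile or execute when served from a web root.
WEB_EXEC_EXT = {".jsp", ".jspx", ".java", ".class"}

# Strings typical of Java webshells. A file containing one is flagged even when
# its name is on the allowlist. Illustrative, not an exhaustive signature set.
WEBSHELL_MARKERS = (
    b"Runtime.getRuntime().exec",
    b"ProcessBuilder",
    b"request.getParameter",
)


def hunt_webroot(webroot, allowlist=frozenset()):
    """Return findings for web-executable files under webroot.

    allowlist holds web-root-relative paths (forward slashes) of files known to
    belong to the installation; they are skipped unless they contain markers.
    """
    findings = []
    for dirpath, _, filenames in os.walk(webroot):
        for name in filenames:
            ext = os.path.splitext(name)[1].lower()
            if ext not in WEB_EXEC_EXT:
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, webroot).replace(os.sep, "/")
            with open(path, "rb") as fh:
                data = fh.read()
            markers = [m.decode() for m in WEBSHELL_MARKERS if m in data]
            if rel in allowlist and not markers:
                continue
            findings.append({
                "path": rel,
                "sha256": hashlib.sha256(data).hexdigest(),
                "size": len(data),
                "markers": markers,
                "reason": "webshell markers" if markers else "unknown web-executable file",
            })
    findings.sort(key=lambda f: f["path"])  # deterministic order regardless of os.walk
    return findings


def collect(webroot, findings, evidence_dir):
    """Copy each flagged file to evidence_dir, named by hash; originals are left in place."""
    os.makedirs(evidence_dir, exist_ok=True)
    collected = []
    for f in findings:
        dst = os.path.join(evidence_dir, f["sha256"] + ".bin")
        shutil.copy2(os.path.join(webroot, f["path"]), dst)
        collected.append(dst)
    return collected


def demo():
    """Constructed web root: one allowlisted JSP, one unknown JSP, one webshell-like JSP."""
    root = tempfile.mkdtemp(prefix="irj_root_")
    evidence = tempfile.mkdtemp(prefix="evidence_")
    os.makedirs(os.path.join(root, "portal"))
    with open(os.path.join(root, "portal", "index.jsp"), "w") as fh:
        fh.write('<%@ page language="java" %><html>portal</html>\n')  # known, benign
    with open(os.path.join(root, "portal", "extra.jsp"), "w") as fh:
        fh.write("<%= new java.util.Date() %>\n")  # benign content, but not on the allowlist
    with open(os.path.join(root, "helper.jsp"), "w") as fh:
        # Constructed webshell sample for detection purposes only.
        fh.write('<% Runtime.getRuntime().exec(request.getParameter("cmd")); %>\n')
    with open(os.path.join(root, "notes.txt"), "w") as fh:
        fh.write("not web-executable\n")  # ignored by extension
    findings = hunt_webroot(root, allowlist={"portal/index.jsp"})
    collected = collect(root, findings, evidence)
    return findings, collected


if __name__ == "__main__":
    for f, c in zip(*demo()):
        print(f["reason"], f["path"], f["sha256"][:16], "->", c)
```

Run it on a live host as the SAP instance user rather than copying the directory elsewhere first, so that file metadata such as modification times survives for the timeline. The allowlist approach only works against a baseline taken from a known-clean installation or a freshly deployed system at the same patch level; without one, every hit under the unknown-file reason has to be reviewed by hand.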
As more webshells deployed in the widespread exploitation have been identified, Onapsis on May 5 updated the YARA rule it released last week so that it covers the newly observed shells and helps organizations confirm webshell activity on their systems.
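File signatures confirm that a shell is present; the HTTP access log is what shows who used it, and it separates a first-wave actor that uploaded a shell from a follow-on actor that merely found one. The following is an added example, not code from the article or from Onapsis: it parses access-log lines, flags POST requests to the Visual Composer metadata uploader endpoint and GET requests to JSP files under the portal web root, then groups hits by source address. The uploader path, the `/irj/` prefix and the allowlist entry are assumptions drawn from public reporting on this flaw rather than from the article, and the log lines are constructed in Common Log Format; a real NetWeaver ICM or Java HTTP access log uses its own layout, so the regular expression would need adapting.

```python
"""Hunt HTTP access logs for uploader requests and webshell access.

Added example for illustration. Paths are assumptions, log lines are constructed.
"""
import re
from urllib.parse import urlsplit

UPLOADER_PATH = "/developmentserver/metadatauploader"  # assumed endpoint associated with CVE-2025-31324
WEBSHELL_PREFIX = "/irj/"                              # assumed web root under which dropped JSPs are served
KNOWN_JSPS = {"/irj/portal/index.jsp"}                 # hypothetical allowlist from a clean baseline

# Common Log Format; a real NetWeaver access log needs its own pattern.
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample: a benign portal visit, an upload followed by shell use from
# one address, and a later shell use from a different address.
SAMPLE_LOG = """\
10.0.0.5 - - [24/Apr/2025:10:01:12 +0000] "GET /irj/portal HTTP/1.1" 200 5120
198.51.100.7 - - [24/Apr/2025:10:02:45 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 212
198.51.100.7 - - [24/Apr/2025:10:03:01 +0000] "GET /irj/helper.jsp?cmd=whoami HTTP/1.1" 200 34
203.0.113.9 - - [05/May/2025:08:15:30 +0000] "GET /irj/helper.jsp?cmd=id HTTP/1.1" 200 40
10.0.0.5 - - [05/May/2025:08:16:00 +0000] "GET /irj/servlet/prt/portal/prtroot/com.sap.portal.navigation.portallauncher.default HTTP/1.1" 200 7000
"""


def parse(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = CLF.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parts.query
    return rec


def classify(rec):
    """Label a request as uploader_request, webshell_access, or None."""
    path = rec["path"].lower()
    if path == UPLOADER_PATH and rec["method"] == "POST":
        return "uploader_request"
    if path.startswith(WEBSHELL_PREFIX) and path.endswith((".jsp", ".jspx")) and path not in KNOWN_JSPS:
        return "webshell_access"
    return None


def hunt(log_text):
    """Return the suspicious requests in log_text, in file order."""
    hits = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        verdict = classify(rec)
        if verdict:
            hits.append({"ip": rec["ip"], "ts": rec["ts"], "verdict": verdict,
                         "path": rec["path"], "query": rec["query"]})
    return hits


def summarize_actors(hits):
    """Heuristic split: sources seen uploading are initial-access; sources that only
    used a shell are follow-on candidates. A single actor may of course use several
    addresses, so this is a triage aid, not an attribution."""
    by_ip = {}
    for h in hits:
        by_ip.setdefault(h["ip"], set()).add(h["verdict"])
    return {ip: ("initial-access" if "uploader_request" in v else "follow-on")
            for ip, v in by_ip.items()}


if __name__ == "__main__":
    found = hunt(SAMPLE_LOG)
    for h in found:
        print(h["ts"], h["ip"], h["verdict"], h["path"], h["query"])
    print(summarize_actors(found))
```

Any address that reaches the uploader endpoint at all is worth examining, not only successful POSTs: a 404 or 405 there from an unfamiliar source is still a probe. Likewise, the JSP rule catches only shells served under the assumed prefix; if the file hunt finds shells elsewhere, extend the prefix list accordingly.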
According to data from the nonprofit cybersecurity organization The Shadowserver Foundation, more than 200 internet-accessible NetWeaver instances remain vulnerable to CVE-2025-31324.
That is roughly half the figure from April 28, when more than 400 vulnerable servers were counted, although the count had spiked to more than 3,400 before May 1 before falling back.
The US cybersecurity agency CISA added CVE-2025-31324 to its Known Exploited Vulnerabilities (KEV) catalog on April 29, urging federal agencies to patch it by May 20.
Related: Exploited Vulnerability Exposes Over 400 SAP NetWeaver Servers to Attacks
Related: SAP Patches Critical Code Injection Vulnerabilities
Related: Samsung MagicINFO Vulnerability Exploited Days After PoC Publication
Related: Critical Vulnerability in AI Builder Langflow Under Attack