Hundreds of SAP NetWeaver instances have been compromised through the exploitation of a recently disclosed zero-day vulnerability that can lead to remote code execution (RCE).
The issue, tracked as CVE-2025-31324 (CVSS score of 10/10), was flagged as exploited on April 22, two days before SAP released patches for it, warning that it allows attackers to upload malicious executables to vulnerable servers.
Enterprise application security firm Onapsis has been investigating the attacks together with Mandiant and said this week that threat actors were revisiting compromised NetWeaver servers to leverage previously deployed webshells for follow-up activities.
On Thursday, the cybersecurity firm told SecurityWeek that it is currently tracking hundreds of SAP instances worldwide that have been actively compromised from the exploit.
“Onapsis and Mandiant are seeing exploitation across industries and geographies, including confirmed compromises at energy and utilities, manufacturing, media and entertainment, oil and gas, pharmaceuticals, retail and government organizations,” Onapsis said.
Analysis of a real-world exploit, the cybersecurity firm says, has revealed that threat actors had been targeting the bug to obtain RCE since January 20, 2025, when they first started probing vulnerable systems.
Publicly discussed webshells, Onapsis warns in an updated technical blog post, were likely uploaded to vulnerable servers after other RCE commands were executed during the reconnaissance phase of the initial attacks. The bug is not limited to arbitrary file uploads, as initially believed.
“The observed exploit demonstrates highly-advanced knowledge of SAP from the threat actor group responsible,” Onapsis notes.
The cybersecurity firm urges defenders to update their playbooks, warning that “living-off-the-land compromise and persistence is possible without webshells”. Threat actors have been sending POST, HEAD, or GET requests to the vulnerable component to execute arbitrary commands remotely.
Mandiant and Onapsis have updated their open source scanner to reflect the latest findings and help organizations better hunt for indicators of compromise (IoCs).
“Patching for CVE-2025-31324, mitigation if you are unable to patch, and – if exposed – compromise assessment should all be critical priorities,” Onapsis says.
While a second wave of attacks against previously compromised servers was mostly opportunistic in nature, Forescout on Thursday linked a more recent attack campaign targeting CVE-2025-31324 – one that started on April 29 – to a Chinese threat actor tracked as Chaya_004.
Related: Possible Zero-Day Patched in SonicWall SMA Appliances
Related: Improperly Patched Samsung MagicINFO Vulnerability Exploited by Botnet
Related: Second OttoKit Vulnerability Exploited to Hack WordPress Sites
Related: Android Update Patches FreeType Vulnerability Exploited as Zero-Day