Hey, remember when you were going to retire that legacy SAP Visual Composer? Yeah. About that.

Time is up.

YOU BETTER GET AFTER IT.

TECHNICAL DEEP DIVE IN HERE

We get that not everyone wants the super detailed nitty-gritty. But we did the research, and it would be a shame to just let it rot in a file on our computers when it could just as easily rot here where you can enjoy it. You know, if you’re into that kind of thing.


Critical SAP NetWeaver Vulnerability (CVE-2025-31324): Immediate Action Required

Introduction: A Clear and Present Danger

A critical vulnerability, identified as CVE-2025-31324, requires immediate attention from organizations running SAP NetWeaver. This flaw, affecting the Visual Composer component, carries the maximum possible severity score (CVSS 10.0 CRITICAL) and allows unauthenticated attackers to achieve Remote Code Execution (RCE), potentially leading to complete system compromise. [1] Security researchers have confirmed this vulnerability is actively being exploited in the wild, including as a zero-day before patches were available. [1] This isn’t a theoretical risk; it’s a tangible threat demanding urgent remediation. Leaving this vulnerability unaddressed is akin to leaving your organization’s digital front door wide open.

Scope & Prevalence: Foundational Tech, Forgotten Component?

SAP NetWeaver serves as the foundational technology platform for a vast array of SAP applications, used extensively across global enterprises and government agencies. [1] Estimates suggest tens of thousands of companies utilize SAP NetWeaver, including a significant majority of the world’s largest and most influential organizations. [6] While SAP NetWeaver itself is widespread, CVE-2025-31324 specifically impacts the Visual Composer Framework 7.50, particularly its Metadata Uploader component within the /developmentserver/ path. [1]

Visual Composer is a web-based modeling tool designed for rapid application development without extensive coding. [1] While not installed by default in every SAP Java system (e.g., plain Java stacks or default Solution Manager installations might not include it), it has been described as “widely enabled” across existing SAP NetWeaver Application Server Java systems. [4] Research suggests it might be present and enabled in 50% to 70% of internet-facing SAP Java applications. [3]

Critically, Visual Composer has been deprecated since 2015 and is no longer supported. [13] This creates a significant risk: organizations may have the vulnerable component installed and running without active use or awareness, making it a “forgotten” but exploitable attack surface. Even if deployed separately after the initial SAP installation, its presence constitutes a major risk. [12] The vulnerability affects NetWeaver Java stack versions 7.xx (all Support Packages – SPS) where Visual Composer (VCFRAMEWORK 7.50) is present. [4] Older versions, like 7.0 below SP16, were already known to be highly vulnerable (CVE-2021-38163, CVSS 9.9). [12]

Risk Profile: Unauthenticated Access to the Kingdom

The risk profile for CVE-2025-31324 is severe, reflected in its CVSS 10.0 rating. [1] The core danger lies in its unauthenticated nature; attackers require no prior access, username, or password to exploit the vulnerability. [1] Exploitation occurs remotely via standard web protocols (HTTP/HTTPS), potentially across the internet if the SAP system is exposed. [4]

Successful exploitation allows an attacker to upload arbitrary files, typically malicious JSP webshells, to the server. [1] These webshells act as backdoors, enabling the attacker to execute commands on the underlying operating system with the privileges of the SAP service user (<sid>adm). [4] This level of access effectively grants full control over the compromised SAP system, including:

  • Access to sensitive business data (financial records, PII, intellectual property). [4]
  • Modification or deletion of critical data and system files. [4]
  • Execution of arbitrary commands and installation of further malware (e.g., ransomware). [4]
  • Disruption of critical business processes hosted on the SAP system. [4]
  • Using the compromised system as a pivot point for lateral movement within the network. [4]

The impact is a complete loss of Confidentiality, Integrity, and Availability (CIA) for the affected SAP system and the data it processes. [1] Given SAP’s central role in many organizations, this translates directly to significant business risk, potential regulatory non-compliance (e.g., SOX, GDPR), financial loss, and reputational damage. [4]

Exploitability & Attack Chain: From Upload to Full Control

Exploiting CVE-2025-31324 is considered straightforward. [15] Attackers target the /developmentserver/metadatauploader endpoint via HTTP/HTTPS, sending specially crafted POST requests. [4] Due to the missing authorization check (CWE-434: Unrestricted Upload of File with Dangerous Type, also related to CWE-862/CWE-306) [2], the system improperly allows the upload of files, such as JSP webshells (e.g., helper.jsp, cache.jsp). [1] These files are often placed in publicly accessible web directories like …/servlet_jsp/irj/root/ or …/servlet_jsp/irj/work/. [4]

Once uploaded, the attacker can trigger the webshell remotely, typically via a simple HTTP GET request to the uploaded file’s URL. [9] This provides an interactive command shell or interface running with the high privileges of the SAP system user (<sid>adm). [4]

Post-Exploitation Sophistication:

Evidence suggests attackers aren’t stopping at simple webshell access. Observed post-exploitation activities demonstrate advanced techniques aimed at persistence, stealth, and deeper network compromise [13]:

  • Advanced C2 Frameworks: Deployment of the Brute Ratel C4 framework, a commercial-grade red team tool, indicates sophisticated actors. [13]
  • Code Compilation & Injection: Using the legitimate MSBuild.exe utility to compile C# code dropped via the webshell. This compiled code was then used to fetch Brute Ratel and inject it into legitimate Windows processes like dllhost.exe to evade detection. [13]
  • Evasion Techniques: Use of the Heaven’s Gate technique to bypass endpoint security controls by manipulating execution context between 32-bit and 64-bit modes. [13] The NtSetContextThread API call was specifically associated with this activity. [13]
  • Initial Access Broker (IAB) Activity: The observed delay between initial webshell deployment and subsequent advanced actions (sometimes days) suggests that IABs may be exploiting the vulnerability to gain initial access and then selling that access to other threat groups. [20]

These advanced tactics highlight that a compromise via CVE-2025-31324 is likely just the first step in a more significant intrusion aimed at espionage, large-scale data theft, or deploying high-impact malware like ransomware. The use of techniques like process injection and Heaven’s Gate specifically targets common EDR and antivirus defenses. While the initial exploit bypasses authentication (making MFA irrelevant), attackers gaining <sid>adm privileges could potentially disable or manipulate logging mechanisms. [4] No public Proof-of-Concept (PoC) code was available at the time of initial reporting, but the active exploitation confirms its viability. [5]

Mitigation & Detection: Patch, Disable, Restrict, Monitor

Addressing CVE-2025-31324 requires immediate action, prioritizing patching but providing clear fallback options.

Patching:

The definitive solution is to apply the emergency, out-of-band patch released by SAP. [1]

  • SAP Security Note: The patch details are in SAP Security Note #3594142 (requires SAP customer login). [4] An FAQ note (#3596125) is also available. [4]
  • Urgency: This patch was released after the standard April 8th, 2025 Patch Day. Applying the regular April patches does not fix this vulnerability. [1] The specific emergency patch for #3594142 is required.
  • Additional Fixes: This emergency update also patches two other critical code injection flaws: CVE-2025-27429 (S/4HANA) and CVE-2025-31330 (Landscape Transformation), both rated CVSS 9.9. [9]

Workarounds and Compensating Controls (If Patching is Delayed):

Given that patching complex SAP environments can take time, implement these workarounds immediately:

  1. Pre-Mitigation Scan: Before applying workarounds, thoroughly scan SAP systems for existing webshells or indicators of compromise (see Detection below). Remove any malicious files found, as workarounds won’t eject an attacker already present. [9]
  2. Disable Visual Composer (If Unused): Since Visual Composer is deprecated [13] and likely unused in many environments, the most effective workaround is to disable it entirely. This involves disabling the “developmentserver” application alias. [13] Guidance can be found in SAP Note 3593336. [12] Consider uninstalling the component (Note 3416257 may offer guidance) but still apply the disablement workaround afterward as a precaution. [12]
  3. Restrict Network Access: If Visual Composer cannot be immediately disabled, severely restrict network access to the vulnerable endpoint /developmentserver/metadatauploader using firewalls, Web Application Firewalls (WAFs), load balancers, or SAP Web Dispatcher. [9] Test accessibility externally: if https://[your-sap-server]/developmentserver/metadatauploader is reachable without login, the system remains exposed. [10]

Table 1: Mitigation Strategy

| Priority | Action | Details | SAP Note(s) | Pros | Cons |
| --- | --- | --- | --- | --- | --- |
| 1 | Patch | Apply the specific emergency patch for CVE-2025-31324. | 3594142 (fix); 3596125 (FAQ) | Permanent fix, addresses root cause. | Requires testing, potential downtime, may be slow in complex env. |
| 2 | Disable Visual Composer | If confirmed unused (likely deprecated), disable the “developmentserver” application alias and/or uninstall the component. | 3593336 (disable guide); 3416257 (uninstall?) | Eliminates the attack surface completely. | Requires confirmation VC is unused; potential impact if mistaken. |
| 3 | Restrict Network Access | Block/filter access to /developmentserver/metadatauploader at network perimeter (Firewall, WAF, Load Balancer, Web Dispatcher). | N/A | Blocks external exploit path quickly. | Doesn’t fix vuln; internal threats remain; potential bypasses. |
| N/A | Pre-Mitigation Scan & Clean | Essential first step before applying Workarounds 2 or 3. Scan for and remove existing webshells/IOCs. | N/A | Removes existing backdoors before locking down. | Requires thoroughness; may miss novel implants. |

Detection Strategies:

Implement multi-layered monitoring to detect exploitation attempts and post-compromise activity:

  • Network Monitoring (IDS/IPS/WAF/Firewall):
      • Alert on HTTP POST requests to /developmentserver/metadatauploader. [4] Pay close attention to requests from external/untrusted IPs or those resulting in HTTP 200 success codes without authentication. [15]
      • Monitor for HTTP GET requests targeting .jsp files within the known upload paths (/irj/root/, /irj/work/, etc.). [9]
      • Look for suspicious outbound connections potentially indicating C2 traffic from tools like Brute Ratel. [5] Generic webshell communication rules may also trigger.
  • Host/Server Monitoring (EDR, File Integrity Monitoring, Manual Scans):
      • Scan file systems for unauthorized files with .jsp, .java, or .class extensions in SAP directories: …/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root/, …/work/, …/work/sync/. [4]
      • Utilize known IOC hashes for webshells (helper.jsp, cache.jsp) provided by ReliaQuest/Onapsis. [4]
      • Deploy YARA rules for generic webshell detection [25] and consider creating custom rules for specific IOCs.
      • Monitor for suspicious MSBuild.exe process execution, especially if compiling code from unusual locations. [13]
      • Detect signs of process injection, particularly targeting dllhost.exe. [13]
      • Monitor for API calls associated with Heaven’s Gate, like NtSetContextThread. [13]
  • SIEM/Log Analysis:
      • Ensure SAP NetWeaver application, web server, and security logs are forwarded to a central SIEM. [9]
      • Create alerts for successful unauthenticated access logs related to /developmentserver/metadatauploader. [15]
      • Search for errors or activity related to the execution of suspicious files in web directories.
  • Vulnerability Scanning:
      • Regularly scan SAP systems using vulnerability management tools with updated checks for CVE-2025-31324. Tenable provides plugins and assigns a Vulnerability Priority Rating (VPR) of 8.1. [5]
      • Utilize Attack Surface Management tools to identify internet-facing SAP NetWeaver instances. [5]
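To make the network and SIEM indicators above concrete, here is an added example (not from the original post or any of its cited sources) that scores constructed access-log lines against the two web-tier rules: POST requests to the Metadata Uploader endpoint, with an unauthenticated HTTP 200 as the direct exploit indicator, and GET requests for .jsp files under the /irj/ drop directories. The log lines, the trusted address ranges and the severity scheme are assumptions made for the example.

```python
"""Score web access-log lines for CVE-2025-31324 exploitation indicators.

Added example (not from the original post or its cited sources). Two rules
from the post's detection list are applied to constructed Combined Log
Format lines: (1) POST requests to the Metadata Uploader endpoint, with an
unauthenticated HTTP 200 as the direct exploit indicator, and (2) GET
requests for .jsp files under the /irj/ drop directories, i.e. a webshell
being invoked. Trusted address ranges are an assumption for the example.
"""
import ipaddress
import re
from dataclasses import dataclass
from pathlib import PurePosixPath
from typing import List
from urllib.parse import urlsplit

# Constructed sample lines (Combined Log Format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Apr/2025:10:15:32 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [24/Apr/2025:10:15:40 +0000] "GET /irj/root/helper.jsp HTTP/1.1" 200 87 "-" "python-requests/2.31"
10.20.30.40 - jsmith [24/Apr/2025:10:16:01 +0000] "GET /irj/portal HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.9 - - [24/Apr/2025:10:17:12 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 403 0 "-" "curl/8.0"
10.20.30.41 - - [24/Apr/2025:10:18:05 +0000] "GET /irj/work/sync/cache.jsp HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

# Assumption: these ranges are the organisation's own networks.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

UPLOADER_PATH = "/developmentserver/metadatauploader"
DROP_DIRS = ("/irj/root/", "/irj/work/")  # /irj/work/sync/ is covered by the prefix

CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


@dataclass
class Finding:
    rule: str       # "uploader_post" or "jsp_in_drop_dir"
    severity: str   # "high" or "medium"
    ip: str
    external: bool  # source address outside TRUSTED_NETS
    path: str
    status: int
    line_no: int


def is_trusted(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)


def analyze(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = CLF_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline should count these too
        ip, user, method = m["ip"], m["user"], m["method"]
        status = int(m["status"])
        path = urlsplit(m["target"]).path.lower()
        unauth = user == "-"
        external = not is_trusted(ip)

        # Rule 1: any POST to the Metadata Uploader deserves an alert; an
        # unauthenticated 200 means the upload was accepted.
        if method == "POST" and path.startswith(UPLOADER_PATH):
            sev = "high" if status == 200 and unauth else "medium"
            findings.append(Finding("uploader_post", sev, ip, external, path, status, line_no))

        # Rule 2: a GET for a .jsp under the drop directories looks like a
        # webshell being invoked (200) or probed for (404).
        if (method == "GET" and path.startswith(DROP_DIRS)
                and PurePosixPath(path).suffix == ".jsp"):
            sev = "high" if status == 200 else "medium"
            findings.append(Finding("jsp_in_drop_dir", sev, ip, external, path, status, line_no))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"line {f.line_no}: [{f.severity}] {f.rule} from {f.ip} "
              f"({'external' if f.external else 'internal'}) {f.path} -> {f.status}")
```

Feed real proxy, Web Dispatcher or ICM access logs in the same format through `analyze` and route "high" findings straight to the SIEM alert queue; the "medium" ones are the blocked or probing attempts worth a daily review.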

Table 2: Detection Indicators

| Indicator Type | Source/Tool | Specific Indicator | Notes |
| --- | --- | --- | --- |
| Network Traffic | IDS/IPS/WAF/Firewall Logs | HTTP POST to /developmentserver/metadatauploader | Especially unauthenticated or from untrusted IPs. [4] |
| Network Traffic | IDS/IPS/WAF/Firewall Logs | HTTP GET to .jsp files in /irj/root/, /irj/work/, /irj/work/sync/ paths | Indicates webshell execution attempt. [9] |
| Network Traffic | IDS/IPS/WAF/Firewall Logs | Outbound connections to known C2 IPs/domains (e.g., associated with Brute Ratel) | Requires threat intelligence feeds. [5] |
| Host – File System | File Scanner/FIM/YARA/Manual | Presence of .jsp, .java, .class files in /irj/root/, /irj/work/, /irj/work/sync/ | Check timestamps, permissions, content. [4] |
| Host – File System | File Scanner/FIM/YARA/Manual | Files matching known IOC hashes (e.g., 1f72bd…, 794cb0…) | Specific webshells observed. [4] |
| Host – Process | EDR/Sysmon/Process Monitor | MSBuild.exe compiling C# from unusual paths | Indicates potential payload compilation. [13] |
| Host – Process | EDR/Sysmon/Process Monitor | Process injection activity (e.g., into dllhost.exe) | Common evasion technique. [13] |
| Host – Process | EDR/Sysmon/Process Monitor | Use of specific API calls like NtSetContextThread | Associated with Heaven’s Gate evasion. [13] |
| Logs | SIEM / Centralized Logs | Successful HTTP 200 logs for unauthenticated access to /developmentserver/metadatauploader | Direct indicator of exploit attempt. [15] |
| Logs | SIEM / Centralized Logs | Application errors related to execution of files in web directories | May indicate webshell activity. |
| Vulnerability Scan | Tenable/Qualys/Rapid7/etc. | Detection of CVE-2025-31324 | Confirm vulnerability presence. Tenable VPR 8.1. [5] |
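For the pre-mitigation scan (workaround step 1) and the file-system indicators in the detection list and Table 2, the following added example (not the post’s, SAP’s or any vendor’s tooling) lists the named drop directories, hashes every .jsp/.java/.class file, matches digests against an IOC list and separates files newer than a deployment baseline from older ones. The directory tree, the IOC digest and the baseline timestamp are constructed placeholders; real use would point it at the servlet_jsp/irj/ directory and load the vendor-published hashes.

```python
"""Triage scan of SAP web drop directories for planted .jsp/.java/.class files.

Added example; not the original post's, SAP's or any vendor's tooling. It
lists the directories named in the post (root/, work/, work/sync/ under
.../servlet_jsp/irj/), hashes every file with a risky extension, matches
the SHA-256 digest against an IOC list and separates files newer than a
deployment baseline from older ones. The demo tree, the IOC digest and the
baseline timestamp are constructed placeholders.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, List

RISKY_SUFFIXES = {".jsp", ".java", ".class"}
# Relative to the portal's servlet_jsp/irj/ directory; scanned non-recursively
# because the post names these three directories explicitly.
SCAN_SUBDIRS = ("root", "work", "work/sync")

# Constructed, inert file content standing in for a known webshell; its digest
# plays the role of a vendor-published IOC hash (placeholder, not a real IOC).
CONSTRUCTED_IOC_CONTENT = b"<%-- constructed marker for the example; not a webshell --%>\n"
IOC_SHA256: Dict[str, str] = {
    hashlib.sha256(CONSTRUCTED_IOC_CONTENT).hexdigest(): "constructed sample IOC",
}

BASELINE_MTIME = 1_700_000_000  # placeholder: time of the last known-good deployment


@dataclass
class Finding:
    path: str      # relative to the irj/ directory
    reason: str    # "ioc_match" | "new_risky_file" | "risky_file"
    sha256: str
    mtime: float


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan(irj_dir: Path, baseline_mtime: float,
         iocs: Dict[str, str] = IOC_SHA256) -> List[Finding]:
    """Return one Finding per risky-extension file in the drop directories.

    Reason precedence: an IOC hit outranks everything; a file modified after
    the baseline (e.g. the last known-good deployment) is the next priority;
    older risky files are still listed so an analyst can confirm they belong.
    """
    findings: List[Finding] = []
    for sub in SCAN_SUBDIRS:
        base = irj_dir / sub
        if not base.is_dir():
            continue
        for p in sorted(base.iterdir()):
            if not p.is_file() or p.suffix.lower() not in RISKY_SUFFIXES:
                continue
            digest = sha256_file(p)
            mtime = p.stat().st_mtime
            if digest in iocs:
                reason = "ioc_match"
            elif mtime > baseline_mtime:
                reason = "new_risky_file"
            else:
                reason = "risky_file"
            findings.append(Finding(p.relative_to(irj_dir).as_posix(), reason, digest, mtime))
    return findings


def build_demo_tree(base: Path) -> Path:
    """Constructed layout mimicking .../servlet_jsp/irj/ for the demo run."""
    irj = base / "irj"
    for sub in SCAN_SUBDIRS:
        (irj / sub).mkdir(parents=True, exist_ok=True)
    (irj / "root" / "index.html").write_bytes(b"<html>portal</html>")   # not a risky type
    (irj / "root" / "helper.jsp").write_bytes(CONSTRUCTED_IOC_CONTENT)  # matches the IOC list
    (irj / "work" / "sync" / "cache.jsp").write_bytes(b"<%-- unknown, recently written --%>")
    legacy = irj / "work" / "legacy.jsp"
    legacy.write_bytes(b"<%-- shipped with the application --%>")
    os.utime(legacy, (1_600_000_000, 1_600_000_000))  # predates BASELINE_MTIME
    return irj


def run_demo() -> List[Finding]:
    with tempfile.TemporaryDirectory() as tmp:
        return scan(build_demo_tree(Path(tmp)), BASELINE_MTIME)


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f.reason:15} {f.path}  sha256={f.sha256[:16]}...")
```

Run it before applying workarounds 2 or 3, and treat any "ioc_match" or "new_risky_file" result as a reason to start incident response rather than just deleting the file, since the post notes that an attacker already present is not evicted by the workarounds.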

Sector Spotlight: Where the Risk Hits Hardest

While any organization using the vulnerable SAP component is at risk, certain sectors face heightened exposure due to their reliance on SAP for critical functions and the sensitivity of the data processed. These include:

  • Government: Extensively uses SAP for various functions. Compromise poses risks to national security, public services, and sensitive citizen data. [1]
  • Finance: Relies on SAP for core banking, financial reporting (ERP), and consolidation. [15] Exploitation could lead to financial fraud, theft of market-sensitive data, and severe regulatory penalties (e.g., SOX). [4]
  • Healthcare: Uses SAP for patient records (potentially containing PII/PHI), billing, and hospital management. [15] Breaches risk patient privacy, large fines (e.g., HIPAA), and disruption of care.
  • Manufacturing: SAP underpins supply chain management (SCM), production planning, and ERP systems. [7] Attacks could result in intellectual property theft, production stoppages, and supply chain disruption.
  • Energy & Critical Infrastructure: SAP systems may control or monitor operational technology (OT) or manage essential resources. [5] Compromise carries risks of service disruption, sabotage, and potential safety incidents.
  • Retail: Uses SAP for inventory, sales, and customer data management. [8] Risks include theft of payment data, customer PII, and operational disruption.
  • IT Services / SaaS / MSPs: May use SAP internally or manage SAP environments for clients. [6] They represent attractive targets for supply chain attacks, where compromising the provider grants access to multiple downstream customers.

The common thread is the integration of SAP into the core fabric of these organizations. A breach isn’t just an IT problem; it’s a fundamental business crisis. [18] Exploiting CVE-2025-31324 could allow attackers to manipulate financial records, steal proprietary designs, halt manufacturing lines, or access vast amounts of sensitive personal data. Furthermore, the complexity and often on-premise nature of many large SAP deployments can slow down patching, leaving organizations exposed for longer periods. [1] The observation of attackers potentially using compromised SAP hosts to launch attacks against other entities underscores the potential for cascading impacts beyond the initially breached organization. [29]

Higher Ed Risk Sidebar: A Unique Set of Challenges

Colleges and universities using SAP NetWeaver face a specific confluence of risk factors related to CVE-2025-31324:

  • Legacy & Complex Infrastructure: Higher education institutions often operate a mix of old and new systems. Older, potentially unpatched SAP NetWeaver instances running the vulnerable Visual Composer might exist alongside modern infrastructure. [1]
  • Decentralized IT: IT governance can be fragmented across departments, leading to inconsistent patching schedules, security monitoring gaps, and lack of central visibility into all SAP instances [Implied by Higher Ed structure].
  • Resource Constraints: Particularly smaller institutions may lack the dedicated cybersecurity staff and budget of large corporations, potentially delaying the identification and remediation of critical vulnerabilities like this one. [30]
  • Internet Exposure: University portals, often built on or integrated with SAP NetWeaver (e.g., SAP Enterprise Portal), are typically internet-facing to serve students, faculty, and staff, directly exposing them to remote exploitation attempts. [14]
  • Federated Identity Integration: SAP systems might be integrated with campus-wide single sign-on (SSO) or federated identity systems. Compromising a key SAP component could potentially allow attackers to impersonate users, access other connected systems, or disrupt authentication services across the institution.

While specific attacks targeting universities via CVE-2025-31324 weren’t detailed in the source material, the inherent risks associated with SAP vulnerabilities are well-recognized in the sector. Organizations like the Research and Education Networking Information Sharing and Analysis Center (REN-ISAC) and EDUCAUSE provide crucial resources, threat intelligence sharing, and assessment tools (like the HECVAT) specifically tailored to help higher education institutions manage cybersecurity risks, including those affecting critical enterprise systems like SAP. [30] Universities using SAP NetWeaver should leverage these resources and prioritize assessment and mitigation for CVE-2025-31324.

Should Regular Users Care? Business Risk, Indirect Impact

This vulnerability, CVE-2025-31324, is fundamentally an enterprise security issue. It affects server-side software (SAP NetWeaver Visual Composer) run by organizations, not the software typically found on consumer devices like personal computers, smartphones, or home routers. [1] Therefore, individual consumers do not need to take any direct action, such as patching their own devices, to protect themselves from this specific flaw.

However, the distinction between direct and indirect impact is crucial. While consumers don’t run the vulnerable software, they interact daily with businesses and government agencies that do. [7] If an organization handling consumer data (e.g., a bank, retailer, healthcare provider, government agency) is compromised via CVE-2025-31324, the attackers could potentially steal sensitive personal information (PII), financial details, or health records. [4] In this scenario, consumers suffer the consequences of an enterprise security failure. This vulnerability serves as a potent reminder that the security practices of the organizations we trust with our data have real-world consequences for everyone.

Urgency & Real-World Activity: Exploit Now, Patch Yesterday

The situation surrounding CVE-2025-31324 demands the highest level of urgency.

  • Severity: CVSS 10.0 CRITICAL. [1] Unauthenticated RCE leading to full system compromise.
  • Active Exploitation: Confirmed actively exploited in the wild by multiple reputable security firms. [1]
  • Zero-Day Attacks: Exploitation was occurring before the emergency patch was released, targeting systems that had applied standard monthly patches but were still vulnerable to this specific flaw. [1] This proves attackers were leveraging the vulnerability before it was publicly detailed or fixed.
  • Sophisticated Actors: Post-exploitation techniques observed suggest involvement of skilled threat actors, possibly including Initial Access Brokers facilitating attacks by other groups. [13]
  • Patch Status: An emergency patch (SAP Note #3594142) is available but was released out-of-band. [1] Patch adoption across complex SAP landscapes may be slow, leaving a significant window of exposure. [1] The Visual Composer component’s deprecated status increases the likelihood it exists unpatched on some systems. [13] SAP initially disputed reports of successful exploitation impacting customer data or systems [9], but multiple independent security firms maintain they observed active exploitation. [1]

The combination of maximum severity, unauthenticated remote access, confirmed zero-day exploitation, and the potential for complete compromise of mission-critical systems makes this a “drop everything and fix it” scenario. Organizations with potentially vulnerable SAP NetWeaver systems, especially those exposed to the internet, must assume they are targets and act immediately.

Key Takeaways & Recommendations

This vulnerability represents an immediate and critical threat to organizations running affected SAP NetWeaver systems.

  • Severity Level: CRITICAL (CVSS 10.0). Unauthenticated Remote Code Execution.
  • Core Threat: Attackers can upload webshells via SAP NetWeaver Visual Composer (Metadata Uploader component at /developmentserver/metadatauploader) without needing credentials. This leads to full system compromise with SAP administrator (<sid>adm) privileges.
  • Real-World Activity: Actively exploited in the wild, confirmed by multiple security firms. Exploitation occurred as a zero-day on systems previously thought to be patched. Sophisticated post-exploitation tools (Brute Ratel, Heaven’s Gate) and potential Initial Access Broker activity observed.
  • Sectors Most At Risk: Government, Finance, Healthcare, Manufacturing, Energy/Critical Infrastructure, Retail, IT Services/MSPs – essentially any organization where SAP is critical. Higher Education faces unique risks due to infrastructure and governance factors.
  • Most Effective Immediate Actions:
      1. Patch: Apply SAP Security Note #3594142 immediately. Verify that it has actually been applied, as this is an emergency, out-of-band patch separate from regular updates.
      2. If Patching Is Delayed:
          • Scan & Clean: First, scan SAP web directories (/irj/root, /irj/work, etc.) for suspicious files (.jsp, .java, .class) and remove any found.
          • Disable Visual Composer: If confirmed unused (highly likely as it’s deprecated), disable the component entirely (guidance in Note 3593336). This is the most effective workaround.
          • Restrict Access: As a fallback, block all network access to the /developmentserver/metadatauploader endpoint at the network edge.
  • Key Detection Tips:
      • Monitor network traffic for POST requests to /developmentserver/metadatauploader.
      • Scan SAP file systems for unauthorized .jsp files in /irj/ paths (use IOCs/YARA).
      • Forward SAP logs to the SIEM; alert on suspicious access to the vulnerable endpoint.
      • Use EDR to detect post-exploitation TTPs (MSBuild abuse, process injection such as into dllhost.exe, Heaven’s Gate API calls).
      • Run vulnerability scans with updated SAP checks (e.g., Tenable VPR 8.1).
  • Urgency: IMMEDIATE ACTION REQUIRED. This is a critical incident. Prioritize patching or mitigation on all potentially affected SAP NetWeaver Java systems, starting with internet-facing ones. Due to zero-day exploitation, assume compromise if vulnerable systems were exposed before remediation and initiate incident response procedures if necessary.

Works cited

  1. SAP Fixes Critical Vulnerability After Evidence of Exploitation – Infosecurity Magazine, accessed April 25, 2025, https://www.infosecurity-magazine.com/news/sap-fixes-critical-vulnerability/
  2. CVE-2025-31324 Detail – NVD, accessed April 25, 2025, https://nvd.nist.gov/vuln/detail/CVE-2025-31324
  3. Critical vulnerability in SAP NetWeaver under threat of active exploitation, accessed April 25, 2025, https://www.cybersecuritydive.com/news/critical-vulnerability-sap-netweaver-exploitation/746383/
  4. Active Exploitation of SAP Zero-Day Vulnerability (CVE-2025-31324, SAP Security Note 3594142) – Onapsis, accessed April 25, 2025, https://onapsis.com/blog/active-exploitation-of-sap-vulnerability-cve-2025-31324/
  5. CVE-2025-31324: Zero-Day Vulnerability in SAP NetWeaver Exploited in the Wild – Tenable, accessed April 25, 2025, https://www.tenable.com/blog/cve-2025-31324-zero-day-vulnerability-in-sap-netweaver-exploited-in-the-wild
  6. Companies using SAP NetWeaver and its marketshare – Enlyft, accessed April 25, 2025, https://enlyft.com/tech/products/sap-netweaver
  7. The World’s Largest Provider of Enterprise Application Software – SAP, accessed April 25, 2025, https://www.sap.com/documents/2017/04/4666ecdd-b67c-0010-82c7-eda71af511fa.html
  8. SAP NetWeaver Customers List – InfoClutch, accessed April 25, 2025, https://www.infoclutch.com/installed-base/middleware-software/sap-netweaver/
  9. SAP fixes suspected Netweaver zero-day exploited in attacks, accessed April 25, 2025, https://www.bleepingcomputer.com/news/security/sap-fixes-suspected-netweaver-zero-day-exploited-in-attacks/
  10. Warning: Critical, actively exploited, improper authorization vulnerability in SAP NetWeaver, Patch Immediately! | CCB Safeonweb – Centre for Cybersecurity Belgium, accessed April 25, 2025, https://ccb.belgium.be/advisories/warning-critical-actively-exploited-improper-authorization-vulnerability-sap-netweaver
  11. Java UI Frameworks – SAP Help Portal, accessed April 25, 2025, https://help.sap.com/docs/SAP_NETWEAVER_750/6f3c61a7a5b94447b80e72f722b0aad7/a73142820b244be2b56c2c3a28b1da01.html
  12. Active Exploitation of SAP Vulnerability CVE-2025-31324 – SecurityBridge, accessed April 25, 2025, https://securitybridge.com/blog/cve-2025-31324/
  13. ReliaQuest Uncovers New Critical Vulnerability in SAP NetWeaver, accessed April 25, 2025, https://reliaquest.com/blog/threat-spotlight-reliaquest-uncovers-vulnerability-behind-sap-netweaver-compromise/
  14. SAP Patches Critical Zero-Day Vulnerability in NetWeaver Visual Composer | MSSP Alert, accessed April 25, 2025, https://www.msspalert.com/news/sap-patches-critical-zero-day-vulnerability-in-netweaver-visual-composer
  15. Critical SAP NetWeaver Vulnerability (CVE-2025-31324) Fixed: Actively Exploited in the Wild – RedRays, accessed April 25, 2025, https://redrays.io/blog/critical-sap-netweaver-vulnerability-cve-2025-31324-fixed-actively-exploited-in-the-wild/
  16. SAP zero-day vulnerability under widespread active exploitation – CyberScoop, accessed April 25, 2025, https://cyberscoop.com/sap-netweaver-zero-day-exploit-cve-2025-31324/
  17. Potential SAP zero-day fixed, details locked behind paywall – The Register, accessed April 25, 2025, https://www.theregister.com/2025/04/25/sap_netweaver_patch/
  18. SAP Business Risk Illustration: Cyber Risk Assessment – Onapsis, accessed April 25, 2025, https://onapsis.com/resources/solution-briefs/recon-cyber-risk-assessment/
  19. Critical Zero-Day Vulnerability Impacts SAP – ERP Today, accessed April 25, 2025, https://erp.today/critical-zero-day-vulnerability-impacts-sap/
  20. New Critical SAP NetWeaver Flaw Exploited to Drop Web Shell, Brute Ratel Framework, accessed April 25, 2025, https://thehackernews.com/2025/04/sap-confirms-critical-netweaver-flaw.html
  21. SAP Zero-Day Possibly Exploited by Initial Access Broker – SecurityWeek, accessed April 25, 2025, https://www.securityweek.com/sap-zero-day-possibly-exploited-by-initial-access-broker/
  22. Critical Zero-Day Vulnerability Impacts SAP, accessed April 25, 2025, https://masteringsap.com/blogs/critical-zero-day-vulnerability-impacts-sap/
  23. CVE-2025-31324 – MITRE Corporation, accessed April 25, 2025, https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-31324
  24. SAP Security Patch Day – April 2025 – RedRays, accessed April 25, 2025, https://redrays.io/blog/sap-security-patch-day-april-2025/
  25. Mitigating-Web-Shells/extended.webshell_detection.yara at master – GitHub, accessed April 25, 2025, https://github.com/nsacyber/Mitigating-Web-Shells/blob/master/extended.webshell_detection.yara
  26. yara-rules/malware/Webshell-shell.yar at master – GitHub, accessed April 25, 2025, https://github.com/DarkenCode/yara-rules/blob/master/malware/Webshell-shell.yar
  27. CVE-2025-31324 | Tenable®, accessed April 25, 2025, https://www.tenable.com/cve/CVE-2025-31324
  28. Weekly IT Vulnerability Report: Critical Updates for SAP, Microsoft, Fortinet, and Others, accessed April 25, 2025, https://cyble.com/blog/weekly-it-vulnerability-report-critical-updates/
  29. Revisiting CH4TTER: Takeaways One Year After this SAP Threat Landscape Report, accessed April 25, 2025, https://onapsis.com/blog/revisiting-ch4tter-takeaways-one-year-after-this-sap-threat-landscape-report/
  30. Research & Education Networks Information Sharing & Analysis Center – Cybersecurity Higher Education News for Alliance Members and the Public – IU Blogs, accessed April 25, 2025, https://blogs.iu.edu/renisac/
  31. Active Exploitation of SAP Vulnerability CVE-2017-12637 – Onapsis, accessed April 25, 2025, https://onapsis.com/blog/active-exploitation-cve-2017-12637-sap/
  32. Critical Vulnerability in SAP NetWeaver AS Java – CISA, accessed April 25, 2025, https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-195a
  33. Report a Vulnerability: About Us – REN-ISAC, accessed April 25, 2025, https://www.ren-isac.net/about/Report_Vulnerability.html
  34. Higher Education Community Vendor Assessment Toolkit | EDUCAUSE, accessed April 25, 2025, https://www.educause.edu/higher-education-community-vendor-assessment-toolkit
  35. REN news events home – REN-ISAC, accessed April 25, 2025, https://www.ren-isac.net/REN_news_events_home.html
  36. HECVAT CBI – REN-ISAC, accessed April 25, 2025, https://www.ren-isac.net/hecvat/cbi.html
  37. REN-ISAC: Research Education Networking Information Sharing & Analysis Center, accessed April 25, 2025, https://www.ren-isac.net/
  38. Vendor Assessment Toolkit: Public Resources – REN-ISAC, accessed April 25, 2025, https://www.ren-isac.net/public-resources/hecvat.html
  39. 2020-2021 Catalog, accessed April 25, 2025, https://catalog.southtexascollege.edu/pdf/2020-2021.pdf
  40. SAP patches zero day rated 10.0 in NetWeaver | SC Media, accessed April 25, 2025, https://www.scworld.com/news/sap-patches-zero-day-rated-100-in-netweaver

Told you it was deep.

Understanding CVE-2025-31324

A Critical Threat to SAP NetWeaver

The CVE-2025-31324 vulnerability represents a significant risk to SAP NetWeaver systems, particularly those utilizing the Visual Composer component. This unauthenticated remote code execution flaw is actively being exploited, posing a severe threat to the confidentiality, integrity, and availability of enterprise applications. Organizations must prioritize patching and mitigation strategies to prevent unauthorized access and potential data breaches.

Who is at Risk?

Sectors Vulnerable to CVE-2025-31324

Government Agencies

National security and citizen data are at risk, making government systems a prime target for exploitation.

Financial Institutions

Core banking operations and compliance with regulations like SOX are jeopardized by potential breaches.

Healthcare Providers

Exposure of Protected Health Information (PHI) could lead to significant fines and reputational damage.

Manufacturing Companies

Intellectual property theft and production disruptions pose serious threats to manufacturing operations.

Energy and Critical Infrastructure

Service outages and safety incidents could result from vulnerabilities in critical infrastructure systems.

Retail Businesses

Payment data theft and operational chaos are significant risks for retail operations.

Understanding the Exploit

1. Initial Access, 2. Webshell Deployment, 3. Remote Control.

The Threat Landscape

Critical Vulnerability in SAP Systems

In today’s digital world, the security of enterprise systems is paramount. A critical vulnerability has been identified in SAP NetWeaver’s Visual Composer component, posing a significant threat to organizations worldwide. This flaw allows attackers to gain unauthorized access, with severe consequences. Understanding the nature of this vulnerability and taking immediate action is crucial to safeguarding sensitive data and maintaining operational integrity.

Mitigation Steps

Patch Deployment

Ensure that all systems are updated with the latest patches provided by SAP to close the vulnerability gap effectively.

Disable Unused Components

If Visual Composer is not in use, disable it to reduce the attack surface and prevent unauthorized access.

Network Access Restrictions

Implement strict network access controls to limit exposure and block potential exploit attempts at the perimeter.
