SAP NetWeaver is facing a new wave of cyberattacks, as hackers return to exploit systems previously compromised through a dangerous zero-day flaw. Security experts are raising alarms as attackers use leftover webshells from earlier breaches to escalate their access and deploy further malware.
The vulnerability, tracked as CVE-2025-31324, carries a critical CVSS score of 10/10 and was only made public on April 24 after SAP updated its April security bulletin. But according to security firms like ReliaQuest and Mandiant, malicious activity tied to the bug has been active since mid-March 2025—well before the disclosure. What’s more alarming is that attackers were seen bypassing even the latest patches.
This zero-day affects SAP NetWeaver’s Visual Composer development server, with SAP confirming that it stems from a missing authorization check. That loophole has enabled threat actors to upload malicious JSP webshells into the system’s root directory. These webshells act as persistent backdoors, allowing adversaries to execute arbitrary code, install additional malware, and move laterally within enterprise networks.
In the first wave of attacks, initial access brokers—cybercriminals who infiltrate systems and sell that access to others—were heavily involved. Now, according to enterprise application security firm Onapsis, a second wave of opportunistic attackers is hitting the same systems. They’re taking advantage of the previously planted webshells to expand control and push new payloads.
To help organizations mitigate the threat, Onapsis and Mandiant have jointly released an open-source scanner. The tool detects indicators of compromise (IoCs), flags systems vulnerable to CVE-2025-31324, and hunts for unfamiliar executable files in common directories. It also collects suspicious files for further analysis.
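The kind of hunt described above, reduced to its core logic, as an added example (this is not the Onapsis/Mandiant scanner and makes no claim about how that tool works): walk a served content tree, flag executable files that are absent from a known-good baseline or whose hash has changed, look for command-execution tokens typical of JSP webshells, and copy every hit to a quarantine folder for analysis. The directory layout, file names, file contents, extension list and token list are all constructed here; a real deployment would substitute the application's actual web root and a baseline captured from a clean build.

```python
"""Added example: baseline-driven hunt for unexpected executable files in a
web content directory. All paths, contents, extensions and signature tokens
below are constructed for illustration, not taken from any real incident."""
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Extensions that should not appear unannounced in a served tree (assumption).
EXECUTABLE_EXTS = {".jsp", ".jspx", ".class", ".jar", ".war", ".sh", ".exe"}
# Content tokens that commonly indicate command execution in JSP (constructed list).
SUSPICIOUS_TOKENS = (b"Runtime.getRuntime().exec(", b"ProcessBuilder(", b"request.getParameter(")


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large archives do not land in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hunt(root: Path, baseline: Dict[str, str], quarantine: Optional[Path] = None) -> List[dict]:
    """Report executable files missing from `baseline` (relative path -> sha256)
    or whose hash differs, plus any file containing suspicious tokens.
    Hits are copied to `quarantine`, named by hash to avoid collisions."""
    findings = []
    # Materialise the listing first so quarantine copies are never rescanned.
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        digest = sha256_of(path)
        reasons = []
        if path.suffix.lower() in EXECUTABLE_EXTS:
            if rel not in baseline:
                reasons.append("executable not in baseline")
            elif baseline[rel] != digest:
                reasons.append("executable hash differs from baseline")
        data = path.read_bytes()
        hit_tokens = [t.decode() for t in SUSPICIOUS_TOKENS if t in data]
        if hit_tokens:
            reasons.append("suspicious tokens: " + ", ".join(hit_tokens))
        if reasons:
            findings.append({"path": rel, "sha256": digest, "reasons": reasons})
            if quarantine is not None:
                quarantine.mkdir(parents=True, exist_ok=True)
                shutil.copy2(path, quarantine / f"{digest}_{path.name}")
    return findings


def build_sample_tree(webroot: Path) -> Dict[str, str]:
    """Create a constructed sample web root and return the baseline of its
    legitimate files (what a clean deployment inventory would contain)."""
    webroot.mkdir(parents=True)
    (webroot / "index.jsp").write_text("<html>constructed legitimate page</html>")
    (webroot / "logo.png").write_bytes(b"\x89PNG constructed")
    baseline = {"index.jsp": sha256_of(webroot / "index.jsp")}
    # Constructed unexpected file: absent from the baseline and carrying an exec token.
    (webroot / "helper.jsp").write_text("<% /* constructed sample */ Runtime.getRuntime().exec(x); %>")
    return baseline


def demo() -> dict:
    """Run the hunt over the constructed tree; returns findings and quarantined names."""
    with tempfile.TemporaryDirectory() as tmp:
        webroot = Path(tmp) / "app"
        quarantine = Path(tmp) / "quarantine"
        baseline = build_sample_tree(webroot)
        findings = hunt(webroot, baseline, quarantine=quarantine)
        quarantined = sorted(p.name for p in quarantine.iterdir()) if quarantine.exists() else []
        return {"findings": findings, "quarantined": quarantined}


if __name__ == "__main__":
    for f in demo()["findings"]:
        print(f["path"], f["sha256"][:12], "; ".join(f["reasons"]))
```

The baseline comparison is what makes this useful after the fact: a file like the constructed `helper.jsp` that was dropped weeks ago and has not changed since will not stand out by modification time alone, but it will never match a clean inventory. Token matching is a cheap second signal; anything it flags still needs a human look at the quarantined copy.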
As the exploit continues to spread, Onapsis updated a YARA rule on May 5 to help security teams detect and respond to ongoing webshell activity.
Despite growing awareness, the Shadowserver Foundation reports that over 200 internet-facing SAP NetWeaver servers remain exposed as of May 5. This is a notable drop from more than 400 on April 28, but still far from safe. The number had previously spiked to over 3,400 vulnerable systems before May 1, suggesting that many companies patched late—or not at all.
The urgency is underscored by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which added the flaw to its Known Exploited Vulnerabilities (KEV) list on April 29. Federal agencies are required to patch the issue by May 20.