
mommy Access Broker
mommy Access Broker is enabling access-as-a-service operations through detailed intrusion guides and compromised credentials, and Intel 471 has released reporting and Hunt Packages to support threat hunting and detection.
In April of 2025, SAP disclosed a critical vulnerability in its SAP NetWeaver platform (CVE-2025-31324), which was given a CVSS score of 10.0. Customers use the vulnerable platform to facilitate integrations within a unified SAP environment. The flaw resides in the Visual Composer component, specifically in the Metadata Uploader module. When exploited, it allows unauthenticated remote attackers to upload arbitrary files, including malicious executables, to vulnerable SAP NetWeaver instances. Successful exploitation can potentially give operators full control over the compromised systems. Notably, ReliaQuest disclosed that multiple customers were already compromised, with threat actors deploying JSP web shells to maintain persistent access in victim environments. The impact on victims is significant, as successful exploitation can lead to unauthorized access, data exfiltration, and potential system compromise.
CVE-2025-31324 - SAP NetWeaver Vulnerability Hunt Package Collection
This Hunt Package identifies single-character file names used at the point of execution or in command-line arguments, with optional logic to look for the corresponding file creations.
Identifies when Java spawns unusual child processes, which can be an indication of exploitation of the Java process. Although Java may not be the target process of an exploit, it can be coaxed into executing malicious code as the result of an exploit in another service, such as Log4j or Spring-Core.
This Threat Hunt package identifies the use of MSBuild.exe to compile and execute files from commonly writable or easily exploitable directories such as ProgramData, AppData, Temp, or Downloads. Adversaries often abuse MSBuild, a legitimate Microsoft tool, to compile malicious project files (.xml, .txt) staged in these locations, enabling execution of payloads without creating traditional executables. This behavior typically indicates an attempt to evade detection through Living-off-the-Land Binary (LOLBIN) techniques, bypassing security controls by blending in with legitimate system activity.
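The three behaviors described above can be checked against process-creation telemetry. The following is an added example, not Intel 471's Hunt Package logic: the event field names, the list of "unusual" Java child processes, and the sample events are assumptions constructed for illustration.

```python
import re

# Assumption: child processes treated as "unusual" for a Java parent.
SUSPECT_CHILDREN = {"cmd.exe", "powershell.exe", "sh", "bash", "curl", "wget", "certutil.exe"}
# Directories the MSBuild hunt description names as commonly writable.
WRITABLE_DIRS = ("\\programdata\\", "\\appdata\\", "\\temp\\", "\\downloads\\")
# One-character base name plus an extension, e.g. C:\Users\Public\a.exe
SINGLE_CHAR = re.compile(r"""(?:^|[\\/\s"'])[a-z0-9]\.[a-z0-9]{2,4}(?=$|[\s"'])""", re.I)


def basename(path):
    """Lower-cased final path component for Windows or POSIX paths."""
    return re.split(r"[\\/]", path)[-1].lower()


def hunt(event):
    """Return the names of the hunts that match one process-creation event."""
    parent = basename(event.get("parent_image", ""))
    image = event.get("image", "")
    cmdline = event.get("command_line", "")
    hits = []
    if parent in ("java", "java.exe", "javaw.exe") and basename(image) in SUSPECT_CHILDREN:
        hits.append("java_unusual_child")
    if SINGLE_CHAR.search(image) or SINGLE_CHAR.search(cmdline):
        hits.append("single_char_filename")
    if basename(image) == "msbuild.exe" and any(d in cmdline.lower() for d in WRITABLE_DIRS):
        hits.append("msbuild_writable_dir")
    return hits


# Constructed sample events (hypothetical field names, not real telemetry).
SAMPLE_EVENTS = [
    {"parent_image": "/opt/app/jvm/bin/java", "image": "/bin/sh",
     "command_line": "sh -c id"},
    {"parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Users\Public\a.exe",
     "command_line": r"C:\Users\Public\a.exe"},
    {"parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "command_line": r"MSBuild.exe C:\ProgramData\build.xml"},
    {"parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\notepad.exe",
     "command_line": r"notepad.exe C:\Users\alice\notes.txt"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(hunt(ev), ev["command_line"])
```

In a real environment the same conditions would be expressed in the query language of the SIEM or EDR platform and tuned against known-good Java and build activity before alerting.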