Key Takeaways

  • In April 2025 a critical zero-day vulnerability was discovered in SAP NetWeaver which allowed unauthorized uploads of malicious executables.

  • Despite a quick patch release by SAP, organizations need to proactively detect potential compromises, as attackers could still exploit already compromised systems post-patch.

  • Continuous improvement of visibility into SAP systems, integrating them into broader security frameworks, and following expert advice are essential for effective cybersecurity management and preparedness against future attacks.

In March 2025, cybersecurity companies such as Mandiant started noticing exploitation activity on SAP NetWeaver systems, including the deployment of web shells. Although this activity was noted, no one realized at the time that what was being tracked was evidence of a zero-day vulnerability in SAP NetWeaver.

A month later, SAP learned about this vulnerability and quickly announced a patch. The vulnerability was also listed in the NIST National Vulnerability Database as CVE-2025-31324 and was widely reported by SAP partners and cybersecurity vendors. It was a critical issue with a severity rating of 10.0 that allowed bad actors to perform unauthenticated uploads of potentially malicious executables that could severely harm the system.

When Mandiant went back and examined its data from March, it realized that many organizations had been directly impacted by this vulnerability. Organizations running SAP NetWeaver had experienced the same sort of activity, including the deployment of web shells, on multiple systems. In some cases additional back doors had been deployed, and in a small number of instances SAP configuration data had been archived and exfiltrated.


The Value of SAP Systems for Threat Actors

While the number of attacks on SAP systems has been slowly increasing over the years, the advent of a major zero-day issue with working exploits should, according to Night Dragon CEO David DeWalt, be a “wake up call”. DeWalt went on to say that “When you see an application the size and scale of SAP have these exploits you realize that this has a very high danger level.”

Since SAP solutions are the financial system of record for thousands of companies, it is no surprise that these systems are being targeted. In addition, as SAP systems have moved from more isolated infrastructure to cloud environments, some legacy code that is not secure by design has become far more exposed. With the SAP NetWeaver platform itself being vulnerable, as was the case in this instance, DeWalt believes that “the days of security by obscurity are over, and mass exploitation can occur at a large and global scale.”

Addressing the Threat

While this vulnerability was quickly patched by SAP, one of the challenges with the issue was that applying a patch did not stop threat actors that had already exploited the vulnerability. This meant that many organizations still had significant work to do to re-secure their systems.

While this may seem like an isolated incident, SAP releases anywhere from 20 to 30 new patches every month. Some of these may only be of medium impact, but there are nearly always a handful of critical or high priority issues that need to be addressed immediately. That means organizations need to prioritize, budget for, and ensure that these critical patches can be implemented in a timely manner.

CVE-2025-31324 was a single issue affecting the SAP NetWeaver Java Application Server, but because more SAP systems are now reachable remotely, newly discovered vulnerabilities, and zero-days in particular, which can be more impactful, are also more likely to be exploited remotely. Because of the type of vulnerability this represented, network segmentation and firewalls did little to stop the attack. As sophisticated threat actors learn more about SAP systems, organizations must be prepared to respond to these types of attacks.

What This Means for SAPinsiders

Immediately take action to detect and remediate potential attacks. When new issues are announced, the first step organizations should take is to determine whether they have already been compromised. This involves running scanners as a quick way to check for artifacts such as deployed web shells. It also requires organizations to understand that they need to do more than just apply patches: zero-day vulnerabilities can see mass exploitation before they are detected, and failing to look for post-exploitation evidence can leave systems compromised even after the patch is in place.
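As an added example (not from the article, and not a vendor scanner), a small post-exploitation triage script for the Java application server's deployed web root: it flags JSP pages that either contain shell-like constructs or appeared after the last known-good deployment. The web-root location, the indicator patterns and the two sample files are assumptions constructed for the demo; on a real system, point `scan_web_root` at the deployed application directory and set the baseline to the last trusted deployment time.

```python
import os
import re
import tempfile
from datetime import datetime, timedelta, timezone

# Heuristic indicators for JSP web shells (assumed, not a vendor signature):
# process execution or dynamic class loading reachable from a served page.
SHELL_PATTERNS = {
    "runtime-exec": re.compile(r"Runtime\.getRuntime\(\)\s*\.exec\s*\("),
    "process-builder": re.compile(r"new\s+ProcessBuilder\s*\("),
    "define-class": re.compile(r"\.defineClass\s*\("),
}

def scan_web_root(web_root, baseline):
    """Walk web_root and return {path: [reasons]} for JSP/JSPX files that
    match a shell pattern or were modified after `baseline` (the last
    known-good deployment time, as an aware UTC datetime)."""
    findings = {}
    for dirpath, _, names in os.walk(web_root):
        for name in names:
            if not name.lower().endswith((".jsp", ".jspx")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                body = fh.read()
            reasons = [label for label, pat in SHELL_PATTERNS.items() if pat.search(body)]
            mtime = datetime.fromtimestamp(os.path.getmtime(path), timezone.utc)
            if mtime > baseline:
                reasons.append("modified-after-baseline")
            if reasons:
                findings[path] = reasons
    return findings

def demo():
    """Constructed sample web root: one benign page from the last deployment
    and one page dropped afterwards. Returns findings keyed by file name."""
    root = tempfile.mkdtemp(prefix="netweaver-demo-")
    baseline = datetime.now(timezone.utc) - timedelta(hours=1)
    benign = os.path.join(root, "index.jsp")
    with open(benign, "w", encoding="utf-8") as fh:
        fh.write('<%@ page language="java" %><html>Portal landing page</html>')
    old = (baseline - timedelta(days=1)).timestamp()
    os.utime(benign, (old, old))  # predates the baseline: part of the legitimate deployment
    dropped = os.path.join(root, "helper.jsp")
    with open(dropped, "w", encoding="utf-8") as fh:
        fh.write("<%-- constructed indicator sample --%><% new ProcessBuilder(args); %>")
    return {os.path.basename(p): r for p, r in scan_web_root(root, baseline).items()}
```

A hit on the modification-time check alone is worth reviewing too: a web shell written with innocuous-looking code will still show up as a file that no deployment accounts for.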

Improve visibility and auditing, and integrate SAP systems into mainstream security programs. Many SAP systems provide only limited telemetry, so organizations need to increase the security telemetry and visibility they have on these systems. This can be partly achieved by integrating SAP systems into mainstream monitoring such as SIEM solutions, but there must also be an emphasis on more testing, future-proofing, and raising board awareness.

Review the advice of experts to learn more about this issue and how to be prepared for future attacks. The best advice on managing security comes from learning from experts. Cody Barrow, CEO of Eclectic IQ, Charles Carmakal, CTO of Mandiant Consulting, Dave DeWalt, Founder and CEO of Night Dragon, and Mariano Nunez, CEO and Co-Founder of Onapsis, recently reviewed the impact of CVE-2025-31324 including how the vulnerability was discovered, the way it impacted SAP systems, and how to prepare for the future. Breakdowns like these are highly recommended for those looking to be prepared for cybersecurity threats to SAP systems.
