Transcript
exploitation of vulnerabilities, first place, most commonly used attack vector. And within that, we do see a heavy focus on enterprise applications. I mean, the top three most frequently used CVEs were all tied to enterprise applications with SAP, NetWeaver taking the first place, actually followed by Oracle eBusiness Suite, and finally Microsoft SharePoint. Obviously, all three major players in the enterprise application space, huge impact, huge client footprint. Interesting, the SAP NetWeaver vulnerability, specifically, it related to an unauthenticated remote arbitrary code upload vulnerability, which when you combined it with another CVE, also could result in code execution, making this indeed a very severe and very impactful vulnerability. Now, we track this as a campaign at Mandiant when we see recurring attacks with attackers exploiting, for example, recurring vulnerabilities, or using consistent methodologies, we create campaigns around that. And we saw this campaign last for the large majority of 2025, and with multiple investigations relating to this specific vulnerabilities. In fact, when we first started tracking it as a zero day in the early part of 2025, we observed four distinct threat clusters that were exploiting this as a zero day. And then after SAP released a patch, we saw another six threat actor clusters starting to exploit this vulnerability. And so it is clearly something that a lot of threat actors actively started to exploit. One thing that we've also seen is that the post-compromise, we saw a lot of attackers leveraging it for initial access, but also then leveraging as a starting point to further conduct internal reconnaissance within those environments. But really, what happened with this zero day was really before and after. This really became the first most exploited SAP zero day vulnerability in history, which we hadn't seen. We've seen very targeted attacks, some campaigns against known SAP vulnerabilities. We have never seen this scale, and also using a zero day. And to your point, with now different threat clusters that were interacting or leveraging this. So at a very, very high level, just to give you a sense of the time, and to give the audience a sense of the timeline, like this started really in April, publicly started in April, end of April, when Reliapad puts out a blog saying that they identified a few customers that had their SAP systems potentially compromised, but it was not clear it was a zero day, it was an old vulnerability that was being exploited. So two days later after that blog, SAP actually releases an emergency patch, right? So that makes it clear to everyone that we're dealing with a zero day. So that's where we started really working closely with SAP and government agencies across the world to really help someone, some customers. We're actually, as part of that work with SAP, based on some unique capabilities we have, we discovered that that was a bit more complex than initially thought. So SAP released another patch about 15 days later. So then there's another patch that has to be applied now.