Truth in IT
    • Sign In
    • Register
        • Videos
        • Channels
        • Pages
        • Galleries
        • News
        • Events
        • All
Truth in IT Truth in IT
  • Data Management ▼
    • Converged Infrastructure
    • DevOps
    • Networking
    • Storage
    • Virtualization
  • Cybersecurity ▼
    • Application Security
    • Backup & Recovery
    • Data Security
    • Identity & Access Management (IAM)
    • Zero Trust
    • Compliance & GRC
    • Endpoint Security
  • Cloud ▼
    • Hybrid Cloud
    • Private Cloud
    • Public Cloud
  • Webinar Library
  • TiPs
  • DRAW

CVE-2025-31324: SAP NetWeaver Zero-Day Breakdown

Onapsis
07/10/2026
0 (0%)
Share
  • Comments
  • Download
  • Transcript
Report Like Favorite
  • Share/Embed
  • Email
Link
Embed

Transcript


exploitation of vulnerabilities, first place, most commonly used attack vector. And within that, we do see a heavy focus on enterprise applications. I mean, the top three most frequently used CVEs were all tied to enterprise applications with SAP, NetWeaver taking the first place, actually followed by Oracle eBusiness Suite, and finally Microsoft SharePoint. Obviously, all three major players in the enterprise application space, huge impact, huge client footprint. Interesting, the SAP NetWeaver vulnerability, specifically, it related to an unauthenticated remote arbitrary code upload vulnerability, which when you combined it with another CVE, also could result in code execution, making this indeed a very severe and very impactful vulnerability. Now, we track this as a campaign at Mandiant when we see recurring attacks with attackers exploiting, for example, recurring vulnerabilities, or using consistent methodologies, we create campaigns around that. And we saw this campaign last for the large majority of 2025, and with multiple investigations relating to this specific vulnerabilities. In fact, when we first started tracking it as a zero day in the early part of 2025, we observed four distinct threat clusters that were exploiting this as a zero day. And then after SAP released a patch, we saw another six threat actor clusters starting to exploit this vulnerability. And so it is clearly something that a lot of threat actors actively started to exploit. One thing that we've also seen is that the post-compromise, we saw a lot of attackers leveraging it for initial access, but also then leveraging as a starting point to further conduct internal reconnaissance within those environments. But really, what happened with this zero day was really before and after. This really became the first most exploited SAP zero day vulnerability in history, which we hadn't seen. We've seen very targeted attacks, some campaigns against known SAP vulnerabilities. We have never seen this scale, and also using a zero day. And to your point, with now different threat clusters that were interacting or leveraging this. So at a very, very high level, just to give you a sense of the time, and to give the audience a sense of the timeline, like this started really in April, publicly started in April, end of April, when Reliapad puts out a blog saying that they identified a few customers that had their SAP systems potentially compromised, but it was not clear it was a zero day, it was an old vulnerability that was being exploited. So two days later after that blog, SAP actually releases an emergency patch, right? So that makes it clear to everyone that we're dealing with a zero day. So that's where we started really working closely with SAP and government agencies across the world to really help someone, some customers. We're actually, as part of that work with SAP, based on some unique capabilities we have, we discovered that that was a bit more complex than initially thought. So SAP released another patch about 15 days later. So then there's another patch that has to be applied now.

TL;DR

  • CVE-2025-31324 was the most exploited vulnerability of 2025 per Mandiant's M-Trends Report, surpassing Oracle eBusiness Suite and Microsoft SharePoint CVEs.
  • The SAP NetWeaver flaw allowed unauthenticated remote code upload and, when chained with a second CVE, enabled full remote code execution across enterprise environments.
  • Mandiant tracked ten distinct threat actor clusters exploiting this vulnerability — four before the patch and six more after SAP's emergency fix was released.

Summary

This short-form clip features a Mandiant expert discussing CVE-2025-31324, the SAP NetWeaver zero-day that topped Mandiant's M-Trends Report as the most exploited vulnerability of 2025. The vulnerability — an unauthenticated remote arbitrary code upload flaw — could be chained with a second CVE to achieve full remote code execution, making it exceptionally severe. Mandiant tracked the exploitation as a formal campaign, observing four distinct threat clusters actively exploiting it as a zero-day before SAP issued an emergency patch, followed by six additional threat actor clusters emerging after the patch was released. The campaign persisted across the majority of 2025 and involved multiple investigations. Beyond initial access, attackers used the foothold for internal reconnaissance within compromised environments. The public disclosure timeline began in late April when ReliaQuest published a blog identifying potentially compromised SAP systems, prompting SAP to release an emergency patch two days later. Onapsis subsequently identified additional complexity in the vulnerability, leading SAP to issue a second patch approximately 15 days after the first. This marked the first time an SAP zero-day was exploited at this scale, representing a historic shift in the threat landscape for enterprise application security.

Chapters

0:00 - Enterprise CVE Trends Overview
0:33 - SAP NetWeaver Vulnerability Details
0:52 - Threat Actor Clusters & Campaign Scope
1:54 - Disclosure Timeline & Patch Response

Key Quotes

1:58 "This really became the first most exploited SAP zero day vulnerability in history, which we hadn't seen."
0:11 "The top three most frequently used CVEs were all tied to enterprise applications with SAP NetWeaver taking the first place."
1:24 "When we first started tracking it as a zero day in the early part of 2025, we observed four distinct threat clusters that were exploiting this as a zero day. And then after SAP released a patch, we saw another six threat actor clusters starting to exploit this vulnerability."

FAQ

Why was CVE-2025-31324 considered so severe?

The vulnerability allowed unauthenticated remote arbitrary code upload. When combined with a second CVE, it enabled full remote code execution — giving attackers a powerful, no-credentials-required entry point into enterprise SAP environments.

How quickly did threat actors move after the patch was released?

Very quickly. Mandiant observed four threat clusters exploiting the vulnerability as a zero-day before the patch, and six additional clusters began exploitation after SAP released its emergency fix — demonstrating that patching alone did not stop attacker interest.


Categories:
  • » Data Protection
Channels:
News:
Events:
Tags:
  • Vulnerability Management
  • Threat Intelligence
  • Security Operations
  • Technical Deep Dive
  • short_form
  • SAP NetWeaver security
  • CVE-2025-31324
  • Zero-day exploitation
  • Enterprise application vulnerabilities
  • Threat actor campaigns
  • Incident response
  • M-Trends 2025
Show more Show less

Browse videos

  • Related
  • Featured
  • By date
  • Most viewed
  • Top rated
  •  

              Video's comments: CVE-2025-31324: SAP NetWeaver Zero-Day Breakdown

              Upcoming Webinar Calendar

              • 07/14/2026
                01:00 PM
                07/14/2026
                Crafting a Championship-Worthy Security Team for Unmatched Defense
                https://www.truthinit.com/index.php/channel/2025/crafting-a-championship-worthy-security-team-for-unmatched-defense/
              • 07/14/2026
                02:00 PM
                07/14/2026
                Understanding the Crucial Role of Context in Safeguarding AI-Accessible Data
                https://www.truthinit.com/index.php/channel/2037/understanding-the-crucial-role-of-context-in-safeguarding-ai-accessible-data/
              • 07/21/2026
                04:00 AM
                07/21/2026
                Strategies for Managing AI Governance and Securing App-to-LLM API Traffic
                https://www.truthinit.com/index.php/channel/1967/strategies-for-managing-ai-governance-and-securing-app-to-llm-api-traffic/
              • 07/22/2026
                06:30 AM
                07/22/2026
                Insights and Strategies for Effective Data Privacy and Protection
                https://www.truthinit.com/index.php/channel/2000/insights-and-strategies-for-effective-data-privacy-and-protection/
              • 07/22/2026
                01:00 PM
                07/22/2026
                Insights from Attackers During the FIFA World Cup: A HUMAN Dialogue
                https://www.truthinit.com/index.php/channel/2029/insights-from-attackers-during-the-fifa-world-cup-a-human-dialogue/
              • 07/28/2026
                01:00 PM
                07/28/2026
                Illumio + Netskope: Zero Trust in the Age of AI Autonomy
                https://www.truthinit.com/index.php/channel/2031/illumio-netskope-zero-trust-in-the-age-of-ai-autonomy/
              • 07/29/2026
                04:00 AM
                07/29/2026
                Real-Time Strategies for Safeguarding Against Prompt Injections
                https://www.truthinit.com/index.php/channel/1968/real-time-strategies-for-safeguarding-against-prompt-injections/
              • 07/29/2026
                12:00 PM
                07/29/2026
                Unified Data Security in Action: Uncover, Analyze, and Resolve Threats
                https://www.truthinit.com/index.php/channel/2045/unified-data-security-in-action-uncover-analyze-and-resolve-threats/
              • 07/29/2026
                01:00 PM
                07/29/2026
                Ask Your Cloud Anything: Unlocking Governance Silos in your Environments
                https://www.truthinit.com/index.php/channel/2048/ask-your-cloud-anything-unlocking-governance-silos-in-your-environments/
              • 08/19/2026
                12:00 PM
                08/19/2026
                Becoming Agent Ready: Insights from Cyera's Expertise
                https://www.truthinit.com/index.php/channel/2036/becoming-agent-ready-insights-from-cyeras-expertise/
              • 09/30/2026
                04:00 AM
                09/30/2026
                AI Command Center: Optimizing Visibility and Control in Your Operations
                https://www.truthinit.com/index.php/channel/2024/ai-command-center-optimizing-visibility-and-control-in-your-operations/

              Upcoming Events

              • Jul
                14

                Crafting a Championship-Worthy Security Team for Unmatched Defense

                07/14/202601:00 PM ET
                • Jul
                  14

                  Understanding the Crucial Role of Context in Safeguarding AI-Accessible Data

                  07/14/202602:00 PM ET
                  • Jul
                    21

                    Strategies for Managing AI Governance and Securing App-to-LLM API Traffic

                    07/21/202604:00 AM ET
                    • Jul
                      22

                      Insights and Strategies for Effective Data Privacy and Protection

                      07/22/202606:30 AM ET
                      • Jul
                        22

                        Insights from Attackers During the FIFA World Cup: A HUMAN Dialogue

                        07/22/202601:00 PM ET
                        More events
                        Truth in IT
                        • Sponsor
                        • About Us
                        • Terms of Service
                        • Privacy Policy
                        • Contact Us
                        • Preference Management
                        Desktop version
                        Standard version