# CVE-2025-31324
Published 2025-04-24
Priority: P1 (98) · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: KEV · ITW · EXPLOIT · Ransomware · Initial access
CISA Known Exploited Vulnerability, remediation due 2025-05-20
Exploited in the wild
EPSS: 99.36% (99.9th percentile)
SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries that could severely harm the host system. This could significantly affect the confidentiality, integrity, and availability of the targeted system.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sap | netweaver | — | — |
| sap_se | sap_netweaver | — | — |
Detection & IOCs (extracted from sources)
Other: Rule 1012351 - SAP NetWeaver Visual Composer Unrestricted File Upload Vulnerability (CVE-2025-31324)
- Monitor and restrict access to the /developmentserver/metadatauploader endpoint; unauthenticated POST requests to this path are the primary attack vector for CVE-2025-31324.
- Hunt for web shells dropped in the SAP NetWeaver servlet path; known names include cache.jsp and helper.jsp, but threat actors also use random names.
- Forward SAP NetWeaver logs to a SIEM and scan for unauthorized files in the servlet path as a detection measure.
- Uploaded web shells were used to deploy malware and establish C2 communications; correlate unexpected file uploads or command execution on SAP servers as high-fidelity alerts.
- Multiple APT and ransomware groups have been observed actively exploiting CVE-2025-31324; treat any exploitation of this endpoint as a high-severity incident.
- Visual Composer is not always required; disabling it entirely removes the attack surface if the component is not in use.
- CVE-2025-42999 (deserialization) is a related underlying vulnerability that was not addressed by the CVE-2025-31324 patch; both SAP security notes (#3594142 and #3604119) must be applied for full protection.
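The three detection items above (watch the uploader endpoint, inspect uploads for JSP content, hunt the servlet path for stray .jsp files) can be turned into a small log- and file-review script. The following is an added example written for this page, not code from any of the cited sources or from SAP; it assumes Apache combined-format access logs, and every log line, request body, filename and servlet-directory listing in it is constructed for the demonstration. The upload check encodes the same condition as the ET EXPLOIT Suricata rule listed further down (a multipart part whose filename ends in .jsp and whose content opens with a JSP tag), and the query-string check mirrors what the ET HUNTING rule keys on.

```python
"""Defender-side checks for CVE-2025-31324 activity (added example; sample data is constructed)."""
import re
from dataclasses import dataclass

UPLOADER_PATH = "/developmentserver/metadatauploader"
# Web shell names cited in the detection guidance; actors also use random names.
KNOWN_WEBSHELL_NAMES = {"cache.jsp", "helper.jsp"}

# Apache/NCSA combined log format (assumed format for the sample lines).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# Multipart part header carrying an uploaded file name.
CONTENT_DISPOSITION_RE = re.compile(
    r'Content-Disposition:\s*form-data;[^\r\n]*filename="(?P<name>[^"]+)"', re.I
)


@dataclass
class Hit:
    source: str
    timestamp: str
    method: str
    uri: str
    status: int
    reason: str


def scan_access_log(lines):
    """Return one Hit per request that touches the metadata uploader endpoint.

    POSTs are upload attempts; GET/HEAD with a query string is the shape the
    ET HUNTING rule inspects. A 200 on a POST deserves the highest priority,
    because it means the server accepted the request.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        uri = m.group("uri")
        if not uri.lower().startswith(UPLOADER_PATH):
            continue
        method = m.group("method")
        if method == "POST":
            reason = "POST to metadata uploader (upload attempt)"
        elif method in ("GET", "HEAD") and "?" in uri:
            reason = "GET/HEAD with query string to metadata uploader"
        else:
            reason = "request to metadata uploader"
        hits.append(Hit(m.group("src"), m.group("ts"), method, uri,
                        int(m.group("status")), reason))
    return hits


def is_jsp_upload(body: bytes) -> bool:
    """True if a multipart body has a part named *.jsp whose content starts with '<%'."""
    text = body.decode("latin-1")  # byte-for-byte mapping, never raises
    for m in CONTENT_DISPOSITION_RE.finditer(text):
        if not m.group("name").lower().endswith(".jsp"):
            continue
        hdr_end = text.find("\r\n\r\n", m.end())  # blank line ends the part headers
        if hdr_end == -1:
            continue
        if text[hdr_end + 4:].lstrip().startswith("<%"):
            return True
    return False


def hunt_servlet_dir(filenames, baseline):
    """List .jsp files not in a known-good baseline, tagging names tied to this campaign."""
    findings = []
    for name in filenames:
        if not name.lower().endswith(".jsp") or name in baseline:
            continue
        tag = "known webshell name" if name.lower() in KNOWN_WEBSHELL_NAMES else "unexpected jsp"
        findings.append((name, tag))
    return findings


# --- constructed sample data (not real telemetry) ---
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Apr/2025:10:02:11 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 512',
    '198.51.100.7 - - [25/Apr/2025:10:02:15 +0000] "GET /developmentserver/metadatauploader?CONTENTTYPE=MODEL&CLIENT=1 HTTP/1.1" 200 1024',
    '192.0.2.9 - - [25/Apr/2025:10:03:00 +0000] "GET /irj/portal HTTP/1.1" 200 4096',
]
SAMPLE_BODY = (b'--boundary\r\nContent-Disposition: form-data; name="file"; filename="helper.jsp"\r\n'
               b'Content-Type: application/octet-stream\r\n\r\n<%@ page import="java.io.*" %>\r\n--boundary--\r\n')
BENIGN_BODY = (b'--boundary\r\nContent-Disposition: form-data; name="file"; filename="model.xml"\r\n'
               b'Content-Type: application/xml\r\n\r\n<?xml version="1.0"?><model/>\r\n--boundary--\r\n')
SAMPLE_SERVLET_DIR = ["index.jsp", "cache.jsp", "random_7f3a.jsp", "style.css"]
BASELINE = {"index.jsp"}  # assumed known-good inventory taken before the incident window

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
    print("jsp upload in body:", is_jsp_upload(SAMPLE_BODY), is_jsp_upload(BENIGN_BODY))
    print(hunt_servlet_dir(SAMPLE_SERVLET_DIR, BASELINE))
```

The baseline set is the important design choice for the file hunt: without a pre-incident inventory of the servlet path, every .jsp looks suspicious, and with it only new files surface. Feed `scan_access_log` the reverse-proxy or ICM logs and `is_jsp_upload` the captured request bodies (TLS decryption is needed, as the Suricata metadata also notes).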
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| vulncheck | — | 10.0 | CRITICAL | — |
| cisa | — | 9.8 | CRITICAL | — |
GHSA
GHSA-7w9p-pr7x-mjw2 (ghsa_unreviewed · 2025-04-24)
CVE-2025-31324 [CRITICAL] CWE-434
SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries that could severely harm the host system. This could significantly affect the confidentiality, integrity, and availability of the targeted system.
VulnCheck
SAP NetWeaver Deserialization Vulnerability
vulncheck · 2025 · CVSS 9.1
CVE-2025-42999 [CRITICAL] CWE-502
SAP NetWeaver Visual Composer Metadata Uploader contains a deserialization vulnerability that allows a privileged attacker to compromise the confidentiality, integrity, and availability of the host system by deserializing untrusted or malicious content.
Affected: SAP NetWeaver
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References: https://onapsis.com/blog/active-exploitation-of-sap-vulnerability-cve-2025-31324/; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://onapsis.com/blog/new-exploit-for-cve-2025-31324/; ht
VulnCheck
SAP NetWeaver Unrestricted File Upload Vulnerability
vulncheck · 2025 · CVSS 10.0
CVE-2025-31324 [CRITICAL] CWE-434
SAP NetWeaver Visual Composer Metadata Uploader contains an unrestricted file upload vulnerability that allows an unauthenticated agent to upload potentially malicious executable binaries.
Affected: SAP NetWeaver
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References: https://reliaquest.com/blog/threat-spotlight-reliaquest-uncovers-vulnerability-behind-sap-netweaver-compromise/; https://arcticwolf.com/resources/blog-uk/cve-2025-31324-maximum-severity-file-upload-vulnerability-in-sap-netweaver-exploited-in-the-wild/; https://x.com/gothburz/status/1
CISA
SAP NetWeaver Unrestricted File Upload Vulnerability
cisa · 2025-04-29 · CVSS 9.8
CVE-2025-31324 [CRITICAL] CWE-434
Affected: SAP NetWeaver
SAP NetWeaver Visual Composer Metadata Uploader contains an unrestricted file upload vulnerability that allows an unauthenticated agent to upload potentially malicious executable binaries.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://me.sap.com/notes/3594142 ; https://nvd.nist.gov/vuln/detail/CVE-2025-31324
Remediation Due Date: 2025-05-20
Suricata
ET HUNTING SAP NetWeaver Visual Composer Metadata Uploader Unauthenticated Arbitrary Command Execution (CVE-2025-31324)
suricata · 2025-08-25 · CVSS 10.0 · CVE-2025-31324 [CRITICAL]
Rule: alert http any any -> $HOME_NET any (msg:"ET HUNTING SAP NetWeaver Visual Composer Metadata Uploader Unauthenticated Arbitrary Command Execution (CVE-2025-31324)"; flow:established,to_server; http.method; pcre:"/^(?:GET|HEAD)$/"; http.uri; content:"/developmentserver/metadatauploader|3f|"; nocase; fast_pattern; pcre:"/(?:^|\x26)\w+\x3d[^\x26]*?(?:[\x3b\x24\x60\x7c]|\x25(?:3[bB]|24|60|7[cC]))/R"; reference:cve,2025-31324; classtype:web-application-attack; sid:2064149; rev:1; metadata:affected_product SAP, attack_target Server, tls_state TLSDecrypt, created_at 2025_08_25, cve CVE_2025_31324, deployment Perimeter, deployment Internal, confidence High, signature_severi
Suricata
ET EXPLOIT SAP NetWeaver Visual Composer Metadata Uploader Unauthenticated JSP File Upload (CVE-2025-31324)
suricata · 2025-08-25 · CVSS 10.0 · CVE-2025-31324 [CRITICAL]
Rule: alert http any any -> $HOME_NET any (msg:"ET EXPLOIT SAP NetWeaver Visual Composer Metadata Uploader Unauthenticated JSP File Upload (CVE-2025-31324)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/developmentserver/metadatauploader"; nocase; fast_pattern; http.request_body; content:"filename|3d 22|"; pcre:"/^\w+\x2ejsp/R"; content:"|0d 0a 0d 0a 3c 25 40|"; reference:cve,2025-31324; classtype:web-application-attack; sid:2064148; rev:1; metadata:affected_product SAP, attack_target Server, tls_state TLSDecrypt, created_at 2025_08_25, cve CVE_2025_31324, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploi
Suricata
ET WEB_SPECIFIC_APPS SAP Netweaver Unauthenticated File Upload Attempt (JSP Webshell) (CVE-2025-31324)
suricata · 2025-04-28 · CVSS 10.0 · CVE-2025-31324 [CRITICAL]
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS SAP Netweaver Unauthenticated File Upload Attempt (JSP Webshell) (CVE-2025-31324)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/developmentserver/metadatauploader"; fast_pattern; startswith; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name|3d 22|file|22 3b 20|filename|3d 22|"; content:".jsp|22|"; within:100; content:"Content-Type|3a 20|application/octet-stream"; within:50; pcre:"/^[^\x3c]*?(?:\x3c\x25\x40|\x3c\x25\x2d\x2d|\x3c\x25)/R"; reference:cve,2025-31324; reference:url,redrays.io/blog/critical-sap-netweaver-vulnerability-cve-2025-31324-fixed-actively-explo
Nuclei
SAP NetWeaver Visual Composer Metadata Uploader - Deserialization
nuclei · CVSS 9.8 · CVE-2025-31324 [CRITICAL]
SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries that could severely harm the host system. This could significantly affect the confidentiality, integrity, and availability of the targeted system.
Template:
```yaml
id: CVE-2025-31324
info:
  name: SAP NetWeaver Visual Composer Metadata Uploader - Deserialization
  author: iamnoooob,rootxharsh,parthmalhotra,pdresearch
  severity: critical
  description: |
    SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries that could severely harm the host
```
Hackernews
China-Linked TA416 Targets European Governments with PlugX and OAuth-Based Phishing
blogs_hackernews · 2026-04-03
A China-aligned threat actor has set its sights on European government and diplomatic organizations since mid-2025, following a two-year period of minimal targeting in the region.
The campaign has been attributed to TA416, a cluster of activity that overlaps with DarkPeony, RedDelta, Red Lich, SmugX, UNC6384, and Vertigo Panda.
"This TA416 activity included multiple waves of web bug and malware delivery campaigns against diplomatic missions to the European Union and NATO across a range of European countries," Proofpoint researchers Mark Kel
Mandiant
Ransomware Under Pressure: Tactics, Techniques, and Procedures in a Shifting Threat Landscape
blogs_mandiant · 2026-03-16
Google Threat Intelligence Group
Written by: Bavi Sadayappan, Zach Riddle, Ioana Teaca, Kimberly Goody, Genevieve Stark
## Introduction
Since 2018, when many financially motivated threat actors began shifting their monetization strategy to post-compromise ransomware deployments, ransomware has become one of the most pervasive threats to organizations across almost every industry vertical and region. In recent years ransomware operations have evolved, creating a robust ecosystem that has lowered the barrier to entry via the commoditization and specialization of the supporting underground communities, w
Greynoiseio
The Noise in the Silence: Unmasking CISA's Hidden KEV Ransomware Updates
blogs_greynoiseio · 2026-02-02
Bleepingcomputer
CISA orders feds to patch VMware Tools flaw exploited by Chinese hackers
blogs_bleepingcomputer · 2025-10-30 · CVSS 7.8 · CVE-2025-41244 [HIGH]
By Sergiu Gatlan
On Thursday, CISA warned U.S. government agencies to secure their systems against attacks exploiting a high-severity vulnerability in Broadcom's VMware Aria Operations and VMware Tools software.
Tracked as CVE-2025-41244 and patched one month ago, this vulnerability allows local attackers with non-administrative privileges to a virtual machine (VM) with VMware Tools and managed by Aria Operations with SDMP enabled to escalate privileges to root on the same VM.
CISA added the flaw to its Known Exploited Vulnerabilities catalog, which lists security bugs the cybersecurity agency has flagged as exploited in the wild. Federal Civilian Executive Branch (FCEB) agencies now have three weeks, until N
Bleepingcomputer
Chinese hackers exploiting VMware zero-day since October 2024
blogs_bleepingcomputer · 2025-09-30 · CVSS 9.8 · CVE-2025-41244 [CRITICAL]
By Sergiu Gatlan
Broadcom has patched a high-severity privilege escalation vulnerability in its VMware Aria Operations and VMware Tools software, which has been exploited in zero-day attacks since October 2024.
While the American technology giant didn't tag this security bug (CVE-2025-41244) as exploited in the wild, it thanked NVISO threat researcher Maxime Thiebaut for reporting the bug in May.
However, yesterday, the European cybersecurity company disclosed that this vulnerability was first exploited in the wild beginning mid-October 2024 and linked the attacks to the UNC5174 Chinese state-sponsored threat actor.
"To abuse this vulnerability, an unprivileged local attacker can stage a malicious binary within any of
Securelist
IT threat evolution in Q2 2025. Non-mobile statistics
blogs_securelist · 2025-09-05
Table of Contents
The quarter in numbers
Ransomware
Quarterly trends and highlights
Law enforcement success
Vulnerabilities and attacks
Mass exploitation of a vulnerability in SAP NetWeaver
Attacks via the SimpleHelp remote administration tool
Qilin exploits vulnerabilities in Fortinet
Exploitation of a Windows CLFS vulnerability
The most prolific groups
Number of new variants
Number of users attacked by ransomware Trojans
Geography of attacked users
TOP 10 countries and territories attacked by ransomware Trojans
TOP 10 most common families of ransomware Trojans
Miners
Number of new variants
Number of users attacked by miners
Geography of attacked users
TOP 10 countries and territories attacked by miners
Attacks on macOS
TOP 20 threats to macOS
Geography of threats t
Securelist
Desktop and IoT threat report for Q2 2025
blogs_securelist · 2025-09-05
Table of Contents
- The quarter in numbers
- Ransomware
- Miners
- Attacks on macOS
- IoT threat statistics
- Attacks via web resources
- Local threats
Authors
- AMR
IT threat evolution in Q2 2025. Non-mobile statistics
IT threat evolution in Q2 2025. Mobile statistics
The statistics in this report are based on detection verdicts returned by Kaspersky products unless otherwise stated. The information was provided by Kaspersky users who consented to sharing statistical data.
## The quarter in numbers
In Q2 2025:
- Kaspersky solutions blocked more than 471 million attacks originating from various online resources.
- Web Anti-Virus detected 77 million unique links.
- File Anti-Virus blocked nearly 23 million malicious and potentially unwanted objects.
- There were 1,702 new ransomwar
Securelist
Exploits and vulnerabilities in Q2 2025
blogs_securelist · 2025-08-27 · CVSS 8.2 · CVE-2025-32433 [HIGH]
Table of Contents
Statistics on registered vulnerabilities
Exploitation statistics
Windows and Linux vulnerability exploitation
Most common published exploits
Vulnerability exploitation in APT attacks
C2 frameworks
Interesting vulnerabilities
CVE-2025-32433: vulnerability in the SSH server, part of the Erlang/OTP framework
CVE-2025-6218: directory traversal vulnerability in WinRAR
CVE-2025-3052: insecure data access vulnerability in NVRAM, allowing bypass of UEFI signature checks
CVE-2025-49113: insecure deserialization vulnerability in Roundcube Webmail
CVE-2025-1533: stack overflow vulnerability in the AsIO3.sys driver
Conclusion and advice
Authors
Alexander Kolesnikov
Vulnerability registrations in Q2 2025 proved to be quite dynamic. Vulnerabilities that were published i
Securelist
Vulnerability landscape analysis for Q2 2025
blogs_securelist · 2025-08-27
Table of Contents
- Statistics on registered vulnerabilities
- Exploitation statistics
- Vulnerability exploitation in APT attacks
- C2 frameworks
- Interesting vulnerabilities
- Conclusion and advice
Authors
- Alexander Kolesnikov
Vulnerability registrations in Q2 2025 proved to be quite dynamic. Vulnerabilities that were published impact the security of nearly every computer subsystem: UEFI, drivers, operating systems, browsers, as well as user and web applications. Based on our analysis, threat actors continue to leverage vulnerabilities in real-world attacks as a means of gaining access to user systems, just like in previous periods.
This report also describes known vulnerabilities used with popular C2 frameworks during the first half of 2025.
## Statistics on registered vulnera
Bleepingcomputer
Hackers exploit SAP NetWeaver bug to deploy Linux Auto-Color malware
blogs_bleepingcomputer · 2025-07-29 · CVSS 10.0 · CVE-2025-31324 [CRITICAL]
By Bill Toulas
Hackers were spotted exploiting a critical SAP NetWeaver vulnerability tracked as CVE-2025-31324 to deploy the Auto-Color Linux malware in a cyberattack on a U.S.-based chemicals company.
Cybersecurity firm Darktrace discovered the attack during an incident response in April 2025, where an investigation revealed that the Auto-Color malware had evolved to include additional advanced evasion tactics.
Darktrace reports that the attack started on April 25, but active exploitation occurred two days later, delivering an ELF (Linux executable) file onto the targeted machine.
The Auto-Color malware was first documented by Palo Alto Networks' Unit 42 researchers in February 2025, who highlighted its evasive
Trendmicro
Critical SAP Vulnerability Exposes Enterprises
blogs_trendmicro · 2025-06-12 · CVSS 10.0 · CVE-2025-31324 [CRITICAL]
Exploits & Vulnerabilities
CVE-2025-31324 in SAP NetWeaver Visual Composer enables unauthenticated file uploads, exposing systems to RCE and data loss - learn what to do about it.
By: Dereus Caldwell, 2025/06/12
## Overview
In early 2025, a critical vulnerability—CVE-2025-31324—was disclosed in SAP NetWeaver Visual Composer, a widely used tool for building business applications. This vulnerability allows unrestricted file uploads, potentially enabling attackers to upload malicious scripts or executables to the server, leading to remote code execution, data exfiltration, or lateral movement within enterprise networks.
Given SAP’s central role in many organizations’ operations, this vulnerability poses
Trendmicro
Earth Lamia Develops Custom Arsenal to Target Multiple Industries
blogs_trendmicro · 2025-05-27
APT & Targeted Attacks
Trend™ Research has been tracking an active APT threat actor named Earth Lamia, targeting multiple industries in Brazil, India and Southeast Asia countries at least since 2023. The threat actor primarily exploits vulnerabilities in web applications to gain access to targeted organizations.
By: Joseph C Chen, 2025/05/27
Summary
- Trend Research has identified Earth Lamia as an APT threat actor that exploits vulnerabilities in web applications to gain access to organizations, using various techniques for data exfiltration.
- Earth Lamia develops and customizes hacking tools to evade detection, such as PULSEPACK and BypassBoss.
- Earth Lamia has primarily targeted
Unit42
Threat Brief: CVE-2025-31324 (Updated June 25)
blogs_unit42 · 2025-05-23 · CVSS 10.0 · CVE-2025-31324 [CRITICAL]
Published: May 23, 2025
Tags: High Profile Threats · Vulnerabilities · CVE-2025-31324 · Remote Code Execution · Web shells
## Executive Summary
Unit 42 stopped monitoring this threat and updating the brief on Monday, June 25, 2025. Please refer to the SAP Netweaver release notes for the latest information.
Update May 23, 2025: We have added further details and indicators of compromise (IoC) to this post, to provide defenders additional information to hunt with. This information can be found in the Appendix section.
On April 24, 2025, SAP disclosed CVE-2025-31324, a critical vulnerability with a CVSS score of 10.0 affecting the SAP NetWeaver's Visual Composer Framework, version 7.50. This threat brief shares a brief overview of the vulnerability and our analysis, and also includes details of what we’ve observed through our incident response services and telemetry.
This vulnerability allows unauthenticated u
Checkpoint
19th May – Threat Intelligence Report
blogs_checkpoint · 2025-05-19 · CVE-2025-31324
For the latest discoveries in cyber research for the week of 19th May, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
Fashion giant Dior confirmed a data breach that exposed customer information from its Fashion and Accessories line. The leaked data includes names, gender, phone numbers, email addresses, postal addresses, and purchase history with customers in South Korea and China most affected. Specific details regarding the quantity and addit
Bleepingcomputer
Ransomware gangs join ongoing SAP NetWeaver attacks
blogs_bleepingcomputer · 2025-05-14 · CVSS 7.8 · CVE-2025-31324 [HIGH]
By Sergiu Gatlan
Ransomware gangs have joined ongoing SAP NetWeaver attacks, exploiting a maximum-severity vulnerability that allows threat actors to gain remote code execution on vulnerable servers.
SAP released emergency patches on April 24 to address this NetWeaver Visual Composer unauthenticated file upload security flaw (CVE-2025-31324), days after it was first tagged by cybersecurity company ReliaQuest as targeted in the wild.
Successful exploitation lets threat actors upload malicious files without requiring login credentials, potentially leading to complete system compromise.
Today, in an update to their original advisory, ReliaQuest revealed that the RansomEXX and BianLian ransomware operations have also joined these at
Bleepingcomputer
SAP patches second zero-day flaw exploited in recent attacks
blogs_bleepingcomputer · 2025-05-13 · CVSS 10.0 · CVE-2025-42999 [CRITICAL]
By Sergiu Gatlan
SAP has released patches to address a second vulnerability exploited in recent attacks targeting SAP NetWeaver servers as a zero-day.
The company issued security updates for this security flaw (CVE-2025-42999) on Monday, May 12, saying it was discovered while investigating zero-day attacks involving another unauthenticated file upload flaw (tracked as CVE-2025-31324) in SAP NetWeaver Visual Composer that was fixed in April.
"SAP is aware of and has been addressing vulnerabilities in SAP NETWEAVER Visual Composer," a SAP spokesperson told BleepingComputer. "We ask all customers using SAP NETWEAVER to install these patches to protect themselves. The Security Notes can be found here: 3594142 & 3604119."
Bleepingcomputer
Chinese hackers behind attacks targeting SAP NetWeaver servers
blogs_bleepingcomputer · 2025-05-09 · CVSS 10.0 · CVE-2025-31324 [CRITICAL]
By Sergiu Gatlan
Forescout Vedere Labs security researchers have linked ongoing attacks targeting a maximum severity vulnerability impacting SAP NetWeaver instances to a Chinese threat actor.
SAP released an out-of-band emergency patch on April 24 to address this unauthenticated file upload security flaw (tracked as CVE-2025-31324) in SAP NetWeaver Visual Composer, days after cybersecurity company ReliaQuest first detected the vulnerability being targeted in attacks.
Successful exploitation enables unauthenticated attackers to upload malicious files without logging in, allowing them to gain remote code execution and potentially leading to complete system compromise.
ReliaQuest reported that multiple customers' systems
Talos
Understanding the challenges of securing an NGO
blogs_talos · 2025-05-01
Welcome to this week’s edition of the Threat Source newsletter.
Recently, I was invited to sit on a panel at the CIO4Good Conference here in Washington D.C., where I talked about incident response and cyber preparedness to a room full of CIOs who help lead wonderful missions to help others. I’m incredibly fortunate to be able to volunteer for the NGO community. I’ve been involved with them for a few years now, and it has been a singular experience.
I sit in a uniquely blessed situation. Cisco Talos is resourced to help protect our customers — we have expertise, tooling and a huge array of diverse security skillsets. A humanitarian assistance or non-governmental organization (NGO) usually has none or very few of these luxuries. If I can take some of my time and experience here at Talos an
Wiz
Crying Out Cloud Newsletter - May 2025 | Wiz
blogs_wiz·2025-05-01·CVSS 10.0
Welcome back! This month we’ve seen a lot of action, with both vulnerabilities and security incidents that have left users affected. We bring you the latest cloud security highlights, to help you stay informed and stay secure.
Here are our top picks of cloud security highlights!
Hype or no hype – Critical Vulnerability in Erlang/OTP SSH Implementation
CVE-2025-32433 is a critical vulnerability (CVSS 10.0) in the Erlang/Open Telecom Platform (OTP) SSH implementation that allows unauthenticated remote attackers to execute arbitrary code by exploiting flaws in how the SSH protocol sequence is handled. Specifically, the vulnerability stems from the improper enforcement of message ordering, enabling attackers to send malicious SSH protocol messages before authentication and gain code executi
Bleepingcomputer
Over 1,200 SAP NetWeaver servers vulnerable to actively exploited flaw
blogs_bleepingcomputer·2025-04-28·CVSS 10.0
## Over 1,200 SAP NetWeaver servers vulnerable to actively exploited flaw
By Bill Toulas
Over 1,200 internet-exposed SAP NetWeaver instances are vulnerable to an actively exploited maximum severity unauthenticated file upload vulnerability that allows attackers to hijack servers.
SAP NetWeaver is an application server and development platform that runs and connects SAP and non-SAP applications across different technologies.
Last week, SAP disclosed an unauthenticated file upload vulnerability, tracked as CVE-2025-31324, in SAP NetWeaver Visual Composer, specifically the Metadata Uploader component.
The flaw allows remote attackers to upload arbitrary executable files on exposed instances without authenticating, achieving code execution and full system compromise.
Multiple cybersecuri
Checkpoint
28th April – Threat Intelligence Report
blogs_checkpoint·2025-04-28
## 28th April – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 28th April, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
British retailer Marks & Spencer (M&S) experienced a cyber-attack that caused disruptions to its online order system and in-store contactless payments. The company suspended online orders temporarily, refunded some customers, and reported the incident to the Information Commissioner’s Office (ICO).
Yale New Haven Health (YNH
Tenable
CVE-2025-31324: Zero-Day Vulnerability in SAP NetWeaver Exploited in the Wild
blogs_tenable·2025-04-25·CVSS 10.0
Bleepingcomputer
SAP fixes suspected NetWeaver zero-day exploited in attacks
blogs_bleepingcomputer·2025-04-25·CVSS 10.0
## SAP fixes suspected NetWeaver zero-day exploited in attacks
By Bill Toulas
SAP has released out-of-band emergency NetWeaver updates to fix a suspected remote code execution (RCE) zero-day flaw actively exploited to hijack servers.
The vulnerability, tracked under CVE-2025-31324 and rated critical (CVSS v3 score: 10.0), is an unauthenticated file upload vulnerability in SAP NetWeaver Visual Composer, specifically the Metadata Uploader component.
It allows attackers to upload malicious executable files without logging in, potentially leading to remote code execution and full system compromise.
Though the vendor's bulletin isn't public, ReliaQuest reported earlier this week about an actively exploited vulnerability on SAP NetWeaver Visual Composer, specifically the '/developmentserver
Qualys
Zero-Day Vulnerability Protection | Detect & Stop Threats | Qualys
blogs_qualys·2025-04-18
## Table of Contents
Why Zero-Day Vulnerabilities Demand a New Security Mindset
Understanding Zero-Day Vulnerabilities, Exploits, and Attacks
How Do Zero-Day Attacks Work?
The Zero-Day Lifecycle: From Discovery to Exploitation
Real-World Zero-Day Attacks and Their Impact
Why Zero-Day Vulnerabilities Are So Dangerous
Detecting Zero-Day Vulnerabilities
Challenges in Identifying Zero-Day Vulnerabilities
How Qualys Helps Organizations Manage Zero-Day Risk
Conclusion
Frequently Asked Questions (FAQs)
Executive Summary
Zero-day vulnerabilities pose a significant and growing risk as opportunistic attackers rapidly exploit unknown flaws before fixes are available. These threats can bypass traditional defenses, spread rapidly, and cause widespread disruption across organizations.
To r
Recorded Future
Smarter Cybersecurity with IPv6: How Drip Architecture Defeats Spray-and-Pray Attacks
blogs_recorded_future
# IPv6 Drip Drowns Spray-and-Pray
## AI Hackathons and the Future of Security Architecture
Last week, a few Futurists met up to work out the practical realities of AI-enabled Red Teaming (among other topics). In addition to two days of phenomenal vibe coding in Cursor, the final presentations were light on hyperbole and heavy on capabilities and remarkable outcomes, created in a day or less. Two years ago, when LLMs made their mainstream debut, I was dubious, but the hackathon confirmed recent observations (last three months) that AI is accelerating security workflows (like everything else) at warp speed. Change, soon driven primarily through various agentic flavors, is happening at a pace that is difficult to comprehend.
The flight home was spent considering how to get ahead of the adv
Greynoiseio
NoiseLetter April 2025
blogs_greynoiseio
References
- https://me.sap.com/notes/3594142
- https://url.sap/sapsecuritypatchday
- https://onapsis.com/blog/active-exploitation-of-sap-vulnerability-cve-2025-31324/
- https://www.bleepingcomputer.com/news/security/sap-fixes-suspected-netweaver-zero-day-exploited-in-attacks/
- https://www.theregister.com/2025/04/25/sap_netweaver_patch/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-31324
Timeline
- 2025-04-24: Published
- 2025-04-29: Added to CISA KEV
- Exploited in the wild