Second wave of attacks hitting SAP NetWeaver after zero-day compromise
Threat actors have been observed launching a second wave of attacks against SAP NetWeaver instances that were compromised via a recent zero-day vulnerability, enterprise application security firm Onapsis warns.
The zero-day, tracked as CVE-2025-31324 (CVSS score of 10/10), was disclosed on April 24, after SAP updated its April 2025 Security Patch Day bulletin to add a fresh note addressing it.
In-the-wild exploitation of the bug was observed by cybersecurity firm ReliaQuest on systems that had the latest patches installed and was associated with initial access brokers. According to Mandiant, the flaw had been exploited since at least mid-March 2025.
Read more at Security Week