
SAP Vulnerability Alert: Onapsis and Mandiant unveil an open-source tool for detecting hacking attempts

Discover details on the significant SAP security weakness and the assistance given by Onapsis and Mandiant to companies in addressing this issue.


To support defenders against a critical threat, Onapsis and Mandiant have joined forces to develop an open-source tool for detecting signs of compromise related to the active exploitation of CVE-2025-31324 in SAP NetWeaver Application Server Java. Released under the Apache 2.0 Open Source License, the tool is available for download on GitHub. It is designed to help SAP customers determine whether their system is vulnerable, identify indicators of compromise (IoCs), search for unknown web-based executable files, collect suspicious files into a structured ZIP archive, and produce a manifest for later analysis.

It is crucial to note that the tool automates vulnerability and IoC checks on a live operating system, running with the permissions of the user who launches the script. It is not a replacement for forensic analysis or advanced incident response measures: experienced attackers often remove traces of their intrusion, deploy rootkits, and use other techniques to evade detection.

The vulnerability, first observed by Onapsis on March 14, 2025, affects SAP NetWeaver Java systems that have the Visual Composer development environment enabled and unpatched. Since SAP released an emergency patch on April 24, 2025, exploitation activity has increased significantly. Customers whose vulnerable SAP applications are connected to the internet are strongly recommended to install the patches and check their environments for compromise.

On May 7, 2025, at 10 AM EST/4 PM CEST, Onapsis and Mandiant will host a live threat briefing. The event will cover a comprehensive look at CVE-2025-31324, its exploitation, detection and response strategies, a live demonstration of the IoC Scanner, and a Q&A with threat experts from Onapsis and Mandiant. Registration for the webinar can be done here.
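The article describes the scanner's workflow only at a high level: look for unexpected web-executable files, hash them, pack them into a ZIP, and write a manifest for later analysis. The following is an added illustration of that collection pattern, written for this page; it is not the Onapsis/Mandiant scanner's code and uses no IoCs from it. The web-root layout, the file names and the list of "unexpected" extensions are constructed assumptions for the demo, and the script runs with whatever permissions the invoking user has, which is the same caveat the article attaches to the real tool.

```python
"""Added example: collect unexpected web-executable files from a web root
into a ZIP archive with a JSON manifest (hash, size, mtime) for later review.
Not the Onapsis/Mandiant IoC Scanner; a constructed, self-contained demo."""
import hashlib
import json
import os
import tempfile
import zipfile
from datetime import datetime, timezone

# Assumption for the demo: file types a defender would not expect to appear
# under a deployed application's upload or temp directories.
SUSPICIOUS_EXTENSIONS = {".jsp", ".jspx", ".class", ".war"}


def sha256_of(path: str) -> str:
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_suspicious_files(root: str, extensions=SUSPICIOUS_EXTENSIONS) -> list:
    """Walk the tree under root and record every file whose extension is unexpected."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in extensions:
                continue
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            findings.append({
                "path": os.path.relpath(full, root),
                "size": st.st_size,
                "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
                "sha256": sha256_of(full),
            })
    findings.sort(key=lambda f: f["path"])  # deterministic order for the manifest
    return findings


def package_evidence(root: str, findings: list, zip_path: str) -> dict:
    """Copy the flagged files into a ZIP under evidence/ and embed a manifest.json."""
    manifest = {
        "collected_at_utc": datetime.now(timezone.utc).isoformat(),
        "source_root": os.path.abspath(root),
        "files": findings,
    }
    with zipfile.ZipFile(zip_path, "w", zipfile.ZIP_DEFLATED) as zf:
        for f in findings:
            zf.write(os.path.join(root, f["path"]),
                     arcname=os.path.join("evidence", f["path"]))
        zf.writestr("manifest.json", json.dumps(manifest, indent=2))
    return manifest


def list_archive(zip_path: str) -> list:
    """Return the sorted entry names of an archive, for verifying what was packed."""
    with zipfile.ZipFile(zip_path) as zf:
        return sorted(zf.namelist())


def demo() -> dict:
    """Build a constructed web root (one benign HTML file, two unexpected files),
    run the collector, and return the manifest plus the archive listing."""
    root = tempfile.mkdtemp(prefix="webroot_")
    upload_dir = os.path.join(root, "webapp", "upload")
    os.makedirs(upload_dir)
    with open(os.path.join(root, "webapp", "index.html"), "w") as fh:
        fh.write("<html>ok</html>")                       # benign, not collected
    with open(os.path.join(upload_dir, "helper.jsp"), "w") as fh:
        fh.write("<%-- constructed sample file --%>")     # flagged by extension
    with open(os.path.join(upload_dir, "x.class"), "wb") as fh:
        fh.write(b"\xca\xfe\xba\xbe" + b"\x00" * 8)       # 12-byte constructed stub

    findings = find_suspicious_files(root)
    zip_path = os.path.join(tempfile.mkdtemp(prefix="evidence_"), "evidence.zip")
    manifest = package_evidence(root, findings, zip_path)
    manifest["zip_path"] = zip_path
    manifest["archive_entries"] = list_archive(zip_path)
    return manifest


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest records a SHA-256 per file so that a reviewer can later confirm the archive was not altered and can match hashes against whatever IoC list they are working from; the archive itself is only a convenience for triage, not a substitute for forensic imaging, as the article notes.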
Successful exploitation of this vulnerability grants attackers full control over the system, including access to sensitive business data and processes, deployment of ransomware, and lateral movement. Regularly checking for updates to the tool is also advised, as this is an active campaign, and the tool will be updated as more IoCs and information become available. For more information on CVE-2025-31324 and updated threat intelligence, visit the Onapsis Research Labs Blog. It is essential to stay informed and proactive in the face of such critical threats. The final recommendations are to apply SAP Note 3594142 immediately, run the IoC Scanner to identify signs of compromise, and initiate SAP-specific incident response playbooks.
