
New SAP Zero-Day Enables Remote Code Execution


A dangerous SAP Zero-Day flaw has allowed attackers to hack into hundreds of systems worldwide, gaining the power to run malicious code remotely since January 2025.

The vulnerability, tracked as CVE-2025-31324, is now confirmed to allow remote code execution (RCE), not just file uploads as initially believed. It carries the maximum CVSS severity score of 10 out of 10. SAP released a patch on April 24, but attackers had already been exploiting the flaw for days before that.

Cybersecurity firms Onapsis and Mandiant discovered the attacks and found that threat actors had already broken into many SAP NetWeaver servers. In fact, some hackers came back later to launch more attacks using hidden tools they had left behind.

This zero-day isn’t limited to one sector. Victims span energy, retail, manufacturing, government, oil and gas, pharma, and media industries. The attack has spread across several regions, proving it’s a global threat.

According to Onapsis, attackers used POST, GET, and HEAD requests to trigger remote commands. These actions went well beyond uploading files: they gave the attackers full control of the system. The firm stressed that these attackers know SAP deeply; they moved stealthily and could maintain access even without leaving webshells behind.

The timeline of the exploit is also alarming. Hackers began probing systems on January 20, 2025, long before the flaw became public. By the time SAP patched it, the damage was already done.

A second wave of attacks started on April 29. Security firm Forescout linked this phase to a Chinese threat actor, codenamed Chaya_004. Unlike the earlier attacks, this campaign was more targeted, focusing on specific industries and systems.

To help companies detect these intrusions, Onapsis and Mandiant have updated their open-source scanner tools. These updates now include the latest indicators of compromise (IoCs) tied to CVE-2025-31324.

Security experts are urging immediate action. If you can't patch right away, apply the available mitigations. If your SAP system is exposed to the internet, conduct a full compromise assessment immediately. The longer systems remain unprotected, the greater the risk.
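A compromise assessment usually starts with the web-server access logs. The following is an added example written for this article, not code from SAP, Onapsis or Mandiant, and not their scanner tools. It triages Apache/NGINX combined-format log lines for POST, GET and HEAD requests to a watched upload endpoint on or after the January 20, 2025 probing date reported above, and then flags any follow-on request for a `.jsp` resource from a source that previously hit that endpoint, which is the kind of webshell follow-up the article describes. The endpoint path `WATCHED_PATH`, the log lines and the IP addresses are constructed placeholders; replace the path with the one named in the vendor advisory and extend the matching with the current IoCs.

```python
"""Added example: triage web-server access logs for activity matching the
exploitation pattern described in the article. Endpoint path, sample log
lines and addresses are constructed for illustration only."""
import re
from datetime import datetime, timezone

# Assumption: placeholder for the vulnerable upload endpoint path.
# Substitute the real path from the vendor advisory before use.
WATCHED_PATH = "/sap-upload-endpoint-placeholder"

# HTTP methods the article reports were used to trigger remote commands.
WATCHED_METHODS = {"POST", "GET", "HEAD"}

# Earliest probing activity reported in the article (January 20, 2025).
WINDOW_START = datetime(2025, 1, 20, tzinfo=timezone.utc)

# Apache/NGINX "combined" log format: ip ident user [ts] "method target proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
LOG_TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log lines (not real traffic; RFC 5737 documentation addresses).
SAMPLE_LOG = """\
203.0.113.7 - - [19/Jan/2025:10:00:01 +0000] "GET /irj/portal HTTP/1.1" 200 512
198.51.100.23 - - [21/Jan/2025:03:14:07 +0000] "HEAD /sap-upload-endpoint-placeholder HTTP/1.1" 200 0
198.51.100.23 - - [21/Jan/2025:03:14:09 +0000] "POST /sap-upload-endpoint-placeholder?CONTENTTYPE=MODEL HTTP/1.1" 200 17
198.51.100.23 - - [21/Jan/2025:03:15:30 +0000] "GET /irj/root/helper.jsp HTTP/1.1" 200 64
192.0.2.44 - - [02/May/2025:12:00:00 +0000] "GET /sap-upload-endpoint-placeholder HTTP/1.1" 404 0
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], LOG_TS_FORMAT)
    rec["path"] = rec["target"].split("?", 1)[0]   # drop the query string
    rec["status"] = int(rec["status"])
    return rec


def triage(log_text):
    """Return a list of findings for requests inside the exploitation window.

    Two reasons are reported:
      watched-endpoint : POST/GET/HEAD to WATCHED_PATH (any status; a 404 still
                         shows someone probing for the endpoint)
      follow-on-jsp    : a later request for a .jsp resource from a source that
                         already touched the watched endpoint
    """
    findings = []
    suspects = set()  # source addresses that have hit the watched endpoint
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["ts"] < WINDOW_START:
            continue
        if rec["path"] == WATCHED_PATH and rec["method"] in WATCHED_METHODS:
            suspects.add(rec["ip"])
            findings.append({"reason": "watched-endpoint", "ip": rec["ip"],
                             "ts": rec["ts"], "method": rec["method"],
                             "status": rec["status"]})
        elif rec["ip"] in suspects and rec["path"].lower().endswith(".jsp"):
            findings.append({"reason": "follow-on-jsp", "ip": rec["ip"],
                             "ts": rec["ts"], "path": rec["path"],
                             "status": rec["status"]})
    return findings


def suspect_sources(findings):
    """Distinct source addresses that appear in any finding, for follow-up review."""
    return sorted({f["ip"] for f in findings})


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["ts"].isoformat(), f["ip"], f["reason"], f.get("method") or f.get("path"), f["status"])
    print("sources to review:", suspect_sources(triage(SAMPLE_LOG)))
```

Run against the constructed sample, the script reports the HEAD and POST probes from 198.51.100.23, the `.jsp` request that follows them, and the later GET from 192.0.2.44 even though it returned 404; the request from January 19 falls before the window and is ignored. A hit on this check is a reason to pull the host into the compromise assessment the article calls for, not proof of compromise on its own.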
