IoC Scanner for SAP Zero-Day (CVE-2025-31324) available

Onapsis provides an open source tool in collaboration with Mandiant

[datensicherheit.de, 05/02/2025] Onapsis is providing an open source tool in collaboration with Mandiant. It is designed to help companies strengthen SAP security by identifying Indicators of Compromise (IoCs) associated with the active exploitation of a recently patched vulnerability in SAP NetWeaver Application Server Java (CVE-2025-31324).

Highest Criticality Vulnerability

CVE-2025-31324 is a critical, unauthenticated remote code execution vulnerability in the Visual Composer component of SAP NetWeaver that allows threat actors to take full control of compromised SAP servers.

Overview of CVE-2025-31324

The vulnerability affects SAP NetWeaver Java systems where the Visual Composer development environment is enabled and unpatched. If successfully exploited, attackers have full control over the system, including unrestricted access to sensitive SAP business data and processes, ransomware implementation and lateral movement. The first exploitation observed by Onapsis was on March 14, 2025. Threat activity has increased significantly, even though SAP deployed an emergency patch on April 24.

Patche install and environment check for threats recommended

Due to their criticality and widespread use, customers with vulnerable internet-based SAP applications are strongly advised not only to install patches, but also to check their environments for vulnerabilities.

Open source scanner for SAP Zero-Day

The open source scanner, which was developed by Onapsis in collaboration with Mandiant, is designed to support SAP customers in various aspects:

• Determine the vulnerability of the system to CVE-2025-31324
• Identify known Indicators of Compromise (IOCs) against available campaign information
• Scan for unknown web executables in known exploit paths
• Collect suspicious files in a structured ZIP archive with directory for later analysis
• Scan the SAP HTTP access log (if available) for entries related to the exploitation of CVE-2025-31324
• Extract and store copies of identified log entries in a CSV file for further analysis

This is an active campaign. The tool will be further updated as soon as more IoCs and information are available. A regular check for updates is recommended by the manufacturer.

The scanner is available for free download here on the Onapis blog.

Recommended actions for companies

• Immediately use SAP Note 3594142
• Start IoC scanner to detect signs of compromise
• Trigger the SAP-specific Incident Response Playbooks

According to SAP, the release of this tool is part of its efforts to support defenders against critical threats.

Further information on this topic:

Onapsis
SAP NetWeaver Flaw Lets Hackers Take Full Control: CVE-2025-31324 Explained

datensicherheit.de, 08.04.2021
Kritische SAP-Anwendungen im Fokus Cyber-Krimineller