SAP NetWeaver Zero-Day Attack

What is the Attack?

A zero-day SAP vulnerability, CVE-2025-31324, with a CVSS score of 10.0 is being actively exploited in the wild. The vulnerability affects SAP Visual Composer and allows unauthenticated threat actors to upload arbitrary files, resulting in full compromise of the targeted system and a potentially significant impact on its confidentiality, integrity, and availability.

The vulnerability stems from the SAP NetWeaver Visual Composer Metadata Uploader lacking proper authorization protection, which allows unauthenticated agents to upload potentially malicious executable binaries.

CISA added the CVE to its Known Exploited Vulnerabilities Catalog on April 29, 2025.

What is the recommended Mitigation?

The vulnerability exists in the SAP Visual Composer component for SAP NetWeaver 7.1x (all SPS). Although the vulnerable component is not included in NetWeaver's default configuration, SAP security firm Onapsis highlights that it is commonly enabled in many installations (Onapsis Blog).

SAP released an emergency patch for this issue on April 24, 2025:
https://me.sap.com/notes/3594142

What FortiGuard Coverage is available?

  • Intrusion Prevention System (IPS): An IPS signature is available to detect and block exploit attempts targeting CVE-2025-31324.

  • Antimalware and Sandbox Service: Delivers protection against known malware and uses advanced behavioral analysis to detect and block unknown threats.

  • Indicators of Compromise (IOC): FortiGuard Labs has blocked all known IOCs linked to the campaigns targeting the SAP NetWeaver vulnerability (CVE-2025-31324).

  • Incident Response: The FortiGuard Incident Response team is available to assist with any suspected compromise.

Outbreak Alert

FortiGuard’s global sensor network reports consistently high levels of attack attempts targeting vulnerabilities associated with Earth Lamia APT campaigns. According to Trend Research, the hacking group known as Earth Lamia has been actively targeting a range of sectors, including finance, government, IT, logistics, retail, and education, shifting its focus based on evolving objectives and time periods. The group is known for its high level of activity and primarily exploits known vulnerabilities in public-facing systems and web applications to gain access.
