SAP NetWeaver: A Race Between the Good and Bad Guys
June 2025 by CrowdSec
Here’s your Monday report on immediate and emerging threats. Powered by the CrowdSec Network.
Details on a Common Weaponization Timeline
As mentioned in the May CrowdSec VulnTracking report, the SAP NetWeaver Visual Composer vulnerability (CVE-2025-31324) was a very interesting case study: it highlighted the fact that mainstream malicious actors and legitimate security scanners depend on the same PoCs and write-ups before they act. Let's dive into the timeline and key findings.
Key findings
• Early reports suggest that a select group of highly skilled attackers weaponized the vulnerability before its public disclosure, but mass exploitation began immediately after the exploit details surfaced.
• Well-known scanning companies were also flagged probing for this vulnerability. In order of appearance, the first to act were cert.pl, hadrian.io, and stretchoid; the latter is still active today and accounts for most of the volume.
About the exploit
A critical zero-day vulnerability (CVSS 10.0) was identified in SAP NetWeaver’s Visual Composer component. This flaw allows unauthenticated attackers to upload arbitrary files via the /developmentserver/metadatauploader endpoint, leading to remote code execution with high privileges.
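As an added illustration (not CrowdSec's detection rule and not code from the original post), the following Python scans a reverse-proxy access log for requests to that endpoint, separates read-only probes from requests that carry a body to it, and orders the sources by first appearance, which is the view the timeline below is built on. The NCSA-style log layout, the field names, and the sample lines (RFC 5737 test addresses) are constructed assumptions; the path comparison is normalised for case, URL encoding and trailing slashes so trivial variations do not slip past it.

```python
"""Flag requests to the SAP NetWeaver Visual Composer metadata uploader
(CVE-2025-31324) in an access log. Added example; log format is assumed."""
import re
from collections import Counter, defaultdict
from datetime import datetime
from urllib.parse import unquote, urlsplit

# Endpoint named in the advisory. Compared after normalisation (see parse_line).
TARGET_PATH = "/developmentserver/metadatauploader"

# NCSA combined-style line: ip ident user [ts] "METHOD target proto" status size
# This layout is an assumption about the proxy in front of NetWeaver.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return a dict for a parseable line, None otherwise."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    # Drop the query string, decode %xx, strip trailing slash, lower-case:
    # a deliberately permissive match (more hits, fewer evasions).
    e["path"] = unquote(urlsplit(e["target"]).path).rstrip("/").lower()
    e["status"] = int(e["status"])
    return e


def classify(e):
    """None for unrelated traffic, 'probe' for a read-only touch of the
    endpoint, 'upload_attempt' for a request that carries a body to it."""
    if e is None or e["path"] != TARGET_PATH:
        return None
    if e["method"] in ("POST", "PUT"):
        return "upload_attempt"
    return "probe"


def analyse(lines):
    """Summarise matching traffic: verdict counts per source, sources in
    order of first appearance, and upload attempts the server answered 2xx
    (a 403/404 typically means the component is absent or patched; a 2xx
    on a POST warrants a forensic look at the host)."""
    verdicts = defaultdict(Counter)
    first_seen = {}
    accepted = []
    for line in lines:
        e = parse_line(line)
        v = classify(e)
        if v is None:
            continue
        verdicts[e["ip"]][v] += 1
        if e["ip"] not in first_seen or e["ts"] < first_seen[e["ip"]]:
            first_seen[e["ip"]] = e["ts"]
        if v == "upload_attempt" and 200 <= e["status"] < 300:
            accepted.append((e["ip"], e["ts"].isoformat(), e["status"]))
    return {
        "verdicts": {ip: dict(c) for ip, c in verdicts.items()},
        "order": sorted(first_seen, key=first_seen.get),
        "accepted_uploads": accepted,
    }


# Constructed sample log (not real traffic). Includes a mixed-case trailing-slash
# variant, a %-encoded variant and a query string to exercise normalisation.
SAMPLE_LOG = [
    '203.0.113.10 - - [26/Apr/2025:08:12:03 +0000] "GET /irj/portal HTTP/1.1" 200 5123',
    '198.51.100.7 - - [26/Apr/2025:09:40:51 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 200 412',
    '192.0.2.44 - - [27/Apr/2025:01:15:09 +0000] "POST /developmentserver/metadatauploader?foo=bar HTTP/1.1" 200 318',
    '192.0.2.44 - - [27/Apr/2025:01:16:40 +0000] "POST /developmentserver/metadata%75ploader HTTP/1.1" 404 0',
    '198.51.100.7 - - [27/Apr/2025:03:02:22 +0000] "HEAD /DevelopmentServer/MetadataUploader/ HTTP/1.1" 200 0',
    '203.0.113.10 - - [27/Apr/2025:05:00:00 +0000] "GET /irj/portal HTTP/1.1" 200 5123',
    'not a log line at all',
]

if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for ip in result["order"]:
        print(ip, result["verdicts"][ip])
    print("accepted uploads:", result["accepted_uploads"])
```

Run against a real log, the `order` list is what lets you say which scanner showed up first, and `accepted_uploads` is the short list of hosts to triage rather than the full hit count.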
Trend analysis
• First Publish Date (April 24, 2025): Vulnerability disclosed; no public exploits available.
• CrowdSec Network Monitoring Begins (April 26, 2025): No public exploits exist yet, but we deployed a detection rule. Early probes came from advanced actors: 37% used new, disposable infrastructure, while 63% were linked to already-known threats. Alert volume remained very low.
...