CVE-2025-31324: A Critical SAP Zero-Day in Active Exploitation

A critical zero-day vulnerability — CVE-2025-31324 — is shaking the enterprise tech world.
 In this episode, we dive deep into the alarming exploit targeting SAP NetWeaver Java systems, specifically the Visual Composer component, now under active attack.

This vulnerability enables unauthorized file uploads, which attackers are using to deploy webshells, cryptominers (like XMRig), and potential infostealers. Threat actors are already exploiting this flaw in the wild, as confirmed by leading cybersecurity firms and SAP itself.

You’ll hear:

• How attackers are weaponizing CVE-2025-31324 for remote code execution
• Real-world attack activity detected as early as April 26, 2025
• Tools and indicators of compromise (IOCs) released by SAP, Onapsis, Mandiant, Pathlock, and WithSecure
• What defenders need to do right now to patch or mitigate
• Why experts expect a second wave of attacks, as exploit code circulates publicly

We also cover:

• The CVSS 10.0 criticality score and what it means
• How attackers are using Living Off the Land (LOL) techniques, such as certutil, for lateral movement
• SAP’s emergency patch (Note #3594142) and temporary mitigation strategies

If your organization uses SAP, this is must-listen content. Even if it doesn’t, this episode is a masterclass in how fast zero-days go from discovery to weaponization — and how defenders can keep up.

🔐 Patching isn't optional anymore — it's urgent.