CVE-2025-31324 exploit attempts on the rise

Active exploitation of SAP NetWeaver Zero-Day CVE-2025-31324 surges
At the end of April, the CrowdSec Network detected a wave of exploitation attempts targeting a critical zero-day vulnerability (CVSS 10.0) in SAP NetWeaver's Visual Composer component. This flaw allows unauthenticated attackers to upload arbitrary files, leading to remote code execution with high privileges.

Key findings
• The CrowdSec Network successfully detected coordinated actors exploiting this vulnerability for the first time on April 26, 2025.
• Now, the number of exploiters has increased 20-fold, and the CrowdSec Network has identified several threat actors behind it with more than 1,700 IPs actively scanning for this vulnerability.
• While some are flagged as benign actors, such as Stretchoid, some are also truly malicious.

About the exploit
A critical zero-day vulnerability (CVSS 10.0) was identified in SAP NetWeaver's Visual Composer component. This flaw allows unauthenticated attackers to upload arbitrary files via the /developmentserver/metadatauploader endpoint, leading to remote code execution with high privileges. Active exploitation in the wild was confirmed, with attackers deploying web shells and tools like Brute Ratel to gain persistent access.

Trend analysis
• April 25, 2025: The CrowdSec Network starts flagging the first exploitation attempts.
• April 28, 2025: The CrowdSec Network publicly communicated about 40 IPs exploiting the CVE.