Indicators of Compromise Scanner for SAP Zero-Day (CVE-2025-31324)

Onapsis, in collaboration with Mandiant, is releasing an open source tool to help organizations identify Indicators of Compromise (IoCs) associated with active in-the-wild exploitation of a recently patched vulnerability in SAP NetWeaver Application Server Java (CVE-2025-31324).
CVE-2025-31324 is a critical unauthenticated remote code execution vulnerability in the Visual Composer component of SAP NetWeaver, allowing threat actors to take full control of vulnerable SAP servers.
Onapsis and Mandiant are currently supporting multiple global organizations in incident response efforts related to this issue.
For context on the threat behind this tool, read our overview of the active exploitation of CVE-2025-31324.
Overview of CVE-2025-31324
This vulnerability affects SAP NetWeaver Java systems where the Visual Composer development environment is enabled and unpatched. Successful exploitation gives attackers full control over the system, including unrestricted access to sensitive SAP business data and processes, the ability to deploy ransomware, and lateral movement. Onapsis’ first observed exploitation dates back to March 14, 2025, and activity has significantly increased since the emergency patch was released by SAP on April 24, 2025.
Due to the critical nature of the issue and widespread exploitation, customers with vulnerable internet-facing SAP applications are strongly encouraged to not only patch but also assess their environments for compromise.
More information about the issue can be found by visiting Onapsis’ threat research on CVE-2025-31324.
About the Scanner
The open source scanner, developed by Onapsis in collaboration with Mandiant, is designed to help SAP customers:
- Detect whether the system is vulnerable to CVE-2025-31324
- Identify known Indicators of Compromise (IoCs) related to available campaign information
- Scan for unknown web-executable files in known exploit paths
- Collect suspicious files into a structured ZIP archive with a manifest for future analysis
Please note that this is an active campaign, and we will continue to update this tool as more IoCs and information become available. Check for updates often.
🔗 Download the scanner on GitHub.
LICENSE & LEGAL DISCLAIMER: This tool is released under the Apache 2.0 open source license. This tool is provided as-is, without warranty or liability.
TECHNICAL DISCLAIMER: This tool automates checks for vulnerability and IoC information on a live OS, running with the permissions of the user executing the script. This is NOT a substitute for forensic analysis or advanced incident response. Sophisticated attackers often clean up evidence of their intrusion while deploying rootkits and leveraging techniques to evade detection.
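The last two scanner functions listed above (flagging unknown web-executable files and collecting them into a ZIP archive with a manifest) are illustrated below. This is an added example, not the Onapsis/Mandiant scanner's code: the extension list, the known-good hash baseline, the manifest fields and the scan directory are assumptions, and the sample files are constructed.

```python
import hashlib, json, os, tempfile, zipfile
from datetime import datetime, timezone

# Assumption: extensions treated as web-executable on a Java application server.
WEB_EXEC_EXT = {".jsp", ".jspx", ".class", ".war"}

def iter_web_executables(scan_root):
    """Yield full paths of files under scan_root with a web-executable extension."""
    for dirpath, _dirs, files in os.walk(scan_root):
        for name in files:
            if os.path.splitext(name)[1].lower() in WEB_EXEC_EXT:
                yield os.path.join(dirpath, name)

def collect(scan_root, known_good, zip_path):
    """Archive files whose SHA-256 is not in known_good (hypothetical baseline); return manifest."""
    entries = []
    with zipfile.ZipFile(zip_path, "w", zipfile.ZIP_DEFLATED) as zf:
        for full in sorted(iter_web_executables(scan_root)):
            with open(full, "rb") as fh:
                data = fh.read()  # read once so the hash describes the archived bytes
            digest = hashlib.sha256(data).hexdigest()
            if digest in known_good:
                continue
            rel = os.path.relpath(full, scan_root).replace(os.sep, "/")
            mtime = datetime.fromtimestamp(os.path.getmtime(full), timezone.utc)
            zf.writestr("files/" + rel, data)
            entries.append({"path": rel, "sha256": digest, "size": len(data),
                            "mtime_utc": mtime.isoformat()})
        manifest = {"scan_root": scan_root, "files": entries,
                    "collected_utc": datetime.now(timezone.utc).isoformat()}
        zf.writestr("manifest.json", json.dumps(manifest, indent=2))
    return manifest

def demo():
    """Run collect() over a constructed directory tree; return (manifest, zip names)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "webroot")  # placeholder for a real scan directory
        os.makedirs(os.path.join(root, "sub"))
        samples = {"index.jsp": b"known page", "logo.png": b"image",
                   "sub/dropped.jsp": b"constructed unknown file"}
        for rel, data in samples.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        known = {hashlib.sha256(b"known page").hexdigest()}
        zip_path = os.path.join(tmp, "collected.zip")
        manifest = collect(root, known, zip_path)
        with zipfile.ZipFile(zip_path) as zf:
            return manifest, sorted(zf.namelist())
```

Calling `demo()` returns the manifest and the archive's member names; only the file that has a web-executable extension and is absent from the baseline is collected.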
Live Threat Briefing on May 7, 2025
Onapsis and Mandiant will host a live threat briefing on Wednesday, May 7, 2025 at 10am EST / 4pm CEST, to provide:
- A deep dive into CVE-2025-31324 and its exploitation in the wild
- Detection and response strategies
- Live walkthrough of the IoC scanner
- Q&A with Onapsis and Mandiant threat experts
📅 Register for the webinar here.
For additional technical analysis, visit our SAP Zero-Day Threat Research Hub or watch the on-demand briefing.
Final Recommendations
- Apply SAP Note 3594142 immediately
- Run the IoC scanner to identify signs of compromise
- Initiate your SAP-specific incident response playbooks
The release of this tool is part of Onapsis and Mandiant’s efforts to support defenders during critical threats. For more details on CVE-2025-31324 and threat intelligence updates, visit the Onapsis Research Labs blog.