A new advisory from the cybersecurity company ReliaQuest warns of a significant vulnerability in SAP NetWeaver that sophisticated threat actors are already exploiting. It follows a recent alert from the Cybersecurity and Infrastructure Security Agency (CISA) about a separate, older vulnerability on the same platform. The previously undisclosed flaw gives attackers a persistent remote foothold from which they can deploy further payloads, posing a real threat to organizations, particularly in manufacturing.
ReliaQuest's investigations found that several incidents used the Brute Ratel C4 post-exploitation framework, together with Heaven's Gate, a technique that switches a 32-bit process into 64-bit execution to slip past the user-mode hooks that endpoint defenses rely on. The attackers have shown a clear interest in exploiting any weakness found in SAP systems, and their tradecraft reflects considerable preparation and precision.
Recent Exploitation Trends
CISA's warning about the earlier high-severity NetWeaver flaw (CVE-2017-12637), a directory traversal that lets attackers read sensitive SAP configuration files, came just over a month before ReliaQuest's report. The timing points to an unsettling trend: attackers are increasingly going after vulnerabilities in SAP systems, which is causing concern among security practitioners.
ReliaQuest observed that most compromised systems were fully patched at the time of compromise. That is what a zero-day looks like in practice: no fix existed yet, so patch status alone offered no protection. Rapid7 confirmed the trend, observing exploitation activity across hundreds of customer environments dating back to March 27, 2025. The frequency and targeting of these attacks make this a threat organizations must address proactively.
Most of the attacks have focused on manufacturing companies, an industry that has historically been especially exposed. The attackers drop web shells into the directory "j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root/", the JSP root of the NetWeaver portal (irj) application, which gives them persistent access to and control over the affected systems.
Methodology of Exploitation
The exploitation process appears methodical. In many cases the threat actors waited several days between initial access and follow-on activity, a delay that may reflect a deliberate choice to avoid detection while establishing a presence in the target environment.
The findings suggest that initial access brokers (IABs) act as gatekeepers here: they compromise systems and then sell that access to other threat groups, handing them ready-made entry points. This points to a lucrative market for access to exploited SAP systems, and organizations need to act now to strengthen their security posture against these threats.
The new flaw lies in the "/developmentserver/metadatauploader" endpoint within SAP NetWeaver. The vulnerability lets attackers gain remote access to systems, and from that foothold they can deliver further payloads, which makes the defender's job considerably harder.
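The two indicators the report names, requests to the metadata uploader endpoint (/developmentserver/metadatauploader) and unexpected .jsp files under j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root/, can be hunted for directly. The script below is an added example, not tooling from ReliaQuest, Rapid7 or SAP. The log lines are constructed in a common-log-style layout for illustration (real ICM logs follow whatever format icm/HTTP/logging_N is configured with, so the regex would need adjusting), and the directory tree it scans is built in a temporary folder with a placeholder file standing in for a dropped web shell.

```python
"""Hunt for the two NetWeaver indicators named in the report.

Added example, not the vendors' own tooling:
  1. requests to the metadata uploader endpoint in HTTP access logs
  2. unexpected .jsp/.java files in the IRJ servlet_jsp root on disk
"""
import os
import re
import tempfile
from pathlib import Path

# Endpoint and web shell directory as named in the report.
UPLOADER_PATH = "/developmentserver/metadatauploader"
SHELL_DIR_SUFFIX = "j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root"

# Constructed sample log lines (common-log-like layout, not real ICM output).
SAMPLE_LOG = """\
10.0.0.5 - - [20/Apr/2025:03:12:41 +0000] "GET /irj/portal HTTP/1.1" 200 5123
203.0.113.7 - - [20/Apr/2025:03:14:02 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 812
203.0.113.7 - - [20/Apr/2025:03:14:09 +0000] "GET /irj/helper.jsp?cmd=whoami HTTP/1.1" 200 64
10.0.0.9 - - [20/Apr/2025:03:20:00 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 401 0
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def find_uploader_requests(lines):
    """Return (source, timestamp, method, status) for every request whose path
    starts with the uploader endpoint.  A POST answered with 2xx is the strongest
    signal; any other status still shows that someone probed the endpoint."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # line does not match the configured layout; skip it
        path = m.group("path").split("?", 1)[0]
        if path.lower().startswith(UPLOADER_PATH):
            hits.append((m.group("src"), m.group("ts"),
                         m.group("method"), int(m.group("status"))))
    return hits


def _under_shell_dir(dirpath):
    """True if dirpath is the servlet_jsp/irj/root directory or lies below it."""
    norm = "/" + Path(dirpath).as_posix().strip("/") + "/"
    return ("/" + SHELL_DIR_SUFFIX + "/") in norm


def find_unexpected_jsp(instance_root, baseline=frozenset()):
    """Walk instance_root and return .jsp/.java files inside the web shell
    directory whose file name is not in the baseline of known-good files."""
    found = []
    for dirpath, _, files in os.walk(instance_root):
        if not _under_shell_dir(dirpath):
            continue
        for name in files:
            if name.lower().endswith((".jsp", ".java")) and name not in baseline:
                found.append(os.path.join(dirpath, name))
    return sorted(found)


def build_sample_tree():
    """Constructed sample: one legitimate index.jsp plus a dropped helper.jsp
    (placeholder content, not a real web shell) in a temporary directory."""
    root = Path(tempfile.mkdtemp(prefix="nw_"))
    shell_dir = root / "DVEBMGS00" / SHELL_DIR_SUFFIX  # instance name assumed
    shell_dir.mkdir(parents=True)
    (shell_dir / "index.jsp").write_text("<%-- constructed: known-good file --%>\n")
    (shell_dir / "helper.jsp").write_text("<%-- constructed: stands in for a dropped shell --%>\n")
    return root


if __name__ == "__main__":
    for hit in find_uploader_requests(SAMPLE_LOG.splitlines()):
        print("uploader request:", hit)
    for path in find_unexpected_jsp(build_sample_tree(), baseline={"index.jsp"}):
        print("unexpected JSP:", path)
```

Against a real system the baseline would be the set of files present in that directory on a known-clean installation of the same patch level, and the log hunt would be run across every ICM access log since March 2025, not just the most recent one, given how early the exploitation began.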
Implications for Organizations
All organizations running SAP NetWeaver should take note of these developments and act. An exploited zero-day should raise alarms on two counts: attacks were under way before any fix existed, and exploitation is already widespread. Patching and updating are necessary but not sufficient; they must be paired with continuous monitoring and, where needed, a rethink of how these systems are exposed.
Government and private organizations, particularly in manufacturing, should promptly complete security assessments of their SAP estates and keep strong incident response plans in place. As documented in depth in our attack stories, the precision of modern attacks means endpoint protection alone is not enough.