CVE-2025-31324: Vulnerability in SAP NetWeaver Exploited in the Wild
CVE-2025-31324, a zero day vulnerability in SAP NetWeaver, has been generating a good deal of chatter in recent days. Media outlets report that it is being targeted by multiple ransomware groups and Chinese Advanced Persistent Threat (APT) groups. The unauthenticated file upload vulnerability affects the Metadata Uploader component of SAP NetWeaver Visual Composer. Successful exploitation of this vulnerability could allow an unauthenticated attacker to upload malicious files which can be used by an attacker to achieve code execution. SAP has released patches to address CVE-2025-31324. On April 25, Tenable Research Response Team published a blog post about the vulnerability and provided guidance on how to identify affected systems using Tenable plugins. The blog post can be found here: https://www.tenable.com/blog/cve-2025-31324-zero-day-vulnerability-in-sap-netweaver-exploited-in-the-wild Media outlets reporting on CVE-2025-31324 include Bleeping Computer, CyberScoop and Dark Reading. On May 13, as part of the SAP Security Patch Day, SAP released a patch for CVE-2025-42999, a deserialization vulnerability affecting SAP NetWeaver. Onapsis identified and reported this flaw to SAP and noted this was an additional vector for exploitation that the April patch did not address. To ensure full remediation from these vulnerabilities, it’s imperative that both the April and May patches are applied to SAP NetWeaver hosts. If you have questions or concerns about this vulnerability, please submit a comment below or contact your Tenable sales representative.Frequently Asked Questions About Chinese State-Sponsored Actors Compromising Global Networks
Tenable’s Research Special Operations (RSO) team has compiled this blog to answer Frequently Asked Questions (FAQ) regarding state-sponsored threat actor activity associated with the People’s Republic of China (PRC). On August 27, the National Security Agency (NSA) published a joint cybersecurity advisory (CSA) authored and co-authored by a number of security agencies from the United States, Australia, Canada, New Zealand, United Kingdom, Czech Republic, Finland, Germany, Italy, Japan, the Netherlands, Poland and Spain. This CSA provides guidance on PRC state-sponsored threat actor activity and provides tactics, techniques and procedures (TTPs) utilized by these advanced persistent threat (APT) actors. These malicious actors have routinely targeted critical infrastructure, including telecommunications providers, but have also been observed attacking government, transportation, military and lodging entities. While the CSA provides some vulnerabilities exploited by these actors, it’s clear that this is not an exhaustive list and organizations need to continue to be vigilant in addressing known and exploitable vulnerabilities which are often abused for initial access to a victims network. The CVEs from the CSA are as follows: CVE Description CVSSv3 VPR CVE-2024-21887 Ivanti Connect Secure and Ivanti Policy Secure Command Injection Vulnerability 9.1 10 CVE-2023-46805 Ivanti Connect Secure and Ivanti Policy Secure Authentication Bypass Vulnerability 8.2 6.7 CVE-2024-3400 Command Injection Vulnerability in the GlobalProtect Gateway feature of PAN-OS 10 10 CVE-2023-20273 Cisco IOS XE Web UI Command Injection Vulnerability 7.2 8.4 CVE-2023-20198 Cisco IOS XE Web UI Elevation of Privilege Vulnerability 10 9.9 CVE-2018-0171 Cisco IOS and IOS XE Smart Install Remote Code Execution (RCE) Vulnerability 9.8 9.2 In addition to the FAQ, the team performed an analysis of Tenable telemetry data and found that a significant number of devices remain unremediated and pose a major risk to the organizations that have yet to successfully patch. As noted in the CSA, these “APT actors may target edge devices regardless of who owns a particular device.” Even in cases where an impacted entity is not a target of interest, these actors may still use compromised devices to conduct additional attacks on targeted networks. For more information about these vulnerabilities, including the availability of patches and Tenable product coverage, please visit our blog.CVE-2025-25256: Proof of Concept Released for Fortinet FortiSIEM Command Injection Vulnerability
On August 12, Fortinet published a security advisory (FG-IR-25-152) for CVE-2025-25256, a critical command injection vulnerability affecting Fortinet FortiSIEM. According to the advisory, exploitation of this flaw does not “produce distinctive” indicators of compromise (IoCs). As such, it may be difficult to identify that a device has been compromised. At the time the advisory was published by Fortinet on August 12, they warned that “practical exploit code” had been found in the wild, though they did not provide a link to the exploit. Tenable Research has attempted to identify a functional proof-of-concept (PoC) for this flaw, however, we have not successfully located one as of the time this post was published. For more information about the vulnerability, including the availability of patches and Tenable product coverage, please visit our blog.CrushFTP Zero-Day Exploited (CVE-2025-54309)
On July 18, CrushFTP warned that a zero-day in its CrushFTP software was being exploited in the wild. CVE Description CVSSv3 CVE-2025-54309 Unprotected Alternate Channel Vulnerability 9.0 According to CrushFTP, the vulnerability was first discovered as being exploited on July 18 at 9AM CST, though they caution that exploitation may have “been going on for longer.” For more information about the vulnerability, including the availability of patches and Tenable product coverage, please visit our blog.CVE-2023-20198: Zero-Day Vulnerability in Cisco IOS XE...
CVE-2023-20198: Zero-Day Vulnerability in Cisco IOS XE Exploited in the Wild On October 16, Cisco’s Talos published a blog post warning of a zero-day vulnerability in the Web User Interface (Web UI) feature of Cisco IOS XE software that has been exploited in the wild by unknown threat actors. According to the security advisory, CVE-2023-20198 is a privilege escalation vulnerability affecting Cisco IOS XE software, receiving the highest possible CVSS score of 10. Successful exploitation of this vulnerability would allow an attacker to create a user account with full administrative privileges. At this time, patches are not yet available to remediate this vulnerability. However Cisco’s security advisory does provide mitigation guidance to apply immediately to prevent exploitation of affected devices. For more information, please visit our blog.
