CISO

Security Advisory

Critical SAP NetWeaver Vulnerabilities Addressed in May 2025 Patch – Immediate Action Required 

Summary : SAP has released critical security updates for its May 2025 patch, including fixes for two actively exploited zero-day vulnerabilities in SAP NetWeaver Visual Composer.

SAP Visual Composer is not installed by default, however it is enabled because it was a core component used by business process specialists to develop business application components without coding.

OEM  SAP 
Severity  Critical 
Date of Announcement  2025-05-13 
No. of Vulnerabilities Patched  16 
Actively Exploited  Yes 
Exploited in Wild  Yes 
Advisory Version  1.0 

Overview 

The most severe issue, CVE-2025-31324 (CVSS 10.0), is a critical unauthenticated file upload vulnerability that has been exploited in the wild since January 2025 for remote code execution (RCE). 

This issue was originally addressed in an SAP security note issued on April 24, 2025, and has since been supplemented by a second vulnerability, CVE-2025-42999, involving insecure deserialization.

These vulnerabilities have been used together in chained attacks to gain full system access on vulnerable SAP NetWeaver servers. 

Vulnerability Name  CVE ID  Product Affected  Severity  CVSS Score 
Unauthenticated File Upload (RCE)  CVE-2025-31324  SAP NetWeaver  Critical  10.0 
Insecure Deserialization (RCE)  CVE-2025-42999  SAP NetWeaver  Critical  9.1 

Technical Summary 

Attackers have leveraged two flaws in SAP NetWeaver Visual Composer in chained exploit scenarios to gain unauthorized remote access and execute arbitrary commands.

CVE-2025-31324 enables unauthenticated file uploads, and CVE-2025-42999 allows privileged users to exploit insecure data deserialization for command execution.

These vulnerabilities have impacted hundreds of internet-facing SAP instances, including systems operated by major enterprises. 

CVE ID  System Affected  Vulnerability Details  Impact 
CVE-2025-31324  SAP NetWeaver Visual Composer  Unauthenticated file upload vulnerability in development server.  Remote Code Execution (RCE) without privileges 
CVE-2025-42999  SAP NetWeaver Visual Composer  Insecure deserialization in Visual Composer user-accessible function.  Remote Code Execution (RCE) without privileges 

Source: SAP 

In addition to the actively exploited vulnerabilities, several other High Severity Vulnerabilities were also addressed: 

  • CVE-2025-30018: SAP Supplier Relationship Management (Live Auction Cockpit) – Multiple vulnerabilities (CVSS 8.6) 
  • CVE-2025-43010: SAP S/4HANA Cloud Private Edition / On Premise (SCM Master Data Layer) – Code injection (CVSS 8.3) 
  • CVE-2025-43000: SAP Business Objects Business Intelligence Platform (PMW) – Information disclosure (CVSS 7.9) 
  • CVE-2025-43011: SAP Landscape Transformation (PCL Basis) – Missing authorization check (CVSS 7.7) 
  • CVE-2024-39592: SAP PDCE – Missing authorization check (CVSS 7.7) 

Remediation

  • Apply Patches Promptly: Install the May 2025 security updates immediately to mitigate risks from CVE-2025-42999 and other high-severity vulnerabilities, including CVE-2025-31324, along with additional security improvements across various SAP products. 

General Recommendations: 

  • Disable Visual Composer Service: If possible, disable the Visual Composer service to further reduce risk. 
  • Restrict Access to Metadata Upload Functions: Limit access to the metadata uploader to trusted users to prevent unauthorized file uploads. 
  • Monitor for Suspicious Activity: Continuously monitor the SAP NetWeaver environment for any signs of suspicious activity related to the vulnerabilities. 

Conclusion: 

  • The dual exploitation of CVE-2025-31324 and CVE-2025-42999 underscores the critical need for proactive patching and vigilant monitoring of enterprise SAP environments.
  • The vulnerabilities are being exploited by sophisticated threat actors, including the Chinese APT group Chaya_004, with over 2,000 exposed NetWeaver instances and hundreds already compromised. 
  • In response to the severity, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has included CVE-2025-31324 in its Known Exploited Vulnerabilities Catalog and has mandated federal agencies to remediate by May 20, 2025, under Binding Operational Directive 22-01. Organizations are strongly urged to act immediately to protect their SAP environments. 

References

 

 

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Ut elit tellus, luctus nec ullamcorper mattis, pulvinar dapibus leo.

Security Advisory

Microsoft May 2025 Patch Tuesday Released; Fixed 83 Vulnerabilities, Including 5 Zero-Days

May 2025 Patch Tuesday by Microsoft

Continue Reading
Security Advisory

FBI Warns  End-of-Life Routers Exploited in Active Botnet and Proxy Campaigns 

Summary 

The FBI issued an alert warning of ongoing exploitation of 13 EOL Linksys/Cisco routers by cybercriminal groups operating the 5Socks and Anyproxy services.

The threat actors are using known vulnerabilities in outdated firmware to install malware, hijack routers, and leverage them as part of a botnet or proxy service used to mask malicious activities. 

The malware establishes persistent access via regular communication with a command & control (C2) server, and affected devices are being rented out to other criminals.

The FBI strongly recommends replacing EOL devices with with newer and actively supported model or at least disabling remote management features immediately. 

Technical Details 

Attack Overview 

  • Entry Point: Remote administration services exposed to the Internet. 
  • Authentication Bypass: Attackers bypass password protection to gain shell/root access. 
  • Malware Capabilities
  • Maintains persistent presence through C2 check-ins every 60 seconds to 5 minutes. 
  • Opens ports to act as proxy relays. 
  • Enables the sale of infected routers as “proxy-as-a-service” infrastructure. 

Confirmed Vulnerable Devices 

The FBI has identified the following end-of-life (EOL) routers from Cisco and Linksys as actively targeted in these campaigns: 

  • E1200 
  • E2500 
  • E1000 
  • E4200 
  • E1500 
  • E300 
  • E3200 
  • WRT320N 
  • E1550 
  • WRT610N 
  • E100 
  • M10 
  • WRT310N 

Indicators of Compromise (IOCs) 

Since the malware is router-based, it is difficult for an end user to know if their device is compromised due to the inability of antivirus tools to scan these devices.

Below is a list of files associated with the malware’s router exploitation campaign: 

Name Hash 
0_forumdisplay-php_sh_gn-37-sh 661880986a026eb74397c334596a2762 
1_banana.gif_to_elf_t 62204e3d5de02e40e9f2c51eb991f4e8 
2_multiquote_off.gif_to_elf_gn-p_forward- 
hw-data-to-exploit-server 		9f0f0632b8c37746e739fe61f373f795 
3_collapse_tcat_gif_sh_s3-sh 22f1f4c46ac53366582e8c023dab4771 
4_message_gif_to_elf_k cffe06b0adcc58e730e74ddf7d0b4bb8 
5_viewpost_gif_to_elf_s 084802b4b893c482c94d20b55bfea47d 
6_vk_gif_to_elf_b e9eba0b62506645ebfd64becdd4f16fc 
7_slack_gif_DATA 41e8ece38086156959804becaaee8985 
8_share_gif_DATA 1f7b16992651632750e7e04edd00a45e 
banana.gif-upx 2667a50869c816fa61d432781c731ed2 
message.gif-upx 0bc534365fa55ac055365d3c31843de7 

Recommended Mitigations

  • Replace Vulnerable Devices: Immediately replace EOL routers with models still supported by vendors and receiving firmware/security updates. 
  • Disable Remote Administration: Turn off any form of remote management via web, SSH, or Telnet. 
  • Reboot Compromised Devices: This can temporarily disrupt malware persistence, though not permanently remove it. 
  • Network Segmentation: Isolate critical devices from consumer routers or IoT networks. 
  • Implement Monitoring Tools: Use firewalls or network sensors that detect unusual traffic or device behavior. 

“End of life routers were breached by cyber actors using variants of TheMoon malware botnet,” reads the FBI bulletin.

“Recently, some routers at end of life, with remote administration turned on, were identified as compromised by a new variant of TheMoon malware. This malware allows cyber actors to install proxies on unsuspecting victim routers and conduct cyber crimes anonymously.”

References


Blogs

Identity Based Attacks, the Growing Risk; How do Orgs’ Navigate

In 2025 identity based attacks have surged up and research reveals how identity based attacks  have affected  identities, endpoints and cloud assets over 4 million past year as reported by threat detection report 2025 by  Red Canary.

As organizations grow and continue to harness technology, identity based attacks grow to and risk associated with them. And this brings us to understand he urgent need for strong identity protection as adversaries explore new techniques.

The Threat landscape is vast and have variety to support the attack includes evolving ransomware tactics, supply chain weaponization and attacks on non-human identities.

In this blog we take a look at what rate identity based attacks are growing and what is required to strengthen organizational strategies for resilience.

Of late the type of attacks that are taking center stage are Social engineering based attacks that has gained popularity as per CrowdStrike report.

Voice phishing (vishing) attacks surged by 442% between the first and second half of 2024 as groups like CURLY SPIDER trick employees into handing over login details.

Those who don’t steal credentials can buy them — access broker activity was up nearly 50% in 2024, reflecting the growing market for illicit access.

Further, more than half (52%) of observed vulnerabilities in 2024 were tied to initial access.

The weakest link in Identity threats

With the usage of cloud most of the enterprises are shifting workload to cloud or hybrid cloud environment and now cloud infrastructure remains one of the points where frequency of attack has increased to achieve initial access.

This also includes increases in  macOS threats, info stealers and business email compromise. VPN based abuse is hard to detect so a easy gateway for criminals to launch ransomware based attacks and these products are actually leveraging identity based attacks including insider threats.

Threat researchers from Sygnia have noticed misconfigured Identity and Access Management (IAM) policies are one of the biggest culprits in creating openings for lateral movement and privilege escalation by attackers.

Popular social media websites and apps are breeding grounds for identity based attack that started from social engineering tactics being deployed by state sponsored threat groups to deliver their harmful intentions.

Example: Hackers gained access to Microsoft 365 tenant and authenticated against Entra ID using captured session tokens. This technique not only bypassed multi-factor authentication (MFA), but also circumvented other security controls that were in place.

AWS access keys were discovered on the compromised devices as well, giving the attackers two ways into the AWS environment—through direct API access and the web console via compromised Entra ID users.

Now business are looking to move beyond passwords and weak MFA. Passkeys, Biometric authentication, Risk-based access, and Continuous identity verification will become non-negotiable.

Bolstering organizations identity governance, adopting zero trust principles and participating in identity-focused red team assessments will be the need of the hour.

What can security leaders do to Stay Ahead of Identity-Based Attacks in 2025?

Passwords aren’t enough these day nor are MFA as attackers are advanced in techniques and wont wait to break authentication when they can bypass, manipulate, or socially engineer their way in.

  • Go passwordless: FIDO2, Passkeys, Biometrics are not required or eliminate them
  • Enforce phishing-resistant authentication: No SMS, no email-based resets, no security questions.
  • Implement real-time identity monitoring: Spot privilege escalations before attackers use them.
  • Require device trust: If a device isn’t secure you are not secured.

Organizations can stay ahead of this growing threat by leveraging GaarudNode which seamlessly integrate to detect and mitigate exposed credentials in real time. 

GaarudNode is an all-in-one solution designed to empower development teams with the tools they need to secure their applications throughout the development lifecycle. By combining the power of SAST, DAST, SCA, API security, and CSPM, GaarudNode provides a comprehensive security framework that ensures your applications are built, tested, and deployed with confidence.
GaarudNode Identifies security flaws early in the development process by scanning source code, helping developers detect issues like insecure coding practices or logic errors.
Tests running applications in real-time to identify vulnerabilities such as SQL injection, Cross-Site Scripting (XSS), and other runtime threats.
Detects third-party libraries and open-source components, ensuring that your dependencies don’t introduce risks.
Continuously tests and monitors your APIs for vulnerabilities such as authentication flaws, data exposure, and insecure endpoints.


Do connect or DM for queries

Source: https://www.crowdstrike.com/en-us/blog/how-to-navigate-2025-identity-threat-landscape/

Security Advisory

OpenCTI Web-Hook Flaw Enables Full System Compromise

Summary

OEMFiligran
SeverityCritical
CVSS Score9.1
CVEsCVE-2025-24977
Actively ExploitedNo
Exploited in WildNo
Advisory Version1.0

Overview

A critical vulnerability (CVE-2025-24977) in the OpenCTI Platform allows authenticated users with specific permissions to execute arbitrary commands on the host infrastructure, leading to potential full system compromise.

Vulnerability NameCVE IDProduct AffectedSeverityFixed Version
​ Webhook Remote Code Execution vulnerability  CVE-2025-24977OpenCTI  Critical  6.4.11

Technical Summary

The vulnerability resides in OpenCTI’s webhook templating system, which is built on JavaScript. Users with elevated privileges can inject malicious JavaScript into web-hook templates.

Although the platform implements a basic sandbox to prevent the use of external modules, this protection can be bypassed, allowing attackers to gain command execution within the host container.

Due to common deployment practices using Docker or Kubernetes, where environment variables are used to pass sensitive data (eg: credentials, tokens), exploitation of this flaw may expose critical secrets and permit root-level access, leading to full infrastructure takeover.

CVE IDSystem AffectedVulnerability DetailsImpact
    CVE-2025-24977  OpenCTI (≤ v6.4.10)The webhook feature allows JavaScript-based message customization. Users with manage customizations permission can craft malicious JavaScript in templates to bypass restrictions and execute OS-level commands. Since OpenCTI is often containerized, attackers can gain root access and extract sensitive environment variables passed to the container.  Root shell access in the container, exposure of sensitive secrets, full system compromise, lateral movement within infrastructure.

Remediation:

  • Upgrade: Immediately update to OpenCTI version 6.4.11 or later.
  • Restrict user permissions: Especially the manage customizations capability — limit access to trusted personnel only.
  • Review and audit: Existing webhook configurations for signs of misuse, unauthorized scripts, or suspicious behavior.
  • Implement container hardening practices: Reduce risk of secret exposure by:
    • Avoiding storage of secrets in environment variables when possible.
    • Using dedicated secret management tools.
    • Running containers with least privilege and limiting runtime capabilities.

The misuse can grant the attacker a root shell inside a container, exposing internal server-side secrets and potentially compromising the entire infrastructure.

Conclusion:
CVE-2025-24977 presents a highly exploitable attack vector within the OpenCTI platform and must be treated as an urgent priority for remediation.

The combination of remote code execution, privileged access and secret exposure in containerized environments makes it especially dangerous.

Organizations leveraging OpenCTI should upgrade to the latest version without delay, review their deployment security posture, and enforce strict access control around webhook customization capabilities.

References:

Security Advisory

Apache Parquet Java Vulnerability Enables Remote Code Execution via Avro Schema 

Summary Security Advisory:

A high-severity remote code execution (RCE) has been identified in Apache Parquet Java, specifically within the parquet-avro module. Discovered by Apache contributor Gang Wu, this vulnerability affects all versions up to and including 1.15.1 and can allow attackers to execute arbitrary code when a system processes a specially crafted Parquet file. The issue is fixed in version 1.15.2. 

OEM Apache 
Severity High 
CVSS Score Not Available 
CVEs CVE-2025-46762 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

Apache Parquet is an open-source, columnar storage format designed for efficient data processing, widely used by big data platforms and organizations engaged in data engineering and analytics.

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
Remote Code Execution vulnerability  CVE-2025-46762 Apache Parquet Java  High  1.15.2 

Technical Summary 

CVE-2025-46762 arises from insecure schema parsing logic in the parquet-avro module of Apache Parquet Java. When the application uses the “specific” or “reflect” Avro data models to read a Parquet file, malicious actors can inject specially crafted metadata into the Avro schema portion of the file.

Upon deserialization, the system may inadvertently execute code from Java classes listed in the default trusted packages (e.g., java.util), resulting in remote code execution. The vulnerability is not present when using the safer “generic” Avro model. 

CVE ID System Affected Vulnerability Details Impact 
  CVE-2025-46762  Apache Parquet Java ≤1.15.1 Insecure deserialization in the parquet-avro module allows execution of arbitrary Java classes when processing Parquet files with embedded malicious Avro schemas. The issue is exploitable only when using the “specific” or “reflect” data models, and relies on the presence of pre-approved trusted packages like java.util.  Remote Code Execution (RCE), potential supply chain compromise, unauthorized code execution. 

Conditions for Exploitation: 

  • Applications must use parquet-avro to read Parquet files. 
  • The Avro “specific” or “reflect” deserialization models are used (not “generic”). 
  • Attacker-supplied or untrusted Parquet files are processed by the system. 

This creates significant risk in data processing environments such as Apache Spark, Flink, and Hadoop, where external Parquet files are commonly ingested. 

Remediation

  • Upgrade to Apache Parquet Java version 1.15.2: This version addresses the vulnerability by tightening controls around trusted packages and blocking unsafe deserialization. 
  • For users unable to upgrade immediately: apply the following JVM system property to disable trusted package deserialization: 

-Dorg.apache.parquet.avro.SERIALIZABLE_PACKAGES=”” 

Conclusion: 
CVE-2025-46762 presents a significant RCE threat within big data ecosystems that use Apache Parquet Java with the parquet-avro module. Systems relying on unsafe deserialization patterns are especially at risk. Prompt patching or configuration hardening is strongly recommended to safeguard against exploitation. 

References

Security Advisory

Tesla Model 3 VCSEC Vulnerability Allows Remote Code Execution via TPMS Exploit 

Summary of Security Advisory

A high-severity vulnerability (CVE-2025-2082) in Tesla Model 3’s Vehicle Controller Security (VCSEC) module allows attackers within wireless range to remotely execute arbitrary code by exploiting a flaw in the Tire Pressure Monitoring System (TPMS)

OEM Tesla 
Severity High 
CVSS Score 7.5 
CVEs CVE-2025-2082 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

This provides potentiality in giving access to critical vehicle controls; Tesla has addressed the issue in firmware version 2024.14. 

Vulnerability Name CVE ID Product Affected Severity CVSS Score 
​Remote Code Execution vulnerability  CVE-2025-2082 Tesla Model 3   High  7.5 

Technical Summary 

The vulnerability lies in the VCSEC module, responsible for security functions like immobilization, door locking, and TPMS monitoring.

An integer overflow occurs when the VCSEC processes malformed certificate responses transmitted via the TPMS subsystem. Exploiting this flaw enables memory corruption, leading to remote code execution.

The attack does not require user interaction or authentication and can be carried out over adjacent wireless interfaces such as Bluetooth Low Energy (BLE) or Ultra-Wideband (UWB).

Once compromised, attackers may issue unauthorized commands to the Controller Area Network (CAN) bus, which governs safety-critical systems including braking, steering, and acceleration. 

CVE ID System Affected Vulnerability Details Impact 
  CVE-2025-2082   Tesla Model 3 (pre-2024.14) Integer overflow in VCSEC module’s certificate handling logic triggered by malformed TPMS messages.  Remote code execution, unauthorized CAN bus access, potential control over critical systems 

Remediation

  • Update Tesla Firmware: Owners should update firmware version 2024.14 via the vehicle’s touchscreen or over-the-air (OTA) updates. 
  • Avoid Wireless Threats: Refrain from connecting to unknown BLE/UWB networks and using unauthorized TPMS accessories. 

Conclusion: 
This vulnerability demonstrates how auxiliary vehicle systems like TPMS can serve as entry points for serious security breaches. While Tesla’s prompt patch release, reflects good incident response, this case underscores the urgency for ongoing scrutiny of wireless automotive components. Owners must apply the firmware update and maintain secure update practices to reduce the risk of exploitation. 

References

Security Advisory

High-Severity Linux Kernel Flaw Exposes Systems to Root-Level Attacks

Security advisory: Linux Kernel Flaw raised from vulnerability related to improper memory handling when the splice() function is called. Specifically, the kTLS code fails to correctly update the internal accounting of the plaintext scatter-gather buffer, leading to an out-of-bounds memory write flaw. 

OEMLinux
SeverityHigh
CVSS Score7.8
CVEsCVE-2025-21756
POC AvailableYes
Actively ExploitedNo
Exploited in WildNo
Advisory Version1.0

Overview

A high-severity vulnerability (CVE-2025-21756) has been discovered in the Linux kernel’s Virtual Socket (vsock) implementation, allowing local privilege escalation to root via a use-after-free (UAF) condition caused by incorrect reference counting during socket binding operations.

Vulnerability NameCVE IDProduct AffectedSeverityCVSS Score
​ Use-After-Free vulnerability  CVE-2025-21756Linux kernel  High  7.8

Technical Summary

The kTLS subsystem in the Linux Kernel enables direct TLS encryption and authentication functions within the kernel, supporting secure communication for protocols like HTTPS, email, and other internet-connected applications.

CVE IDSystem AffectedVulnerability DetailsImpact
    CVE-2025-21756    Linux kernel (pre-6.6.79, 6.12.16, 6.13.4, and 6.14-rc1)Improper handling of reference counts in vsock_remove_sock() leads to premature freeing of vsock objects. Attackers can exploit the Use-After- Free (UAF) by reclaiming free memory using crafted pipe buffers and leveraging unprotected tools like vsock_diag_dump() to leak kernel pointers.      Local privilege escalation to root and potential full system compromise.

CVE-2025-21756 is a use-after-free vulnerability in the Linux kernel’s vsock subsystem. It arises due to incorrect reference counter management during transport reassignment of sockets, leading to memory corruption and potential privilege escalation.

Affected systems are particularly exposed in virtualized environments where vsock is actively used.

Remediation:

  • Update Linux Kernel: Users should update their systems immediately with the latest kernel versions
  • Restrict Local Access: Until patches are applied, limit vsock use in shared environments and restrict local access where feasible.
  • Monitor for Exploitation Attempts: Watch for anomalies related to the vsock subsystem, including unexpected kernel panics or vsock socket activity.
  • Review Security Module Configurations: While AppArmor and similar LSMs offer partial protection, ensure they are enabled and correctly configured.

Conclusion:
CVE-2025-21756 poses a significant threat to Linux systems, particularly in cloud and virtualized environments. Its discovery and detailed analysis by Michael Hoefler revealed not only a critical vulnerability but also advanced exploitation techniques capable of bypassing protections like AppArmor and KASLR.

Given the existence of public proof-of-concept code and reliable attack paths, organizations must prioritize patching and mitigation to avoid root-level compromise.

References:



Blogs

Frequency & Sophistication of DDoS Attack rise to198% in 1stQ 2025

Ways to protect enterprise assets and infrastructure is not only a CISO’s responsibility but a cause of worry for CXO, CTO ‘s as a powerful DDoS attack can cause havoc on revenues, productivity and reputation.

Threat mitigation from any DDoS attack, requires services from secured and trusted partners who can offer expertise and scale whenever required to mitigate the threats that emerge from DDoS attack.

This is also important from cost point of view as large enterprise bear the burnout and it requires expertise to constantly monitor and clean the traffic that get routed to customer network.

It is important organization find service oriented partners who have skilled networking capacity and processing power so that in face of attack, they can automatically respond to DDoS attacks, detect and mitigate.

According to MazeBolt research, even the best DDoS protections leave enterprises highly exposed. Typically, large-scale, global organizations are only 60% protected – leaving the door wide open for cybercriminals to exploit the gaps.

Statistics show from past DDoS attacks have taken down large services like Spotify, GitHub, Microsoft services like Outlook and OneDrive.

According to new data released by Netscout, distributed denial of service (DDoS) attacks are on the rise. There were 17 million such attacks in 2024 – up from 13 million the year before. It’s an astonishing rise that has big implications for your business.

Defining DDoS attack

When a cyber criminal or malicious actor push for a service with additional requests than it can handle, making the resources unavailable and non-functional subsequently bringing it down.

In cases DDoS attack forcefully shuts a website, network, or computer offline by overloading it with requests. We often hear Black Friday sales out in big giant displays, these often drive a lot of internet traffic towards the brand or one destination at once.

A DDoS attack works when several different IP addresses target the same platform at same time that can overwhelm the server in question and bring it down.

Often, this attack is carried botnets which are a collection of devices when infected with malware, they can controlled remotely by cyber criminals. DDoS attack is executed by several different actors at the same time.

Increase in DDoS Attack in 2025

DDoS attacks increased by 198% compared to the last quarter of 2024 and by 358% compared to the same quarter last year.

On April 3 attack targeted an unnamed online betting organization, lasting around 90 minutes, starting at 11:15 with a surge of 67Gbps, before escalating sharply to 217Gbps by 11:23, and peaked just short of 1Tbps at 965Gbps by 11:36.

Research shows A total of 20.5 million DDoS attacks were stopped during the period, of which 6.6 million attacks were directly targeted at Cloudflare’s infrastructure. Gaming servers were the most popular target for DDoS attacks. Attack patterns remains spotted during the 2024 UEFA European Football Championship, held in Germany, where spikes in DDoS activity also targeted online betting sites.

In Geopolitics DDoS has emerged as a tool that is often and can be abused to target attacks.

According to research by NETSCOUT, the second half of 2024 saw almost 9 million DDoS attacks, a 12.75% increase from the first six months. Israel in particular saw a 2,844% increase in attacks, seeing a high of 519 in one day.

The above mentioned Russian hacking group, NoName057(16), focused primarily on government services in the UK, Belgium, and Spain. Georgia also saw a 1,489% increase in attacks in the lead up to the “Russia Bill”, highlighting its use as a political weapon.

Network-layer DDoS attacks were the primary driver of the overall surge. In Q1 2025, 16.8 million of these attacks were blocked, representing a 509% year-over-year rise and a 397% increase from the prior quarter.

Hyper-volumetric attacks, defined as those exceeding 1 terabit per second (Tbps) or one billion packets per second (Bpps), have become increasingly common. Cloudflare reported approximately 700 such attacks during the quarter, averaging about eight per day.

Major targets of DDoS attack

Globally, there have been notable changes in the most-targeted locations. Germany moved up four spots to become the most attacked country in Q1 2025.

Turkey made an 11-place jump to secure second position, while China dropped to third. Hong Kong, India, and Brazil also appeared among the top most-attacked countries, with movements seen across several regions in the rankings. Australia, for its part, remained outside the global top ten.

Industries facing the most pressure have shifted this quarter as well. The Gambling & Casinos sector moved to the top position as the most targeted industry, after climbing four places.

Telecommunications dropped to second, and Information Technology & Services followed in third.

Other industries experiencing notable increases in attacks included Cyber Security, which jumped 37 places, and Airlines, Aviation & Aerospace. In Australia, the industries facing the most attacks were Telecommunications, Information Technology and Services, Human Resources, and Consumer Services.

The report detailed attack vectors and trends, showing that the most common technique at the network layer remains SYN flood attacks, followed by DNS flood and Mirai-launched attacks.

Among HTTP DDoS attacks, more than 60% were identified and blocked as known botnets, with others attributed to suspicious attributes, browser impersonation, and cache busting techniques.

Cloudflare observed significant surges in two emerging attack methods. CLDAP reflection/amplification attacks grew by 3,488% quarter-over-quarter, exploiting the connectionless nature of the protocol to overwhelm victims with reflected traffic.

Similarly, ESP reflection/amplification attacks rose 2,301%, underscoring vulnerabilities in systems using the Encapsulating Security Payload protocol.

Despite the increase in the volume and size of attacks, the report noted that 99% of network-layer DDoS attacks in Q1 2025 were below 1 Gbps and one million packets per second.

Likewise, 94% of HTTP attacks fell below one million requests per second. Most attacks were short-lived, with 89% of network-layer and 75% of HTTP attacks ending within 10 minutes, but the impact can persist much longer due to the resulting service disruptions.

Addressing the rise of DDoS attack & Mitigation solution

DDoS attack intends to disrupt some or all of its target’s services there are variety of DDoS attacks. They are all uniquely different. There are three common types of DDoS attacks:

  • Volumetric (Gbps)
  • Protocol (pps)
  • Application layer (rps) attacks.

An effective DDoS attack is launched when near by network detects easily the cheap IoT devices like toys, small appliances, thermostats, security camera and Wi-Fi routers. These devices makes it easy to launch an effective attack that can have massive impact.

Threat Mitigation of DDoS attack

Application Layer attacks can be detected early with solutions by monitoring visitor behavior, blocking known bad bots and constant testing.

To do this more effectively Intrucept recently launched Cyber Analytics platform

Cyber Analytics platform 𝘀𝗲𝗮𝗺𝗹𝗲𝘀𝘀𝗹𝘆 𝗯𝗿𝗶𝗻𝗴𝘀 𝘁𝗼𝗴𝗲𝘁𝗵𝗲𝗿 𝘁𝗵𝗲 𝗽𝗶𝗹𝗹𝗮𝗿𝘀 𝗼𝗳 𝗺𝗼𝗱𝗲𝗿𝗻 𝗰𝘆𝗯𝗲𝗿 𝘀𝗲𝗰𝘂𝗿𝗶𝘁𝘆 𝗶𝗻𝘁𝗼 𝗼𝗻𝗲 𝘂𝗻𝗶𝗳𝗶𝗲𝗱 𝗲𝗰𝗼𝘀𝘆𝘀𝘁𝗲𝗺 𝗶.𝗲. 𝗯𝗲𝘀𝘁-𝗶𝗻-𝗰𝗹𝗮𝘀𝘀 𝗮𝘀 𝘀𝗲𝗰𝘂𝗿𝗶𝘁𝘆 𝗽𝗿𝗼𝗱𝘂𝗰𝘁𝘀.

✅ XDR (Extended Detection & Response)
✅ Next-Gen SIEM (Security Information & Event Management)
✅ SOAR (Security Orchestration, Automation & Response)
✅ Threat Intelligence
✅ AI-Powered Security Analytics
𝗖𝘆𝗯𝗲𝗿 𝗔𝗻𝗮𝗹𝘆𝘁𝗶𝗰𝘀 𝗱𝗲𝗹𝗶𝘃𝗲𝗿𝘀:
Real-time threat detection across endpoints, cloud, networks, and apps
Automated incident response to reduce MTTR & human fatigue
AI-driven insights to power proactive, risk-based decision-making
Built for agility, scalability & actionable intelligence; our platform gives security teams the edge required to move from playing catch-up to staying ahead.
𝗖𝘆𝗯𝗲𝗿 𝗔𝗻𝗮𝗹𝘆𝘁𝗶𝗰𝘀 𝗿𝗲𝗽𝗿𝗲𝘀𝗲𝗻𝘁𝘀 𝗮 𝘀𝘁𝗲𝗽 𝗳𝗼𝗿𝘄𝗮𝗿𝗱 𝗶𝗻 𝗮𝗰𝗵𝗶𝗲𝘃𝗶𝗻𝗴 𝗯𝗲𝘁𝘁𝗲𝗿 𝘀𝗲𝗰𝘂𝗿𝗶𝘁𝘆 𝗼𝘂𝘁𝗰𝗼𝗺𝗲𝘀.

Sources; Targeted by 20.5 million DDoS attacks, up 358% year-over-year: Cloudflare’s 2025 Q1 DDoS Threat Report

DDoS attacks have skyrocketed 358% year-over-year, report says

Security Advisory

Critical SAP NetWeaver Zero-day Vulnerability Exploited in the Wild 

As per researchers hackers are actively exploiting a critical unrestricted-file-upload vulnerability in SAP NetWeaver Visual Composer. Regarding this urgent patch has been released by SAP to fix CVE-2025-31324, a zero-day vulnerability in SAP NetWeaver Visual Composer.

Critical SAP NetWeaver Zero-day Vulnerability Exploited in the Wild 

The vulnerability in SAP NetWeaver Visual Composer that may have allowed unauthenticated and unauthorized code execution in certain Java Servlets.

Several cybersecurity companies have reported active exploitation in the wild.

Summary 

OEM SAP 
Severity Critical 
CVSS Score 10.0 
CVEs CVE-2025-31324 
POC Available No 
Actively Exploited Yes 
Exploited in Wild Yes 
Advisory Version 1.0 

Overview 

This vulnerability enables remote uploading and execution of malicious files by unauthenticated attackers, potentially compromising the entire system.

It is highly advised to implement patching or mitigation measures right away in order to guard against possible espionage, sabotage, data theft, and operational disruption. 

Vulnerability Name CVE ID Product Affected Severity CVSS Score 
Missing Authorization in Metadata Uploader  CVE-2025-31324 SAP  Critical  10.0 

Technical Summary 

The vulnerability stems from a missing authorization check in the Metadata Uploader component of SAP NetWeaver Visual Composer.

Attackers can exploit this by sending crafted unauthenticated POST requests to the development server/meta data uploader endpoint, allowing them to upload arbitrary JSP webshell files.

Once uploaded, attackers can interact with these shells via simple GET requests to execute arbitrary commands, resulting in remote code execution (RCE) with <sid>adm operating system privileges — effectively giving full control over SAP systems. 

CVE ID System Affected Vulnerability Details Impact 
  CVE-2025-31324  SAP NetWeaver Visual Composer (VCFRAMEWORK 7.50) Missing authorization check at /developmentserver/metadatauploader enables unauthenticated malicious file uploads. Webshells planted can be used to execute OS-level commands, deploy additional malware, and move laterally across the network. Full system compromise including: 
– Remote Command Execution 
– Privilege Escalation 
– Data Exfiltration 
– Ransomware Deployment 
– Potential Espionage/Sabotage/Fraud 

Key Exploitation Details: 

  • Exploited Path: /developmentserver/metadatauploader 
  • Common Webshell Files: helper.jsp, cache.jsp, and others with randomized names. 
  • Post-Exploitation Tools: 
  • Brute Ratel: Used for C2 operations, credential theft, privilege escalation. 
  • Heaven’s Gate: 32-to-64 bit transition technique for evading endpoint detection. 

Risk Factors: 

  • Systems where Visual Composer is enabled (even though it is not enabled by default). 
  • Systems exposed to the internet. 
  • Systems without custom security measures protecting the Metadata Uploader endpoint. 

Remediation

  • Apply SAP Patch: Updated the patches released by SAP without waiting for routine patch cycles. 
  • Restrict Access: Block external access to the /development server/metadata uploader endpoint via firewall or reverse proxy rules. 
  • Disable Visual Composer: If Visual Composer is not critical to business operations, disable it to remove the attack surface. 

Recommendations: 

  • Conduct Threat Hunting: 

Scan for suspicious JSP files (e.g., helper.jsp, cache.jsp) in these directories: 

  • /j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root 
  • /j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/work 
  • /j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/work/sync 
  • Monitoring and SIEM: Forward logs from the NetWeaver server to SIEM tools and monitor for unauthorized file upload activity. 
  • Utilize Open-Source Tools: Use scanners (such as those released by Onapsis) to check system vulnerability. 

Conclusion: 
Given the criticality and active exploitation of CVE-2025-31324, organizations running SAP NetWeaver Visual Composer should prioritize patching and mitigation efforts. The potential for full system compromise, ransomware attacks, and data exfiltration represents a severe business risk. Immediate action is strongly advised to secure SAP environments and prevent exploitation. 

References

Scroll to top