SAP zero-day vulnerability under widespread active exploitation | CyberScoop<\/title> <meta name=\"description\" content=\"Researchers attribute the attacks to an initial access broker who is exploiting the 10.0 critical vulnerability.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/sap-netweaver-zero-day-exploit-cve-2025-31324\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"SAP zero-day vulnerability under widespread active exploitation\"> <meta property=\"og:description\" content=\"Researchers attribute the attacks to an initial access broker who is exploiting the 10.0 critical vulnerability.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/sap-netweaver-zero-day-exploit-cve-2025-31324\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/cyberscoop\/\"> <meta property=\"article:published_time\" content=\"2025-04-25T17:51:21+00:00\"> <meta property=\"article:modified_time\" content=\"2025-04-25T17:51:25+00:00\"> <meta property=\"og:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/04\/sap-zero-day-vulnerability-under-widespread-active-exploitation-2.jpg\"> <meta property=\"og:image:width\" content=\"2121\"> <meta property=\"og:image:height\" content=\"1414\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"Matt Kapko\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:creator\" content=\"@CyberScoopNews\"> <meta name=\"twitter:site\" content=\"@CyberScoopNews\">  <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1744740145g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress\/dist\/css\/related-posts-block-styles.min.css?m=1745421713g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1740691656g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=a815169637cf454b7376\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" title=\"JSON\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/84307\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" content=\"WordPress 6.8\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=84307\">\n<link rel=\"alternate\" title=\"oEmbed (JSON)\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fsap-netweaver-zero-day-exploit-cve-2025-31324%2F\">\n<link rel=\"alternate\" title=\"oEmbed (XML)\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fsap-netweaver-zero-day-exploit-cve-2025-31324%2F&format=xml\">   <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"wp-singular post-template-default single single-post postid-84307 single-format-standard wp-theme-scoopnewsgroup wp-child-theme-cyberscoop\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/sap-netweaver-zero-day-exploit-cve-2025-31324\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--event js-stickybar\">\n<div class=\"stickybar__details\" readability=\"4.9180327868852\">\n<div class=\"stickybar__info js-sticky-bar-content\" readability=\"32\">\n<p>Voting is open for the 2025 CyberScoop 50 awards!<\/p>\n<\/div>\n<p> <a class=\"stickybar__link button button-tertiary\" href=\"https:\/\/cyberscoop.com\/cyberscoop50\/\">Click here!<\/a> <\/div>\n<p> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"25.454635108481\">\n<div class=\"single-article__header-content\" readability=\"34.054054054054\">\n<ul class=\"single-article__eyebrow\">\n<li class=\"single-article__category\"> <a class=\"single-article__category-link\" href=\"https:\/\/cyberscoop.com\/sap-netweaver-zero-day-exploit-cve-2025-31324\/\"> <span>Cybercrime<\/span> <\/a> <\/li>\n<\/ul>\n<p> Researchers attribute the attacks to an initial access broker who is exploiting the 10.0 critical vulnerability. <\/p>\n<p>  <br \/>\n<audio id=\"audio-player\" src=\"https:\/\/wp-tts-cdn.api.scpnewsgrp.com\/cyberscoop\/84307\/english.openai.mp3\"><\/audio> <\/p>\n<div readability=\"11\">\n<div>\n<p>Listen to this article<\/p>\n<p>  <\/p>\n<p>0:00<\/p>\n<\/p><\/div>\n<p>  <\/p>\n<p> <span id=\"tts-tooltip\">Learn more.<\/span> <span> This feature uses an automated voice, which may result in occasional errors in pronunciation, tone, or sentiment. <\/span> <\/p>\n<\/div>\n<p>  <\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"426\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/04\/sap-zero-day-vulnerability-under-widespread-active-exploitation.jpg?resize=640%2C426&ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/04\/sap-zero-day-vulnerability-under-widespread-active-exploitation-2.jpg 2121w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/04\/sap-zero-day-vulnerability-under-widespread-active-exploitation-2.jpg?resize=300,200 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/04\/sap-zero-day-vulnerability-under-widespread-active-exploitation-2.jpg?resize=768,512 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/04\/sap-zero-day-vulnerability-under-widespread-active-exploitation-2.jpg?resize=1024,683 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/04\/sap-zero-day-vulnerability-under-widespread-active-exploitation-2.jpg?resize=1536,1024 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/04\/sap-zero-day-vulnerability-under-widespread-active-exploitation-2.jpg?resize=2048,1365 2048w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/04\/sap-zero-day-vulnerability-under-widespread-active-exploitation-2.jpg?resize=600,400 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/04\/sap-zero-day-vulnerability-under-widespread-active-exploitation-2.jpg?resize=252,168 252w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/04\/sap-zero-day-vulnerability-under-widespread-active-exploitation-2.jpg?resize=506,337 506w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/04\/sap-zero-day-vulnerability-under-widespread-active-exploitation-2.jpg?resize=1013,675 1013w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/04\/sap-zero-day-vulnerability-under-widespread-active-exploitation-2.jpg?resize=1265,843 1265w\" sizes=\"(max-width: 1013px) 100vw, 1013px\"><figcaption> SAP software is used throughout the Fortune 500. The company is dealing with a critical software bug disclosed this week. (Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"47.961139896373\"><body readability=\"96.523230879199\"><\/p>\n<p>Threat hunters and security researchers have observed widespread exploitation of a zero-day vulnerability affecting SAP NetWeaver systems. The unrestricted file upload vulnerability \u2014 <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-31324\">CVE-2025-31324<\/a> \u2014 has a base score of 10 on the CVSS scale and allows attackers to upload files directly to the system without authorization. <\/p>\n<p>The software defect, which affects the SAP Visual Composer component for SAP NetWeaver, was <a href=\"https:\/\/reliaquest.com\/blog\/threat-spotlight-reliaquest-uncovers-vulnerability-behind-sap-netweaver-compromise\/\">discovered and published by ReliaQuest<\/a> on Tuesday. SAP issued an <a href=\"https:\/\/support.sap.com\/en\/my-support\/knowledge-base\/security-notes-news\/april-2025.html\">emergency patch for the vulnerability<\/a> on Thursday, but the enterprise company\u2019s security advisory is only available to SAP customers with login credentials. SAP did not immediately respond to a request for comment. <\/p>\n<p>\u201cThis isn\u2019t a theoretical threat \u2014 it\u2019s happening right now,\u201d watchTowr CEO Benjamin Harris said in an email.<\/p>\n<p>\u201cwatchTowr is seeing active exploitation by threat actors, who are using this vulnerability to drop web shell backdoors onto exposed systems and gain further access. This active in-the-wild exploitation and widespread impact makes it incredibly likely that we\u2019ll soon see prolific exploitation by multiple parties. If you thought you had time, you don\u2019t.\u201d<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Researchers don\u2019t know how many organizations have been affected by active exploitation of the vulnerability to date, but watchTowr confirmed it has observed widespread impact across critical industries. \u201cAttempts and probes definitely spiked today,\u201d Harris said. <\/p>\n<p>It\u2019s unclear how many SAP customers are already compromised, but SAP\u2019s presence in government and enterprise systems is vast. The company has more than 400,000 customers globally.<\/p>\n<p>\u201cSAP solutions are often used by government agencies and enterprises, making them high-value targets for attackers,\u201d ReliaQuest researchers said in a blog post.<\/p>\n<p>After querying internet server search engines Shodan and Censys, Onapsis estimates about 10,000 SAP instances are potentially vulnerable. <\/p>\n<p>\u201cDoing further analysis of SAP Netweaver Application Servers Java, we could estimate that between 50-70% of these types of systems that are internet-facing indeed have the component available. This estimation was done by checking the standard URL of the Visual Composer in the target systems,\u201d Onapsis CTO JP Perez-Etchegoyen said in an email.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>SAP Visual Composer is a modeling tool for SAP NetWeaver, a critical decades-old platform that supports various SAP applications and provides integrations with various sources. <\/p>\n<p>\u201cSAP Visual Composer is not installed by default, but is broadly enabled because it was a core component used by business process specialists to develop business application components without coding,\u201d Perez-Etchegoyen said in a <a href=\"https:\/\/onapsis.com\/blog\/active-exploitation-of-sap-vulnerability-cve-2025-31324\/\">Friday blog post<\/a>.<\/p>\n<p>The critical software defect allows unauthenticated attackers to abuse built-in functionality to upload files to SAP NetWeaver instances and achieve full remote code execution, resulting in total system compromise, according to Harris. <\/p>\n<p>\u201cWe believe the majority of exploitation occurred prior to disclosure, and believe it\u2019s still the same gang exploiting vulnerable systems right now,\u201d Harris said.<\/p>\n<p>Researchers haven\u2019t attributed the attacks to a specific threat group, but watchTowr has high confidence an initial access broker is behind the attacks, deploying backdoors that can or already have been sold to ransomware groups. <\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>\u201cThe fatal flaw in their plan though, and ultimately the challenge they may now face, is that the deployed backdoors did not restrict who could utilize the backdoor,\u201d Harris said. \u201cNow that this information is public, ransomware gangs will likely discover the deployed backdoors by themselves and bypass the need for said initial access broker.\u201d<\/p>\n<p>Researchers and incident responders are investigating multiple customer incidents and encourage SAP NetWeaver customers to patch their systems immediately. <\/p>\n<p>\u201cThis is as bad as it can get,\u201d Perez-Etchegoyen said. \u201cWe are talking about a CVSS 10 vulnerability, remotely exploitable through HTTP, unauthenticated and allowing for full system compromise. Not only that, but there are threat actors exploiting it in the wild.\u201d<\/p>\n<p> <\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"4.0956221198157\">\n<div class=\"author-card\" readability=\"14\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/04\/sap-zero-day-vulnerability-under-widespread-active-exploitation-1.jpg?w=640&ssl=1\" alt=\"Matt Kapko\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by Matt Kapko<\/h4>\n<p> Matt Kapko is a reporter at CyberScoop. His beat includes cybercrime, ransomware, software defects and vulnerability (mis)management. The lifelong Californian started his journalism career in 2001 with previous stops at Cybersecurity Dive, CIO, SDxCentral and RCR Wireless News. Matt has a degree in journalism and history from Humboldt State University. <\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p>  <\/div>\n<p>\n<\/div>\n<p> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p>   <\/body> <a href=\"https:\/\/cyberscoop.com\/sap-netweaver-zero-day-exploit-cve-2025-31324\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>SAP zero-day vulnerability under widespread active exploitation | CyberScoop Skip<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1765,282,78,256,4197,288,643,1170],"tags":[1770,286,86,262,4198,294,645,1171],"class_list":["post-7571","post","type-post","status-publish","format-standard","hentry","category-cve","category-cybercrime","category-cybersecurity","category-research","category-sap","category-threats","category-vulnerabilities","category-zero-days","tag-cve","tag-cybercrime","tag-cybersecurity","tag-research","tag-sap","tag-threats","tag-vulnerabilities","tag-zero-days"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cve\/\" rel=\"category tag\">CVE<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybercrime\/\" rel=\"category tag\">cybercrime<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity\/\" rel=\"category tag\">Cybersecurity<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/research\/\" rel=\"category tag\">Research<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/sap\/\" rel=\"category tag\">SAP<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/threats\/\" rel=\"category tag\">Threats<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/vulnerabilities\/\" rel=\"category tag\">vulnerabilities<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/zero-days\/\" rel=\"category tag\">zero-days<\/a>","tag_info":"zero-days","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/7571","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=7571"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/7571\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=7571"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=7571"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=7571"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

{"id":7571,"date":"2025-04-25T12:51:21","date_gmt":"2025-04-25T17:51:21","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=84307"},"modified":"2025-04-25T12:51:21","modified_gmt":"2025-04-25T17:51:21","slug":"sap-zero-day-vulnerability-under-widespread-active-exploitation","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2025\/04\/25\/sap-zero-day-vulnerability-under-widespread-active-exploitation\/","title":{"rendered":"SAP zero-day vulnerability under widespread active exploitation"},"content":{"rendered":"