SAP customers faced a critical attack. A zero-day vulnerability (CVE-2025-31324, CVSS 10.0) in SAP NetWeaver's Visual Composer is a missing authorization check in the Metadata Uploader endpoint (/developmentserver/metadatauploader). Because the endpoint never checked who was calling it, anyone who could reach it over HTTP could upload arbitrary files with a single unauthenticated POST request, no login needed. Dropping a JSP webshell this way gave threat actors immediate code execution on business-critical ERP systems.
What Happened
- Discovery and disclosure: ReliaQuest discovered and reported the vulnerability on April 22, 2025. SAP officially released emergency patch Note 3594142 on April 24, 2025.
- Attackers gained remote access: By posting to the vulnerable Visual Composer upload endpoint, they wrote malicious files (JSP webshells) such as helper.jsp, cache.jsp and short, randomly named JSP files directly into the portal's web-accessible directories, then drove them with ordinary HTTP requests.
- Full system control: A webshell runs as the SAP application server's operating-system user (typically the <sid>adm account), so attackers could run any command, install malware, steal sensitive data, or move to other systems inside the network.
- Business disruption: They could corrupt, update or delete data, shut down SAP applications, or deploy ransomware, seriously impacting business operations.
- Evidence erased: With that level of access, attackers could delete application and OS logs and cover their tracks, making detection and investigation much harder.
Why It Matters
This wasn’t just a phishing scam or endpoint breach.
Attackers compromised the core of business operations, the ERP systems where financials, procurement, and sensitive supply chain data live. Environments current on every SAP patch were still exposed, because exploitation began before a fix existed; that is what made this a zero-day.
If left unaddressed, the risks are massive:
- Financial Theft: Vendor payments hijacked and diverted to fraudulent accounts
- Operational Downtime: Procurement, payroll, and supply chains paralyzed
- Data Breach: Loss of contracts, pricing, personal, and payment data
- Regulatory Trouble: SOX, GDPR, and SEC violations with steep penalties
- Vendor and Supply Chain Damage: Payment disruption and trust breakdowns
- Brand and Reputation Hit: Public trust and investor confidence shattered
ERP systems are now a prime target for financially motivated attackers. Traditional perimeter defenses aren’t enough.
Immediate Actions SAP Customers Should Take
- Apply the fix from SAP Security Note 3594142 immediately. Patching closes the upload path but does not evict an attacker who is already in, so patch and hunt together; as an interim mitigation, block /developmentserver/metadatauploader at the Web Dispatcher or reverse proxy
- Scan the portal working directories under the Java server's servlet_jsp tree (…/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root, …/irj/work and …/irj/work/sync) for .jsp files you did not deploy, and review HTTP access logs for POST requests to /developmentserver/metadatauploader; treat any unexplained JSP in those directories as a webshell until proven otherwise, and preserve it for forensics before removing it
- Elevate SAP systems in incident response planning and monitoring
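The following Python hunt script is an added example, not code from the original post or from Trustmi. It implements the two checks in the list above: it walks the irj/root, irj/work and irj/work/sync directories for JSP files matching the reported webshell names (helper.jsp, cache.jsp), the random 8-character pattern, or a modification-time cutoff, and it flags access-log requests to the Metadata Uploader endpoint (/developmentserver/metadatauploader) and direct hits on known webshell names. Assumptions: the log lines are in Apache combined/common format as produced by a reverse proxy in front of NetWeaver (adjust LOG_RE for ICM or Web Dispatcher logs), and the sample directory tree and log lines are constructed for the demo.

```python
"""Hunt for CVE-2025-31324 post-exploitation artifacts (added example)."""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# Webshell names reported in the wild, plus the short random names seen with them.
KNOWN_SHELLS = {"helper.jsp", "cache.jsp"}
RANDOM_JSP = re.compile(r"^[a-z0-9]{8}\.jsp$")

# Directories the advisory tells customers to scan, relative to the irj root
# (on disk: .../j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/).
IRJ_SUBDIRS = ("root", "work", "work/sync")

# Vulnerable Metadata Uploader endpoint that accepts the unauthenticated POST.
UPLOADER_PATH = "/developmentserver/metadatauploader"

# Assumption: Apache combined/common log format (e.g. from a reverse proxy).
# Adjust this regex if you are reading ICM or Web Dispatcher logs instead.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def scan_irj(irj_root: Path, newer_than: float = 0.0) -> list[dict]:
    """Return suspicious .jsp files in irj/root, irj/work and irj/work/sync.

    Each finding lists why it was flagged: a known webshell name, the random
    8-character pattern, or an mtime after `newer_than` (epoch seconds). The
    mtime check is what catches shells with names nobody has reported yet.
    """
    findings = []
    for sub in IRJ_SUBDIRS:
        base = irj_root / sub
        if not base.is_dir():
            continue
        for path in base.iterdir():  # non-recursive: work/ and work/sync are both listed
            if not path.is_file() or path.suffix.lower() != ".jsp":
                continue
            name = path.name.lower()
            reasons = []
            if name in KNOWN_SHELLS:
                reasons.append("known webshell name")
            elif RANDOM_JSP.match(name):
                reasons.append("random 8-char jsp name")
            if path.stat().st_mtime > newer_than:
                reasons.append("modified after cutoff")
            if reasons:
                findings.append({"path": str(path), "reasons": reasons})
    return sorted(findings, key=lambda f: f["path"])


def scan_access_log(lines: list[str]) -> list[dict]:
    """Flag uploader traffic and direct requests for known webshell names.

    POST to the uploader is an upload attempt; any other method there is a
    probe; a request whose basename is a known shell is webshell access.
    Lines that do not parse are skipped rather than silently accepted.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0].lower()
        if path.startswith(UPLOADER_PATH):
            kind = "upload attempt" if m["method"] == "POST" else "probe"
        elif path.rsplit("/", 1)[-1] in KNOWN_SHELLS:
            kind = "webshell access"
        else:
            continue
        hits.append({"src": m["src"], "method": m["method"], "path": path,
                     "status": int(m["status"]), "kind": kind})
    return hits


# Constructed sample log lines (not real traffic) that exercise every branch.
SAMPLE_LOG = [
    '10.0.0.5 - - [25/Apr/2025:10:01:02 +0000] "GET /irj/portal HTTP/1.1" 200 5120',
    '198.51.100.7 - - [25/Apr/2025:10:02:11 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 200 812',
    '198.51.100.7 - - [25/Apr/2025:10:02:15 +0000] "POST /developmentserver/metadatauploader?CONTENTTYPE=MODEL HTTP/1.1" 200 0',
    '198.51.100.7 - - [25/Apr/2025:10:02:20 +0000] "GET /irj/helper.jsp?cmd=id HTTP/1.1" 200 64',
    "truncated line that does not parse",
]


def build_demo_tree() -> Path:
    """Build a throwaway irj tree with harmless placeholder files for the demo."""
    root = Path(tempfile.mkdtemp(prefix="irj_demo_"))
    for sub in IRJ_SUBDIRS:
        (root / sub).mkdir(parents=True, exist_ok=True)
    (root / "root" / "helper.jsp").write_text("<%-- placeholder, not a shell --%>")
    (root / "work" / "sync" / "a1b2c3d4.jsp").write_text("<%-- placeholder --%>")
    (root / "work" / "README.txt").write_text("not a jsp")
    return root


if __name__ == "__main__":
    for f in scan_irj(build_demo_tree()):
        print("FILE", f["path"], ", ".join(f["reasons"]))
    for h in scan_access_log(SAMPLE_LOG):
        print("LOG ", h["src"], h["method"], h["path"], h["kind"])
```

On a real system, point scan_irj at the servlet_jsp/irj directory of each Java instance and set newer_than to the last known-good deployment time; a probe followed minutes later by a POST from the same source and then a request for a new JSP is the sequence to look for, and a 200 on the POST before the patch was applied should be treated as a successful upload until the file system says otherwise.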
But patching alone isn’t defense-in-depth.
How Trustmi Provides True Defense-in-Depth—Even When SAP (or Any ERP) Is Breached
Patching protects the system’s perimeter.
Trustmi protects your people and money—even when attackers get inside.
Our platform acts as a critical compensating control, detecting, disrupting, and blocking fraud after a system compromise:
- Behavioral Anomaly Detection: Trustmi continuously monitors SAP, finance apps, and email systems for subtle deviations from normal behavior. Example: Vendor updates normally made manually suddenly occur via API automation—Trustmi flags and investigates in real time.
- Cross-System Data Correlation: Trustmi connects activity across email, ERP, procurement, and vendor onboarding to detect complex, multi-channel attacks that siloed tools miss.
- Real-Time Vendor and Payment Validation: Even if attackers manipulate internal records, Trustmi independently verifies vendors and payment instructions—catching fraud before money moves.
- Application and Third-Party Compromise Detection: Trustmi profiles both users and applications. If SAP or other apps start issuing unauthorized payments or vendor changes, Trustmi detects and flags abnormal behavior immediately.
- Zero-Day Resilience: Our Behavioral AI adapts to detect emerging threats—providing real zero-day protection beyond static rules or known signatures.
- Contextual Alerts for Faster Action: Trustmi alerts provide business context—what was compromised, what financial risk is unfolding (e.g., a suspicious $2.5M vendor payment), and how it deviates from normal behavior—so teams can act fast before losses occur.
Bottom Line
You can’t always prevent zero-day breaches.
But with Trustmi, you can stop them from turning into financial losses, fraud, or operational collapse.
Even if attackers gain full ERP access, Trustmi’s Behavioral AI security acts as the last line of defense—detecting and blocking financial threats before the money moves.
To learn more about socially engineered financial fraud:
- ERP attacks leading to financial fraud: https://trustmi.ai/resource/erp-system-attacks-from-intrusion-to-fraud-and-how-to-avoid-it/
- Request a demo of Trustmi’s Behavioral AI security solutions here: https://trustmi.ai/request-a-demo/