SAP Zero – Frostbite: How Russian RaaS Actor Qilin Exploited CVE-2025-31324 Weeks Before its Public Disclosure
Essential information
- Published
- 20/05/2025 18:01
- Modified
- 21/05/2025 21:50
- Tags
- 2025-05-20 cobalt strike qilin ransomware ransomware-as-a-service (raas) sap netweaver
- Related entities
- 5 observables, 5 techniques (mitre)
Description
CVE-2025-31324 hit the security world like a tsunami – an easily exploitable SAP vulnerability affecting enterprise environments across the globe. But while most assumed its exploitation began post-disclosure, new evidence suggests otherwise.
During an incident response led by OP Innovate for a major global enterprise, we uncovered proof that this vulnerability was actively exploited nearly three weeks before it was made public. While recent articles point the finger towards China-Linked APTs, we identified communication with known Cobalt Strike C2 infrastructure and IP addresses linked directly to Qilin, a notorious Russian-speaking Ransomware-as-a-Service group.