Today’s Topics:
- WooCommerce Users Hit by Fake Security Patch Campaign Distributing Backdoors
- Over 1,200 SAP NetWeaver Servers Vulnerable to Actively Exploited CVE-2025-31324 Flaw
- How can Netizen help?
WooCommerce Users Hit by Fake Security Patch Campaign Distributing Backdoors

Cybersecurity researchers have uncovered a widespread phishing campaign targeting WooCommerce users, using fake security alerts to trick site administrators into installing malware. Instead of delivering a legitimate patch, the attackers deploy a backdoor plugin that grants them complete control over compromised WordPress websites.
The campaign, identified by WordPress security company Patchstack, closely resembles an attack from December 2023 where threat actors used a fake CVE vulnerability to lure victims. Researchers believe the new wave is either the work of the same group or a highly skilled copycat mimicking the earlier tactics.
According to security researcher Chazz Wolcott, the phishing emails claim the targeted WooCommerce sites are vulnerable to a fictitious “Unauthenticated Administrative Access” flaw. Victims are urged to click a link that directs them to a phishing website designed to closely resemble the legitimate WooCommerce Marketplace page. The attackers rely on an IDN homograph trick—substituting the letter “e” with a visually similar special character “ė”—to disguise their domain as “woocommėrce[.]com.”
Once on the fake page, victims are prompted to download a ZIP file named “authbypass-update-31297-id.zip,” which they are instructed to install like a standard WordPress plugin. However, installing this plugin triggers several malicious activities:
- A new administrator account is silently created with a hidden username and randomized password.
- A cron job is scheduled to run every minute, ensuring persistence.
- Details about the new admin account and the compromised website are sent to a remote server at “woocommerce-services[.]com/wpapi.”
- A second-stage payload is downloaded from domains such as “woocommerce-help[.]com/activate” or “woocommerce-api[.]com/activate.”
- After decoding the payload, multiple web shells like P.A.S.-Fork, p0wny, and WSO are deployed to the server.
- The rogue plugin hides itself from the WordPress plugin list, and the attacker-created admin account is also concealed from view.
The end goal is full remote access to the infected websites. Attackers can inject spam, display malicious advertisements, redirect visitors to fraudulent sites, conscript the servers into botnets for distributed denial-of-service (DDoS) attacks, or even encrypt server files in ransomware-style extortion schemes.
Website administrators are urged to immediately scan their WordPress instances for unknown plugins or suspicious administrator accounts. It’s also critical to ensure that WooCommerce and WordPress installations, along with all plugins and themes, are kept fully updated to mitigate the risk of such attacks.
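As an added example (not from the original article or from Patchstack), a small Python check that a mail filter or analyst could run on links in such "security alert" e-mails: it refangs a defanged URL, reports the punycode form the browser would actually resolve, and flags both the homograph trick (ė for e) and brand-in-domain lookalikes such as the command-and-control domains named above. The PROTECTED_DOMAINS allowlist and the sample links are constructed for this example.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed allowlist of brand domains we want to protect (example only).
PROTECTED_DOMAINS = {"woocommerce.com", "wordpress.org"}


def skeleton(host: str) -> str:
    """Map a hostname to a plain-ASCII lookalike 'skeleton'.

    NFKD decomposition splits accented letters into base letter + combining
    mark (e.g. U+0117 'ė' -> 'e' + U+0307); dropping the marks leaves 'e'.
    This is a deliberately small confusable mapping, not the full UTS #39 table.
    """
    decomposed = unicodedata.normalize("NFKD", host.lower())
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def analyze_link(url: str) -> dict:
    """Classify a URL from an e-mail as clean, homograph, or brand-in-domain."""
    # Threat reports defang indicators as "[.]"; refang so the URL parses.
    host = urlsplit(url.replace("[.]", ".")).hostname or ""
    is_idn = any(ord(ch) > 127 for ch in host)
    # What the browser really resolves: the punycode (xn--) form of the host.
    punycode = host.encode("idna").decode("ascii")
    ascii_form = skeleton(host)

    verdict = "clean"
    trusted = any(host == b or host.endswith("." + b) for b in PROTECTED_DOMAINS)
    if not trusted:
        if ascii_form in PROTECTED_DOMAINS:
            verdict = "homograph"          # renders identically to a protected brand
        elif any(b.split(".")[0] in ascii_form for b in PROTECTED_DOMAINS):
            verdict = "brand-in-domain"    # e.g. woocommerce-help.com
    return {"host": host, "is_idn": is_idn, "punycode": punycode,
            "looks_like": ascii_form, "verdict": verdict}


if __name__ == "__main__":
    for link in ["https://woocommerce.com/my-account/",
                 "https://woocommėrce[.]com/marketplace/",
                 "https://woocommerce-help[.]com/activate"]:
        print(analyze_link(link))
```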
Over 1,200 SAP NetWeaver Servers Vulnerable to Actively Exploited CVE-2025-31324 Flaw

More than 1,200 SAP NetWeaver instances exposed to the internet are vulnerable to an actively exploited, maximum-severity file upload flaw that enables remote attackers to hijack servers without authentication.
SAP NetWeaver serves as an application server and development platform connecting SAP and non-SAP applications across multiple technologies. It plays a critical role in large enterprises worldwide.
Last week, SAP disclosed CVE-2025-31324, a high-severity unauthenticated file upload vulnerability in the NetWeaver Visual Composer’s Metadata Uploader component. The flaw allows attackers to upload arbitrary executable files on vulnerable servers, leading to remote code execution and full system compromise.
Multiple cybersecurity firms, including ReliaQuest, watchTowr, and Onapsis, have confirmed that CVE-2025-31324 is already being exploited in the wild. Threat actors are reportedly deploying web shells to maintain persistent access to affected servers.
SAP responded by releasing a temporary workaround on April 8, 2025, and a full security patch on April 25. A spokesperson for SAP told BleepingComputer they are aware of exploitation attempts but have not seen evidence of customer data breaches or impacted systems so far.
Recent scans have revealed a significant number of vulnerable systems online. The Shadowserver Foundation identified 427 exposed SAP NetWeaver servers globally, warning about the vast attack surface.
The top affected countries include:
- United States: 149 servers
- India: 50 servers
- Australia: 37 servers
- China: 31 servers
- Germany: 30 servers
- Netherlands: 13 servers
- Brazil: 10 servers
- France: 10 servers
However, the situation appears even more serious based on data from cyber defense platform Onyphe, which reported 1,284 vulnerable servers online — with 474 already compromised by web shells.
“Something like 20 Fortune 500/Global 500 companies are vulnerable, and many of them are already compromised,” Onyphe CTO Patrice Auffret told BleepingComputer.
Attackers are primarily dropping web shells named “cache.jsp” and “helper.jsp,” although researchers from Nextron Research noted that random filenames are also being used to evade detection.
While the total number of affected servers may not seem massive, the presence of vulnerable SAP NetWeaver systems in large enterprises and multinational corporations poses a severe security risk.
SAP customers are strongly urged to apply the latest security update following the vendor’s advisory. If immediate patching is not possible, organizations should take the following mitigation actions:
- Restrict access to the /developmentserver/metadatauploader endpoint.
- Disable the Visual Composer component if not in use.
- Forward server logs to a SIEM and scan for unauthorized files in the servlet path.
Additionally, RedRays has released a scanner tool specifically for CVE-2025-31324, helping administrators identify vulnerable systems across large environments.
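To illustrate the SIEM-side mitigation above, here is an added Python example (not from SAP, Nextron or any of the vendors named) that runs two detections over constructed access-log lines: hits on the /developmentserver/metadatauploader endpoint, and .jsp requests under the servlet path, correlated by source IP so that a shell request from an address that previously touched the uploader is ranked higher. The servlet path prefix, the log format and the log lines are assumptions for this example; adjust them to your system.

```python
import re

# Assumption: prefix under which NetWeaver serves uploaded JSP content on your
# system. Replace with the servlet path of your own installation.
SERVLET_PATH_PREFIX = "/irj/servlet_jsp/"
UPLOAD_ENDPOINT = "/developmentserver/metadatauploader"
# Web shell names reported in the campaign; random names are also used, so any
# .jsp under the servlet path is still flagged, just with a different rule name.
KNOWN_SHELL_NAMES = {"cache.jsp", "helper.jsp"}

# Constructed sample lines in common log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [28/Apr/2025:10:01:12 +0000] "GET /irj/portal HTTP/1.1" 200 5120
203.0.113.7 - - [28/Apr/2025:10:02:40 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 311
203.0.113.7 - - [28/Apr/2025:10:02:55 +0000] "GET /irj/servlet_jsp/irj/root/helper.jsp HTTP/1.1" 200 87
198.51.100.20 - - [28/Apr/2025:10:05:01 +0000] "GET /irj/servlet_jsp/irj/root/cache.jsp HTTP/1.1" 200 410
192.0.2.44 - - [28/Apr/2025:10:06:13 +0000] "GET /irj/portal/welcome.jsp HTTP/1.1" 200 2048
203.0.113.7 - - [28/Apr/2025:10:07:30 +0000] "GET /irj/servlet_jsp/irj/root/x7k2q.jsp HTTP/1.1" 200 95
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def detect(log_text: str) -> list[dict]:
    """Return one alert per suspicious request, in log order."""
    alerts = []
    uploaders = set()  # source IPs that have touched the upload endpoint
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        ip, path = m["ip"], m["path"].split("?", 1)[0]
        base = {"ip": ip, "ts": m["ts"], "method": m["method"],
                "path": path, "status": int(m["status"])}
        if path == UPLOAD_ENDPOINT:
            # With the endpoint restricted, this should be a 403, not a 200.
            uploaders.add(ip)
            alerts.append({**base, "rule": "upload-endpoint", "correlated": False})
        elif path.startswith(SERVLET_PATH_PREFIX) and path.endswith(".jsp"):
            name = path.rsplit("/", 1)[-1]
            rule = "known-webshell-name" if name in KNOWN_SHELL_NAMES else "unexpected-jsp"
            alerts.append({**base, "rule": rule, "correlated": ip in uploaders})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```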
How Can Netizen Help?
Netizen ensures that security gets built-in and not bolted-on. We provide advanced solutions to protect critical IT infrastructure, such as the popular “CISO-as-a-Service,” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is a CMMI V2.0 Level 3, ISO 9001:2015, and ISO 27001:2013 (Information Security Management) certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.
