SAP NetWeaver Critical Unrestricted File Upload Flaw; Malicious Chargers Could Bypass Mobile USB Security; Power Outage in Portugal, Spain, and France; 20th Anniversary of ICS Summit

Attackers target SAP NetWeaver systems leveraging JSP webshells for unauthorized file uploads and execution. The patch from SAP was released on April 24th. With a CVSS score of 10.0, and an out-of-band patch (SAP releases patches on the second Tuesday of the month), avoid the meeting and apply the patch. Also, make sure Visual Composer is disabled, it was deprecated in 2015; confirm the application alias "developmentserver" is disabled and your development server access is restricted; then hunt for the IOCs provided by ReliaQuest.

Lee Neely

This SAP issue has spread like wildfire online. I haven t seen any stories of widespread exploitation, but this could be a similar issue to the one we saw with other edge systems like MoveIT. SAP is installed in some of the largest companies in the world, and as such, it can be a big target. This particular exploit is nasty as it is an unauthenticated file upload vulnerability. It has been weaponized easily as the building blocks are mostly there, with the only knowledge you need to understand being how to make a Java WebShell and recall it. No one has said publicly that they have been hit with this exploit as part of a larger intrusion, but we are still in the early days. The biggest challenge with this is that the patch is not part of the larger collection of monthly patches by SAP, which means administrators may not know that they are missing a critical patch. This one may have some legs.

Moses Frost

Back in 2016 SAP issued fixes for several missing authorization checks in their software. I think that flaw has been on the OWASP Top Ten even before that. SAP owes customers an explanation on how this type of defect remained in production software.

John Pescatore

It's a 10, if you're running the visual composer framework, patch now. Nothing more needs to be said.

Curtis Dukes

If you are an SAP customer, you know who you are, and this is a priority patch.

William Hugh Murray

The simplest mitigation is not to use/allow unknown USB connections. Which can be really tempting in a rental car, airplane or hotel. Back that up by making sure you're running the latest OS, e.g., Android 15 or iOS 18.4, to ensure you have current protections from attacks. USB data blockers are still a thing and reduce the risk by only allowing the power leads for under $10. Your mobile fleet, regardless of ownership, is a critical platform. Set enforceable minimum hardware, software and security standards.

Lee Neely

Seems like this one was simple for Apple and Google to fix, at least to add user prompting when a charging outlet pretends to be a peripheral. But it points out both did incomplete threat modeling on the original USB threat. I can t resist an old Saturday Night Live analogy: it is kinda like opening the door after you ask, Who s there? and the LandShark responds, Candygram.

John Pescatore

Battery life has improved to the point that we no longer spend our lives planning our next power fix. However, it remains good practice to always use one's own cable and power supply.

William Hugh Murray

Keep in mind that, under the best of circumstances, in order to balance load and source, restoration takes time. Also, grids are designed to shut down in an orderly non-destructive way. That they have already restored some service and have said that they would restore in hours, rather than days, is evidence that the shut-down was orderly. Orderly shutdowns are usually in response to multiple simultaneous component failures, beyond the ability of the grid to compensate, and/or a load imbalance. They are planned, normal, and inevitable. Incidentally, in the northeastern US, the mean time between such events has been about twenty years. The last one was in 2003. Restoration to the 90% service level took about 72 hours. While most enterprises can survive such a short term general outage, others should consider back-up generators and UPS systems.

William Hugh Murray

By the time you're reading this, the services are restored, albeit backlogs are still being cleared and travelers rescheduled. The outage was triggered when Spain lost 15GW of power in just five seconds. Portugal has called for an independent audit from the EU's Agency for the Cooperation of Energy Regulators to determine the root cause of the outage. It will be interesting to see what mitigations are possible, as it's likely safety/isolation systems were triggered by that 15GW dip.

Lee Neely

While this incident demonstrates the huge dependency our modern world has on a stable electricity supply it was disappointing to see the number of claims that a possible cause was a cyberattack without any data or evidence to support that speculation. As an industry we need to stop using FUD (Fear Uncertainty and Doubt) as a way to raise the importance of cybersecurity.

Brian Honan

It does bring up the question, what critical infrastructure would have the most impact on people? Many would say water. Water loss is dire to human existence, but attacks would be highly localized. My top two are power and financial. With financial, don t put all your eggs in digital currency; keep some Benjamins in the purse for barter. Power, especially with the dependency on a shared grid, can cause chaos for a prolonged time and can impact large numbers of people.

Curtis Dukes

Marks & Spencer have to be commended in their proactive way of keeping their customers and the public aware of the impact of this attack. Many organisations should use Marks & Spencer's public response to this breach as a template for how they should communicate should they become victims of a cyberattack. To help justify the effort in preparing for such an event reports are estimating the cost of this incident to M&S as being 678 ($908) million reinforcing the old saying that "a stitch in time saves nine." https://www.irishtimes.com/business/2025/04/28/ms-cyber-crisis-wipes-almost-800m-off-retailers-valuation/

Brian Honan

M&S has been keeping their site updated, under Press Releases. These updates are focused on customer impacts, so check before attempting online shopping. While they are working to minimize store operations impacts, they have about 1400+ stores, with over 1000 in the UK, it'd be a good idea to check online before heading to your local store.

Lee Neely

South African telecom continues to be a target; last year Cell C was compromised, as were many other critical infrastructure providers. If you're a critical infrastructure provider, make sure you are not only ready to repel boarders, but also to respond in the event of a breach, to include verifying who you're going to call for help. MTN will be notifying affected customers as the investigation continues. In the interim, they have published a status page with good advice for customers to secure their identity and accounts.

Lee Neely

This appears to be an attack against one of the largest telcos in the world, let alone on the African continent. This company makes a relatively large amount of revenue in Nigeria. A cyberattack on them could compromise a reasonably large number of individuals. For those in the US that may not be familiar with this, Telcos in this area also serve as banks, so this is both a telecom issue, like we have had potentially with T-Mobile and ATT in the US, and a FinTech issue something to watch for sure.

Moses Frost

The incident was discovered February 28, 2024, with review of compromised data (and filing/notifications) August 2024, and the process to gather necessary information to notify additional individuals just completed April 17th. The efforts to conduct a comprehensive analysis which identifies all affected individuals is commendable; yet, at this point, these individuals have had information compromised for almost 14 months, which is longer than the offered 12 months credit monitoring/ID protection offered. Sadly, I don't think we can shorten these timelines, so instead, we need to be proactive with our own credit monitoring/ID protection, to include our kids. Take a look at your current benefits/services, to include financial institutions, many include these services, often with nominal or no cost. Trust me, you'll feel better when that breach notification comes, with protections (and notifications) in place than without.

Lee Neely

A full year has passed since the data breach. At least six months has passed since HHS notification of the data breach. Finally, victims are being notified of loss of PII. Obligatory apology notice we take security seriously; it s a top priority working with law enforcement free credit monitoring services for 12 months. What s wrong with this picture?

Curtis Dukes

Your PII is already for sale on the dark web and from data brokers for dimes to dollars. For those concerned about this, consider service from Deleteme.com to scan the brokers and remove your PII. Note that you will have to give Deleteme a copy of the very information that you want them to delete. For the rest of us, lock your data on the three major credit bureaus and monitor all your accounts on a timely basis. Use strong authentication wherever it is offered. Prefer to do business with those enterprises that confirm all activity out of band.

William Hugh Murray

The actions allow the city to hang out the proverbial "out to lunch" sign while they recover from the incident. Something to consider when working on your incident response plan: what services should be suspended during system recovery? Consider services which could be added distractions or otherwise hamper recovery; then find out what steps, such as public notification, are needed and add them to your plan.

Lee Neely

Yay, here's a patch for your WooCommerce plugin, boo, it's a link to malware! Make sure that you're not only downloading updates from their official source, but also validating their signature; your automated updates do that, so use the WordPress UI to perform the update not the emailed link. Also, when being alerted about security issues/updates/scan results, verify they are legitimate, to include reporting of suspect messages.

Lee Neely

Scheuer accessed the third-party hosted menu creator application after he was fired, indicating a breakdown in their termination process. First, make sure that your account management processes extend to all your hosted/outsourced/etc. applications, not just your in-house or private cloud environments. Second, verify what your consequences would be for an incident by a dismissed employee, and verify you have supporting information, such as monitoring, alerting, centralized logs, and evidence protection, to support that investigation and process.

Lee Neely

The lesson here, besides crime doesn't pay, is that employee removal processes must be closely coordinated between HR, Legal, and IT staffs. The IT staff should lock out all account access, including third party software, ideally upon employee removal, and monitor those accounts for a period. Unfortunately, this is a lesson we get to learn far too often.

Curtis Dukes