Threat Spotlight: Zero-Days with a Twist: How and Why Enterprise Bugs Go Viral
ID: 0cb9f8a6-561d-5951-b708-f808ac3ae775
STIX ID: report--0cb9f8a6-561d-5951-b708-f808ac3ae775
Feed Name: ReliaQuest Blog
This report analyzes how the SAP NetWeaver zero-day (CVE-2025-31324) became a polymorphic, widely weaponized RCE—enabling JSP web shells and remote command execution—and how its disclosure catalyzed cascading exploitation by diverse groups (including named cybercriminal actors and nation-state/ransomware actors). It highlights the underground market demand for enterprise RCEs (high monetary value) and rising LPE popularity, documents attacker techniques and tooling used to adapt the vulnerability, and recommends proactive detection, visibility, and layered defenses (including agentic AI, asset discovery, DRP, and detection rules) to reduce the rapid exploitation window.
