SANS Stormcast Monday, April 27th: Image Steganography; SAP Netweaver Exploited (#)

SANS Stormcast Monday, April 27th: Image Steganography; SAP Netweaver Exploited Example of a Payload Delivered Through Steganography Xavier and Didier published two diaries this weekend, building on each other. First, Xavier showed an example of an image being used to smuggle an executable past network defenses, and second, Didier showed how to use his tools to extract the binary. https://isc.sans.edu/diary/Example%20of%20a%20Payload%20Delivered%20Through%20Steganography/31892 SAP Netweaver Exploited CVE-2025-31324 An arbitrary file upload vulnerability in SAP's Netweaver product is actively exploited to upload webshells. Reliaquest discovered the issue. Reliaquest reports that they saw it being abused to upload the Brute Ratel C2 framework. Users of Netweaver must turn off the developmentserver alias and disable visual composer, and the application was deprecated for about 10 years. SAP has released an emergency update for the issue. https://reliaquest.com/blog/threat-spotlight-reliaquest-uncovers-vulnerability-behind-sap-netweaver-compromise/ https://onapsis.com/blog/active-exploitation-of-sap-vulnerability-cve-2025-31324/ Any.Run Reports False Positive Uploads Due to false positives caused by MS Defender XDR flagging Adobe Acrobat Cloud links as malicious, many users of Any.Run's free tier uploaded confidential documents to Any.Run. Anyrun blocked these uploads for now but reminded users to be cautious about what documents are being uploaded. https://x.com/anyrun_app/status/1915429758516560190 keywords: any.run; adobe; xdr; microsoft; sap; netweaver; steganography