Listen to this Post

Emergency Update Issued After Active Exploitation of CVE-2025-31324 in Visual Composer Framework
In a significant security development, SAP has issued an emergency out-of-band update to patch a critical zero-day vulnerability that poses a severe threat to enterprises using the SAP NetWeaver platform. The flaw, officially tracked as CVE-2025-31324, carries the highest possible CVSS severity score of 10.0 and is being actively exploited in the wild.
The vulnerability lies in SAP NetWeaver Visual Composer, particularly in the Metadata Uploader component. It allows unauthenticated attackers to upload arbitrary files—without needing credentials—directly into the system. Once uploaded, these files can be executed remotely, providing attackers with full control over affected systems.
This vulnerability has drawn immediate attention due to real-world attacks observed by cybersecurity firms such as ReliaQuest and watchTowr. ReliaQuest was the first to identify the exploitation occurring through the /developmentserver/metadatauploader endpoint, with multiple organizations already compromised. Attackers reportedly deployed JSP webshells into publicly accessible directories, which enabled full remote code execution through mere browser-based GET requests.
Beyond the initial intrusion, the threat actors used advanced post-exploitation techniques, including Brute Ratel, the Heaven’s Gate evasion method, and MSBuild-based DLL injection, significantly increasing the complexity and stealth of the attacks.
SAP has responded by issuing emergency patches and recommending immediate action, especially since the flaw was not addressed in the standard April 2025 Patch Tuesday release. Alarmingly, even fully patched systems were compromised, confirming the use of a true zero-day exploit.
The emergency update not only addresses CVE-2025-31324 but also fixes two additional critical code injection vulnerabilities:
– CVE-2025-27429 in SAP S/4HANA
– CVE-2025-31330 in SAP Landscape Transformation
For organizations unable to patch immediately, SAP and security experts have issued specific mitigations, including restricting access to the vulnerable endpoint, disabling Visual Composer if unused, and conducting comprehensive scans for malicious uploads.
What Undercode Say:
The exploitation of CVE-2025-31324 marks one of the most severe SAP security incidents in recent memory, underscoring the critical need for proactive patch management and threat monitoring in enterprise environments.
What makes this flaw especially dangerous is the lack of authentication needed for exploitation. In most enterprise systems, privilege escalation or authentication bypass is a key hurdle for attackers. This flaw removes that entirely, allowing anyone with access to the vulnerable endpoint to gain immediate control of the system.
The attackers’ use of JSP webshells signals a return to old-school exploitation techniques—simple, effective, and dangerously underestimated. Once these webshells are in place, the attacker gains command-line access to the server via the web, opening doors to file manipulation, privilege escalation, and lateral movement across the corporate network.
Even more concerning is the observed use of Brute Ratel, a post-exploitation tool that mimics legitimate software behavior to evade detection. Paired with Heaven’s Gate, a technique that allows 64-bit code to run in a 32-bit environment, and MSBuild DLL injection, the attackers have demonstrated a high level of sophistication, likely indicating state-sponsored or financially motivated APT groups behind the campaigns.
Despite SAP’s rapid response, the danger remains high. The initial release of the April updates without a patch for this zero-day left many systems exposed. Given the widespread use of SAP NetWeaver in critical business applications, the potential impact ranges from operational disruption to large-scale data breaches and compliance violations.
Mitigations are essential, especially for organizations that cannot update immediately. Restricting endpoint access and disabling Visual Composer are good first steps, but these only limit the risk—they don’t eliminate it. Deep scanning of server directories and log analysis is crucial to detect past compromise.
From a strategic point of view, this incident highlights the value of threat intelligence feeds, real-time vulnerability management, and continuous SIEM monitoring. Enterprises need to treat software platforms like SAP as live components within the security ecosystem—not just business infrastructure.
In a time when zero-days are becoming increasingly common in enterprise software stacks, SAP customers must now assume that unpatched does mean vulnerable, and potentially compromised.
Fact Checker Results:
- The vulnerability CVE-2025-31324 is confirmed active and is being exploited in real-world attacks.
- Multiple sources, including ReliaQuest and watchTowr, verify the zero-day nature and unauthenticated remote code execution risk.
- SAP has issued emergency patches outside its regular update cycle to address the issue.
References:
Reported By: www.bleepingcomputer.com
Extra Source Hub:
https://www.digitaltrends.com
Wikipedia
Undercode AI
Image Source:
Unsplash
Undercode AI DI v2




