Critical SAP NetWeaver Vulnerability Under Active Exploitation: What You Need to Know

Listen to this Post

Featured Image
Emergency security update issued to fix CVE-2025-31324 — a zero-day flaw enabling full remote server hijack

In a high-stakes alert to businesses around the world, SAP has rushed out an emergency update to address a critical security flaw in its NetWeaver Visual Composer platform. Tracked as CVE-2025-31324 and scoring a maximum 10.0 on the CVSS scale, this zero-day vulnerability allows unauthenticated attackers to upload and execute malicious code remotely — effectively giving them full control over vulnerable systems.

The flaw resides in the Metadata Uploader component of SAP NetWeaver Visual Composer. What makes this threat particularly severe is that attackers don’t need any credentials to exploit it. They can simply upload malicious webshells, gain persistent backdoor access, and execute arbitrary commands through a browser interface. With multiple companies already impacted, this vulnerability is being actively weaponized by threat actors in the wild.

Security researchers from ReliaQuest and watchTowr confirmed that exploitation has already begun. Organizations using SAP NetWeaver must act fast — regular April patches do not address this issue. Without the emergency update, systems remain vulnerable to complete compromise.

Key Developments on CVE-2025-31324

  • Emergency Update Released: SAP has issued an out-of-band patch to fix the critical vulnerability CVE-2025-31324 in NetWeaver Visual Composer.
  • Zero-Day Under Active Attack: The flaw is already being exploited in real-world attacks, with no prior authentication required.
  • Unauthenticated File Upload Vulnerability: Attackers are exploiting the /developmentserver/metadatauploader endpoint to upload malicious JSP files.
  • Remote Code Execution (RCE): These files allow attackers to execute shell commands, upload/download files, and perform full system control — all via simple browser requests.
  • Tools & Techniques Used: Post-exploitation activities involve tools like Brute Ratel, Heaven’s Gate evasion, and MSBuild-compiled code injection into dllhost.exe.
  • No Official SAP Statement Yet: SAP has not yet responded to direct inquiries from reporters about ongoing exploitation.
  • Who Is Affected: The vulnerability impacts Visual Composer Framework 7.50 — even systems that received the regular April 8, 2025 patch remain vulnerable.
  • Other Critical Fixes Included: The emergency patch also addresses CVE-2025-27429 and CVE-2025-31330 — both are code injection flaws in SAP S/4HANA and SAP Landscape Transformation.

– Mitigation Steps for Unpatched Systems:

– Restrict access to the vulnerable endpoint.

– Disable Visual Composer if

– Send logs to SIEM systems for monitoring.

– Conduct scans to locate unauthorized files.

  • Security Industry Response: Both ReliaQuest and watchTowr are observing widespread exploitation and stress the urgency of applying the patch or mitigations immediately.
  • Wider Threat Landscape: As exploitation continues, security experts warn of increased activity from various threat actors leveraging this zero-day for lateral movement, persistence, and data theft.

What Undercode Say:

The emergence of CVE-2025-31324 as an active zero-day attack vector marks a turning point in how security flaws in enterprise software are weaponized. The fact that attackers are leveraging a built-in component of SAP NetWeaver Visual Composer — without authentication — is a testament to the deep-rooted challenges in securing legacy platforms that are still in active use across industries.

The real concern here isn’t just the existence of the vulnerability, but how rapidly it’s being exploited. This isn’t a hypothetical threat in a lab; it’s a live fire scenario. The upload of JSP webshells into public directories, the use of stealthy red teaming tools, and sophisticated code injection techniques reveal that these are not low-level actors. These are organized, skilled groups, possibly with access to insider knowledge or reverse engineering expertise.

Moreover, this vulnerability’s ability to bypass authentication mechanisms brings to light the dangerous consequences of insecure endpoint exposure. Any externally accessible SAP NetWeaver server becomes a potential breach point. Organizations relying on perimeter security without robust internal logging, segmentation, and threat detection are likely already compromised or will be soon.

SAP customers need to shift from a reactive to a proactive posture. This means more than just applying patches — it’s time to re-evaluate endpoint exposure, tighten network segmentation, and implement aggressive monitoring on all critical applications. Especially in ERP environments, where SAP is often the crown jewel, a breach can cascade into financial, operational, and reputational ruin.

The patch also included fixes for two other severe vulnerabilities, CVE-2025-27429 and CVE-2025-31330. These flaws allow code injection in key SAP modules like S/4HANA and Landscape Transformation. While these are not yet known to be exploited, they could soon be targeted in chained or follow-up attacks.

In real-world terms, this is the digital equivalent of discovering your front door is wide open, and someone has already stepped inside. Even if you slam it shut now, the focus must shift to identifying what they’ve accessed, whether they left traps behind, and how to prevent recurrence. Companies must initiate full forensic sweeps, remove unauthorized webshells, audit logs for strange behavior, and assume breach until proven otherwise.

This incident reinforces a growing trend — high-value enterprise software is increasingly under attack, and patch management alone is no longer enough. Threat actors are moving fast, and enterprises must move faster.

Fact Checker Results:

  • Confirmed: CVE-2025-31324 is under active exploitation and affects SAP NetWeaver Visual Composer 7.50.
  • Verified: Unauthenticated RCE is possible via file upload to the metadata uploader endpoint.
  • Recommended: Immediate patching is critical; if not possible, implement access controls and threat monitoring as interim measures.

References:

Reported By: www.bleepingcomputer.com
Extra Source Hub:
https://www.quora.com/topic/Technology
Wikipedia
Undercode AI

Image Source:

Unsplash
Undercode AI DI v2

Join Our Cyber World:

💬 Whatsapp | 💬 Telegram