Exploited SAP NetWeaver Visual Composer Flaw Threatens Thousands of Businesses Worldwide

The recent discovery of a critical vulnerability in

the Exploit

SAP NetWeaver Visual Composer, a tool used for web-based software modeling, has been under active exploitation following the discovery of a severe vulnerability identified as CVE-2025-31324. This flaw, which carries the maximum CVSS score of 10, affects all versions of SAP NetWeaver 7.xx. The vulnerability allows unauthenticated attackers to upload arbitrary files to systems exposed to the internet, enabling them to execute malicious actions.

Reports indicate that SAP released an emergency patch for this vulnerability on April 25, 2025, following an urgent report from ReliaQuest. Despite the patch, attackers had already been exploiting the flaw for weeks, with some instances of exploitation dating back to March 27, 2025. A significant portion of the affected systems are located in the United States, with India and Australia also reporting a high number of vulnerable instances.

The vulnerability resides within the Metadata Uploader component of the NetWeaver Java stack, which is not installed by default but is enabled in many systems. Exploiting this flaw allows attackers to upload malicious JSP Web shells, enabling them to run arbitrary commands on vulnerable systems. Once inside, attackers have used various techniques to maintain persistence, evade detection, and establish command-and-control channels.
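A log-triage sketch for the upload-then-web-shell pattern described above, added here as an example and not taken from SAP, ReliaQuest or the original article. It assumes HTTP access logs in common log format and chronological order; `UPLOADER_PATH`, the `/app/...` paths and the sample lines are constructed placeholders, and only the March 27, 2025 start date comes from the article.

```python
import re
from datetime import datetime, timezone

# Assumption: placeholder for the Metadata Uploader URL path; take the real
# value from the vendor advisory or your own system configuration.
UPLOADER_PATH = "/PLACEHOLDER/metadata-uploader"
# Earliest exploitation date reported in the article.
EARLIEST = datetime(2025, 3, 27, tzinfo=timezone.utc)

# Common log format: ip ident user [time] "METHOD path proto" status size
LINE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log lines (documentation IP ranges, made-up paths).
SAMPLE_LOG = """\
198.51.100.7 - jdoe [20/Mar/2025:09:00:01 +0000] "GET /app/index.jsp HTTP/1.1" 200 5120
203.0.113.9 - - [28/Mar/2025:02:14:33 +0000] "POST /PLACEHOLDER/metadata-uploader?x=1 HTTP/1.1" 200 45
203.0.113.9 - - [28/Mar/2025:02:14:40 +0000] "GET /app/example-new.jsp HTTP/1.1" 200 312
198.51.100.7 - jdoe [28/Mar/2025:08:30:00 +0000] "GET /app/index.jsp HTTP/1.1" 200 5120
203.0.113.50 - - [29/Mar/2025:11:00:00 +0000] "POST /PLACEHOLDER/metadata-uploader HTTP/1.1" 401 0
""".splitlines()

def find_upload_then_jsp(lines, uploader_path=UPLOADER_PATH, since=EARLIEST):
    """Flag JSP paths first requested after an unauthenticated, successful
    POST to the uploader. Lines must be in chronological order."""
    baseline, uploads, hits = set(), [], []
    for raw in lines:
        m = LINE.match(raw)
        if not m:
            continue  # skip lines that do not parse
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        path = m["path"].split("?", 1)[0]  # ignore the query string
        ok = m["status"].startswith("2")
        if (m["method"] == "POST" and path == uploader_path
                and m["user"] == "-" and ok and ts >= since):
            uploads.append({"time": ts, "client": m["ip"]})
        elif path.lower().endswith(".jsp"):
            if not uploads:
                baseline.add(path)  # JSPs already served before any upload
            elif path not in baseline and ok:
                hits.append({"time": ts, "client": m["ip"], "path": path,
                             "after_upload_from": uploads[-1]["client"]})
    return {"uploads": uploads, "new_jsp_hits": hits}

if __name__ == "__main__":
    for hit in find_upload_then_jsp(SAMPLE_LOG)["new_jsp_hits"]:
        print(hit["time"].isoformat(), hit["client"], hit["path"])
```

A hit is a lead for file-system review of the served directories, not proof of compromise; a rejected upload attempt (the 401 line) is deliberately not treated as an upload.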

The primary targets of these attacks have been manufacturing companies, though other sectors are also at high risk. Cybercriminals can use this access to deploy ransomware, corrupt data, manipulate financial records, and even disrupt business operations.

What Undercode Say:

SAP’s failure to patch the vulnerability before it was actively exploited demonstrates a worrying gap in proactive cybersecurity measures, especially for widely used enterprise tools. While SAP NetWeaver is a powerful system used by major corporations globally, including 99 of the Fortune 100 companies, its exposure to attacks like CVE-2025-31324 underscores the importance of securing enterprise resource planning (ERP) systems. In this case, cybercriminals took advantage of a flaw in an optional component of NetWeaver, the Visual Composer, which is enabled in a significant portion of the affected systems, allowing for easier exploitation.

Once the vulnerability was discovered, attackers quickly started utilizing it to drop malicious Web shells and gain full control over the affected systems. The use of JSP Web shells is concerning, as it gives attackers the ability to execute arbitrary commands on compromised systems, opening the door to a wide range of malicious activities. The fact that attackers started exploiting the vulnerability weeks before SAP issued a patch highlights the ongoing risk of zero-day vulnerabilities, which often leave organizations exposed to attacks.

Additionally, the tactics, techniques, and procedures (TTPs) used by attackers once inside the system are indicative of highly advanced threat actors. These attackers have demonstrated an ability to use custom payloads, escalate privileges, and evade detection using techniques such as Heaven’s Gate, a memory manipulation technique designed to bypass security monitoring tools. Such behavior suggests that these attacks are not opportunistic, but part of a coordinated effort by skilled threat actors targeting vulnerable SAP systems.

This case highlights several critical lessons for organizations relying on SAP systems for their business operations. First, maintaining up-to-date software is crucial to mitigating the risks posed by unpatched vulnerabilities. In the case of CVE-2025-31324, SAP’s delay in releasing a patch left organizations vulnerable to ongoing attacks. Companies must prioritize timely patch management, especially when dealing with software as critical as SAP NetWeaver. Second, organizations should consider disabling unnecessary components of their systems, such as the Visual Composer, to minimize their attack surface. Lastly, the potential for these attacks to spread across interconnected SAP systems underlines the need for robust network segmentation and monitoring to prevent lateral movement by attackers.

The fact that manufacturing companies have been the primary targets of these attacks points to the growing trend of industrial targets being a key focus for cybercriminals. With sensitive data and critical infrastructure at stake, these organizations are particularly vulnerable to cyberattacks that could disrupt production, compromise financial data, and even cripple entire business operations. This growing trend should serve as a wake-up call for all industries to reassess their cybersecurity posture and reinforce their defenses against similar vulnerabilities in other enterprise applications.

Fact Checker Results

  • CVE-2025-31324 is a critical vulnerability in SAP NetWeaver Visual Composer, with attackers actively exploiting it to gain unauthorized access to systems.
  • The flaw allows attackers to upload malicious files and execute arbitrary commands on affected systems, potentially leading to ransomware deployment and data corruption.
  • SAP released a patch for the vulnerability on April 25, 2025, but exploitation had been occurring for several weeks prior to the fix.

References:

Reported By: www.darkreading.com