SAP Zero-Day Vulnerability Exploited – Posing Business Risks

SAP Vulnerability Exposed

A critical zero-day vulnerability in SAP NetWeaver, tracked as CVE-2025-31324 with a CVSS score of 10/10, is being actively exploited, potentially granting attackers full control over SAP’s critical business processes and information.

  • Key Impact: Successful exploitation of this vulnerability allows attackers to perform espionage, sabotage, and fraud.
  • Vulnerability Details: The vulnerability lies in the Visual Composer Metadata Uploader component of SAP NetWeaver and stems from a missing authorization check. This allows unauthenticated attackers to upload malicious executable binaries.
  • Affected Systems: Customers using the vulnerable component across Cloud/RISE with SAP environments, cloud-native, and on-premise deployment models are affected.
  • Exploitation Method: ReliaQuest discovered that attackers are abusing the Metadata Uploader to upload malicious JSP webshell files and execute them, gaining full control of the vulnerable endpoint.

This vulnerability poses a severe threat to organizations using SAP NetWeaver, potentially leading to significant operational and financial damage.

Key Developments and Additional Insights:

  • Active Exploitation Confirmed: Multiple sources, including ReliaQuest and watchTowr, have confirmed active exploitation of this zero-day vulnerability in the wild. Attackers are using it to upload malicious JSP webshells, enabling remote code execution and system compromise.
  • Initial Access Broker Suspected: Researchers at watchTowr have a high degree of confidence that an initial access broker is behind the attacks. These brokers typically gain initial access to systems and then sell that access to ransomware groups or other malicious actors.
  • Widespread Impact: The vulnerable component, SAP Visual Composer, while not installed by default, is believed to be enabled in a significant number of SAP Java systems. Onapsis estimates that potentially over 10,000 internet-facing SAP applications could be at risk, with a high percentage of those having the vulnerable component active.
  • SAP’s Response: SAP has released an emergency patch to address CVE-2025-31324 (SAP Security Note 3594142). This patch was released out-of-band, meaning it came after the regular April 2025 Security Patch Day. SAP also provided a workaround in SAP Note 3593336 for organizations that cannot immediately apply the patch.
  • Conflicting Statements: While security firms report active exploitation, SAP initially stated they were not aware of any customer data or systems being impacted. However, they strongly advise customers to apply the patch immediately.
  • Technical Details: The vulnerability lies in the /developmentserver/metadatauploader endpoint of SAP NetWeaver Visual Composer. It lacks proper authorization checks, allowing unauthenticated attackers to upload arbitrary files, including executable code.
  • Observed Attack Techniques: ReliaQuest has observed attackers using tools like Brute Ratel (a command-and-control framework) and the Heaven’s Gate technique (for endpoint protection bypass) after gaining initial access via the webshells.
  • Recommendations: The immediate recommendation is to apply the emergency patch from SAP. If patching is not immediately feasible, the provided workaround should be implemented. Organizations should also scan their SAP environments for any suspicious files, particularly JSP files, and monitor for unauthorized access attempts to the vulnerable endpoint.
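An added example of the monitoring step in the last recommendation (this script is not part of the article or of SAP's guidance): it walks exported HTTP access-log lines, flags every request to the /developmentserver/metadatauploader endpoint, and then flags any .jsp request from a client that previously POSTed to it, a heuristic for a dropped webshell being invoked. The log format, the field names, the "dropped.jsp" path and the sample lines are constructed assumptions.

```python
import re
from collections import Counter

# Assumption: the access log has been exported in Common Log Format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Endpoint named in the advisory; the page's workaround/patch closes it.
UPLOADER_PATH = "/developmentserver/metadatauploader"

def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_suspicious(lines):
    """Return (alerts, jsp_paths).

    alerts: list of (reason, ip, method, path, status) tuples.
    jsp_paths: Counter of .jsp paths requested by a client after it uploaded
    via the Metadata Uploader (constructed heuristic, not an SAP signature).
    """
    alerts, uploaders, jsp_paths = [], set(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines in an unexpected format rather than guess
        path = rec["path"].split("?", 1)[0].lower()
        hit = (rec["ip"], rec["method"], rec["path"], rec["status"])
        if path == UPLOADER_PATH:
            if rec["method"] == "POST":  # an actual upload attempt
                alerts.append(("upload to metadatauploader",) + hit)
                uploaders.add(rec["ip"])
            else:                        # reconnaissance of the endpoint
                alerts.append(("probe of metadatauploader",) + hit)
        elif path.endswith(".jsp") and rec["ip"] in uploaders:
            alerts.append(("jsp request after upload",) + hit)
            jsp_paths[path] += 1
    return alerts, jsp_paths

# Constructed sample: one client probes, uploads, then calls a new .jsp file.
SAMPLE_LOG = [
    '203.0.113.7 - - [25/Apr/2025:10:01:02 +0000] "GET /irj/portal HTTP/1.1" 200 5120',
    '203.0.113.7 - - [25/Apr/2025:10:01:05 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 200 312',
    '203.0.113.7 - - [25/Apr/2025:10:01:09 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 87',
    '203.0.113.7 - - [25/Apr/2025:10:01:15 +0000] "GET /irj/dropped.jsp HTTP/1.1" 200 1403',
    '198.51.100.4 - - [25/Apr/2025:10:02:00 +0000] "GET /irj/portal HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for alert in find_suspicious(SAMPLE_LOG)[0]:
        print(*alert)
```

Any path that the script reports in jsp_paths should be checked on disk against the deployed application content, which is the file-scanning half of the recommendation.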

In its security note, SAP recommends that all users apply the patch immediately.

In summary, the situation is critical. A high-severity zero-day vulnerability in SAP NetWeaver is being actively exploited, potentially by initial access brokers. Given the widespread use of SAP in critical infrastructure and enterprises, immediate action to patch or mitigate this vulnerability is crucial.
