SAP fixes suspected NetWeaver zero-day exploited in attacks

SAP has released out-of-band emergency NetWeaver updates to fix a suspected remote code execution (RCE) zero-day flaw actively exploited to hijack servers.

The vulnerability, tracked under CVE-2025-31324 and rated critical (CVSS v3 score: 10.0), is an unauthenticated file upload vulnerability in SAP NetWeaver Visual Composer, specifically the Metadata Uploader component.

It allows attackers to upload malicious executable files without logging in, potentially leading to remote code execution and full system compromise.

Though the vendor's bulletin isn't public, ReliaQuest reported earlier this week about an actively exploited vulnerability on SAP NetWeaver Visual Composer, specifically the '/developmentserver/metadatauploader' endpoint, which aligns with CVE-2025-31324.

ReliaQuest reported that multiple customers were compromised via unauthorized file uploads on SAP NetWeaver, with the attackers uploading JSP webshells to publicly accessible directories.

These uploads enabled remote code execution via simple GET requests to the JSP files, allowing command execution from the browser, file management actions (upload/download), and more.

In the post-exploitation phase, the attackers deployed the 'Brute Ratel' red team tool, the 'Heaven's Gate' security bypassing technique, and injected MSBuild-compiled code into dllhost.exe for stealth.

ReliaQuest noted in the report that exploitation did not require authentication and that the compromised systems were fully patched, indicating that they were targeted by a zero-day exploit.

Security firm watchTowr also confirmed to BleepingComputer they are seeing active exploitation linked to CVE-2025-31324.

"Unauthenticated attackers can abuse built-in functionality to upload arbitrary files to an SAP NetWeaver instance, which means full Remote Code Execution and total system compromise," stated watchTowr CEO Benjamin Harris.

"watchTowr is seeing active exploitation by threat actors, who are using this vulnerability to drop web shell backdoors onto exposed systems and gain further access."

"This active in-the-wild exploitation and widespread impact makes it incredibly likely that we'll soon see prolific exploitation by multiple parties."

Protect against attacks now

The vulnerability impacts the Visual Composer Framework 7.50, and the recommended action is to apply the latest patch.

This emergency security update was made available after SAP's regular 'April 2025' update, so if you applied that update earlier this month (released on April 8, 2025), you're still vulnerable to CVE-2025-31324.

Moreover, the emergency update includes fixes for two more critical vulnerabilities, namely CVE-2025-27429 (code injection in SAP S/4HANA) and CVE-2025-31330 (code injection in SAP Landscape Transformation).

Those unable to apply the updates that address CVE-2025-31324 are recommended to perform the following mitigations:

1. Restrict access to the /developmentserver/metadatauploader endpoint.
2. If Visual Composer is not in use, consider turning it off entirely.
3. Forward logs to SIEM and scan for unauthorized files in the servlet path.

ReliaQuest recommends performing a deep environment scan to locate and delete suspect files before applying the mitigations.

Update 4/25 - A SAP spokesperson disputed via a statement to BleepingComputer that CVE-2025-31324 was successfully exploited in actual attacks.

"SAP was made aware of a vulnerability in SAP NETWEAVER Visual Composer, which may have allowed unauthenticated and unauthorized code execution in certain Java Servlet," stated the SAP spokesperson.

"SAP is not aware that SAP customer data or systems were impacted by these vulnerabilities. A workaround was released on April 8, 2025, and a patch is currently available. Customers are recommended to apply the patch immediately."

Meanwhile, cybersecurity firm Onapsis published a report saying it also observed active exploitation.