
SAP Visual Composer Bug Puts Firms at Risk


A newly patched zero-day vulnerability in SAP NetWeaver Visual Composer is now under active exploitation, exposing hundreds of systems to critical security risks. Identified as CVE-2025-31324, the flaw has received a maximum CVSS score of 10, highlighting its severity and ease of exploitation.

This vulnerability affects all versions of SAP NetWeaver 7.xx and allows unauthenticated remote attackers to upload arbitrary files to exposed systems without restrictions.

SAP released an emergency patch on April 25, just days after ReliaQuest reported attacks targeting the flaw. Initially, researchers suspected older bugs such as CVE-2017-9844 or an unknown file inclusion issue. However, SAP’s internal investigation traced the vulnerability to improper authentication checks in Visual Composer’s Metadata Uploader component.

On April 27, The Shadowserver Foundation identified 454 Internet-exposed SAP NetWeaver instances vulnerable to this flaw. The U.S. had the highest number of exposed systems (149), followed by India (50) and Australia (37).

How the Exploitation of SAP Composer Works

The flaw lies in the /developmentserver/metadatauploader endpoint. Rapid7’s Caitlin Condon explained that attackers can send crafted POST requests to upload malicious files without any authentication.

Attackers are using this flaw to drop JSP Web shells, giving them the ability to run commands remotely. These attacks began as early as March 27, nearly a month before SAP issued a fix. According to Rapid7, manufacturing firms have been the primary targets so far.

Immediate Mitigation Steps for Organizations

Experts strongly urge organizations to patch affected systems immediately. For those unable to update quickly, Rapid7 recommends disabling Visual Composer and restricting access to the metadata uploader endpoint as a temporary safeguard.

Key remediation steps include:

  • Apply the April 25 SAP security patch.
  • Disable SAP Visual Composer if it’s not essential.
  • Restrict Internet access to the /metadatauploader endpoint.
  • Monitor systems for signs of unauthorized file uploads or Web shells.
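As an added illustration of the monitoring step above (example code, not from SAP, Rapid7 or ReliaQuest): a small Python sweep that flags POST requests to the endpoint the article names in web-server access logs. It assumes lines in the common combined access-log format and that only RFC 1918 ranges count as internal; the sample log lines are constructed.

```python
"""Flag POST requests to the SAP Visual Composer Metadata Uploader endpoint
(/developmentserver/metadatauploader) in web-server access logs. Added
example, not SAP/Rapid7/ReliaQuest code. Assumes combined access-log lines."""
import ipaddress
import re
from collections import Counter

ENDPOINT = "/developmentserver/metadatauploader"
# Assumed site policy: only RFC 1918 ranges count as internal.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def is_external(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)

def find_uploader_posts(lines):
    """Return (ip, timestamp, status, external) for every POST whose path,
    case-folded and stripped of any query string, is the uploader endpoint."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than abort the sweep
        path = m["path"].split("?", 1)[0].lower()
        if m["method"] == "POST" and path == ENDPOINT:
            hits.append((m["ip"], m["ts"], int(m["status"]), is_external(m["ip"])))
    return hits

def summarize(hits):
    """Per-source counts plus external sources that got a 2xx (upload likely succeeded)."""
    return {
        "total": len(hits),
        "per_ip": dict(Counter(h[0] for h in hits)),
        "external_success": sorted({ip for ip, _, st, ext in hits if ext and 200 <= st < 300}),
    }

# Constructed sample lines (not real traffic); 203.0.113.0/24 is a documentation range.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Apr/2025:02:11:08 +0000] "POST /developmentserver/metadatauploader?id=1 HTTP/1.1" 200 512
203.0.113.7 - - [10/Apr/2025:02:11:09 +0000] "POST /DevelopmentServer/MetadataUploader HTTP/1.1" 200 498
10.20.30.40 - - [10/Apr/2025:09:15:22 +0000] "GET /index.html HTTP/1.1" 200 8421
10.20.30.41 - - [10/Apr/2025:11:02:51 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 401 0
""".splitlines()
if __name__ == "__main__":
    print(summarize(find_uploader_posts(SAMPLE_LOG)))
```

Requests from external sources that received a 2xx response are the ones to triage first, since the article notes the endpoint accepts uploads without authentication.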

Threat groups exploiting CVE-2025-31324 are using advanced techniques for command-and-control (C2) and persistence. ReliaQuest observed:

  • Use of the Brute Ratel penetration testing framework for payload deployment and C2.
  • Use of Heaven’s Gate, a memory evasion technique to bypass endpoint detection tools.
  • Customized payloads to gain elevated privileges and maintain access.

Widespread Use of SAP Visual Composer Increases Risk

Although Visual Composer is optional, it’s widely used. Onapsis reported that it is enabled on up to 70% of SAP NetWeaver Java systems. This component allows business users to create applications without writing code, making it a popular tool.

Unfortunately, the vulnerability allows attackers to gain full admin access to affected SAP environments. From there, they can:

  • Deploy ransomware or other malware.
  • Modify or corrupt financial and business data.
  • View or steal personally identifiable information (PII).
  • Delete logs to cover their tracks.
  • Use compromised systems as entry points into larger SAP networks.

SAP systems are deeply integrated into business-critical operations. Over 99 of the Fortune 100 companies rely on SAP for ERP, CRM, and financial processing. A breach could lead to massive financial, reputational, and operational damage.

Onapsis warned that CVE-2025-31324 could enable attackers to conduct unauthorized business activity, such as:

  • Tampering with financial records.
  • Exfiltrating sensitive customer data.
  • Disrupting essential services and supply chains.

High-Risk Targets and Broader Implications

While manufacturing firms are the current primary targets, other industries remain at high risk. The Center for Internet Security (CIS) flagged large and medium government entities and businesses as especially vulnerable. Even smaller organizations may face medium risk, especially if SAP systems are exposed to the Internet.

CVE-2025-31324 represents a critical and immediate threat to organizations using SAP NetWeaver. With attacks already in progress and the potential for total system compromise, rapid patching and access restrictions are essential.

Security teams must act now to prevent ransomware attacks, data breaches, and business disruptions. For long-term protection, organizations should also audit all exposed SAP components, apply least-privilege principles, and continuously monitor for unusual activity across SAP landscapes.
