Critical SAP NetWeaver vulnerability under active exploitation

Take action: Update all your SAP NetWeaver systems immediately with the emergency patch for the CVE-2025-31324 vulnerability, even if you have already applied the regular April 2025 updates. If you cannot patch immediately, restrict access to the /developmentserver/metadatauploader endpoint and scan your environment for unauthorized files that could indicate you have already been compromised.

SAP has released emergency patches and is warning customers about a critical vulnerability in SAP NetWeaver Visual Composer that is being actively exploited in the wild.

The flaw, tracked as CVE-2025-31324 (CVSS score 10), allows unauthenticated attackers to upload malicious files to SAP servers, potentially leading to complete system compromise through remote code execution. It affects the Metadata Uploader component of SAP NetWeaver Visual Composer, reachable via the /developmentserver/metadatauploader endpoint, and lets attackers:

  • Upload arbitrary executable files without authentication
  • Deploy JSP webshells in publicly accessible directories
  • Execute commands via simple GET requests to the uploaded JSP files
  • Gain full remote code execution capabilities and total system compromise

Security researchers from ReliaQuest initially discovered the vulnerability while investigating multiple customer breaches. They observed that even fully patched SAP systems were being compromised, indicating a zero-day exploit.

Multiple security firms have confirmed active exploitation:

  • ReliaQuest reported that several customers were compromised through unauthorized file uploads
  • watchTowr confirmed active exploitation by threat actors dropping webshell backdoors
  • Onapsis also observed exploitation attempts through their threat intelligence sensors

In post-exploitation activity, attackers have been observed deploying the 'Brute Ratel' red team tool for further compromise, injecting MSBuild-compiled code into dllhost.exe for stealth, and using the 'Heaven's Gate' technique. Heaven's Gate allows 32-bit malware to execute 64-bit code by jumping outside the compatibility environment that runs 32-bit programs on Windows systems, and it is used to evade antivirus detection.

Onapsis estimates that approximately 10,000 SAP instances are potentially vulnerable and that between 50% and 70% of internet-facing SAP NetWeaver Application Server Java instances may have the vulnerable component available.

Organizations using SAP NetWeaver should immediately apply the emergency patch released by SAP (referenced in SAP Note 3594142).

If immediate patching is not possible, implement these mitigations:

  • Restrict access to the /developmentserver/metadatauploader endpoint
  • If Visual Composer is not in use, consider turning it off entirely
  • Forward logs to SIEM systems and scan for unauthorized files in the servlet path

Before applying these mitigations, perform a deep scan of the environment to locate and remove any suspect files.
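As an added illustration of the log-review mitigation (this is example code, not a tool from SAP, Onapsis or ReliaQuest), the following Python script scans constructed access-log lines for requests to the /developmentserver/metadatauploader endpoint and flags any later request to a .jsp file from the same source address, the pattern described above. The NCSA log format, file names and IP addresses are assumptions.

```python
"""Flag CVE-2025-31324-style upload-then-JSP activity in web access logs."""
import re
from collections import defaultdict

# Endpoint named in the advisory; every log line below is constructed sample data.
UPLOADER = "/developmentserver/metadatauploader"

# Constructed NCSA-style access log (documentation-range IPs, invented file names).
SAMPLE_LOG = """\
203.0.113.7 - - [28/Apr/2025:10:01:02 +0000] "GET /irj/portal HTTP/1.1" 200 5123
203.0.113.7 - - [28/Apr/2025:10:01:09 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 87
203.0.113.7 - - [28/Apr/2025:10:01:15 +0000] "GET /irj/helper.jsp?cmd=whoami HTTP/1.1" 200 412
198.51.100.4 - - [28/Apr/2025:10:02:00 +0000] "GET /irj/portal HTTP/1.1" 200 5123
192.0.2.9 - - [28/Apr/2025:10:03:30 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 403 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r"(?P<status>\d{3}) \S+"
)


def parse(line):
    """Parse one NCSA-style access log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyze(log_text):
    """Return findings in log order: uploader hits, then JSP requests from the same IP."""
    findings = []
    uploader_hits = defaultdict(list)  # source IP -> timestamps of uploader requests
    for line in log_text.splitlines():
        rec = parse(line)
        if not rec:
            continue
        path = rec["url"].split("?", 1)[0].lower()  # compare case-insensitively
        if path == UPLOADER:
            # A successful POST is the upload itself; anything else is still a probe.
            sev = "high" if rec["method"] == "POST" and rec["status"] == "200" else "medium"
            findings.append({"severity": sev, "ip": rec["ip"], "ts": rec["ts"],
                             "reason": f"{rec['method']} {UPLOADER} returned {rec['status']}"})
            uploader_hits[rec["ip"]].append(rec["ts"])
        elif path.endswith(".jsp") and rec["ip"] in uploader_hits:
            # A JSP fetched after an uploader request matches the webshell-use pattern.
            findings.append({"severity": "critical", "ip": rec["ip"], "ts": rec["ts"],
                             "reason": f"JSP request after uploader access: {rec['url']}"})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['ts']} {f['ip']}: {f['reason']}")
```

Feed real access logs through analyze() and treat any "critical" finding as a trigger for the file-system scan recommended above.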

This emergency security update was made available after SAP's regular 'April 2025' patch cycle (released on April 8, 2025). Therefore, systems updated with only the regular April patches remain vulnerable to CVE-2025-31324.

The emergency update also addresses two other critical vulnerabilities:

  • CVE-2025-27429: Code injection in SAP S/4HANA
  • CVE-2025-31330: Code injection in SAP Landscape Transformation

SAP has disputed that the vulnerability was successfully exploited in actual attacks, stating they are "not aware that SAP customer data or systems were impacted." Multiple security firms continue to report active exploitation in the wild.

Update - as of 30th of April 2025, SAP has confirmed active exploitation of this flaw. Security researchers at Onapsis have released a scanner to check for the vulnerability and possible indicators of compromise. 

As of 8th of May, Forescout's Vedere Labs has linked more recent attacks (observed on April 29, 2025) to a Chinese threat actor they're tracking as "Chaya_004." The researchers identified several indicators pointing to Chinese origin, including:

  • Attack infrastructure using anomalous self-signed certificates impersonating Cloudflare
  • IP addresses belonging to Chinese cloud providers (Alibaba, Shenzhen Tencent, Huawei Cloud Service, and China Unicom)
  • Deployment of Chinese-language tools such as SuperShell, a web-based reverse shell developed by a Chinese-speaking developer

As of 14th of May, ReliaQuest reports that the RansomEXX and BianLian ransomware operations have also joined these attacks, although no ransomware payloads were successfully deployed.
"Continued analysis has uncovered evidence suggesting involvement from the Russian ransomware group 'BianLian' and the operators of the 'RansomEXX' ransomware family (tracked by Microsoft as 'Storm-2460')," the cybersecurity firm said. "These findings reveal widespread interest in exploiting this vulnerability across multiple threat groups."

As of 18th of August 2025, exploit code for CVE-2025-31324 is publicly available and attackers are actively using it against SAP NetWeaver. CISA has added the flaw to its Known Exploited Vulnerabilities catalog. CVE-2025-42999 is being chained with it in attacks against unpatched systems.