A critical vulnerability in SAP’s NetWeaver Visual Composer tool is being actively exploited by attackers in the wild, raising alarm across industries that rely on the enterprise software platform.

The vulnerability, tracked as CVE-2025-31324, carries the maximum CVSS severity score of 10 and affects all SAP NetWeaver 7.xx versions. The vulnerability allows unauthenticated, remote attackers to upload arbitrary files to vulnerable, Internet-exposed systems without restrictions—effectively compromising the system.

SAP issued an emergency patch in April 2025, three days after cybersecurity firm ReliaQuest reported signs of exploitation. Initially thought to be a new file inclusion flaw or a recurrence of CVE-2017-9844, SAP later identified the root cause as a failure in authentication and authorization checks within the Metadata Uploader component of NetWeaver Visual Composer.

Impact of CVE-2025-31324

According to the Shadowserver Foundation, as of April 27, at least 454 SAP NetWeaver instances are exposed to the Internet and vulnerable to attack. Of these, 149 are in the U.S., followed by India (50) and Australia (37).

[Figure: NetWeaver instances vulnerable to CVE-2025-31324 (Source: Shadowserver Foundation)]

SAP software is used by thousands of global organizations, including 99 of the Fortune 100, to manage sensitive business processes across finance, logistics, HR, and customer relationships. A breach in systems running vulnerable NetWeaver components could lead to catastrophic outcomes in industries where uptime and data integrity are essential.

How CVE-2025-31324 is Exploited

Rapid7 reported that attackers are exploiting the flaw by sending custom POST requests to the vulnerable endpoint (/developmentserver/metadatauploader) to drop JSP web shells to execute arbitrary commands. The attack campaign appears to have started as early as March 27, nearly a month before SAP issued its patch.
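The endpoint named above is the one observable a defender can pivot on: any POST to /developmentserver/metadatauploader from an untrusted source is worth a look, and a 2xx response to such a POST suggests the upload was accepted. The following script is an added example (not code from the article, Rapid7 or SAP) that parses web-server access logs in the common combined format, flags POSTs to that path, and summarises them by source address. The log lines are constructed for the example, the combined-log layout is an assumption about the reader's logging setup, and the path is normalised (case, trailing slash, URL encoding) so trivial variations of the same request are not missed.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample access-log lines (not real traffic); the 203.0.113.0/24
# range is the documentation prefix and stands in for an external source.
SAMPLE_LOG = """\
10.0.0.5 - - [27/Apr/2025:10:01:12 +0000] "GET /irj/portal HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Apr/2025:10:02:45 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 312 "-" "python-requests/2.31"
203.0.113.7 - - [27/Apr/2025:10:02:47 +0000] "POST /DevelopmentServer/MetadataUploader/ HTTP/1.1" 200 312 "-" "python-requests/2.31"
10.0.0.9 - - [27/Apr/2025:10:03:01 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 403 0 "-" "Mozilla/5.0"
198.51.100.4 - - [27/Apr/2025:10:04:20 +0000] "POST /developmentserver/%6detadatauploader HTTP/1.1" 500 0 "-" "curl/8.0"
"""

# Combined / common log format: ip ident user [time] "method target proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Path from the article; everything about how it is matched below is this example's choice.
UPLOADER_PATH = "/developmentserver/metadatauploader"


def normalise_path(target):
    """Strip the query string, URL-decode, lower-case and drop a trailing slash
    so that /DevelopmentServer/MetadataUploader/ and /developmentserver/%6detadatauploader
    compare equal to the canonical path."""
    path, _, _query = target.partition("?")
    path = unquote(path).lower()
    return path.rstrip("/") or "/"


def parse_line(line):
    """Return a dict of fields for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = normalise_path(rec["target"])
    rec["status"] = int(rec["status"])
    return rec


def classify(rec):
    """'accepted' for a 2xx POST to the uploader (upload likely succeeded),
    'attempt' for any other POST to it, None for everything else."""
    if rec["method"] != "POST" or rec["path"] != UPLOADER_PATH:
        return None
    return "accepted" if 200 <= rec["status"] < 300 else "attempt"


def find_uploader_posts(log_text):
    """All POSTs to the metadata uploader, each tagged with its classification."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        kind = classify(rec)
        if kind:
            rec["kind"] = kind
            hits.append(rec)
    return hits


def summarize(hits):
    """Count hits overall, per classification and per source address."""
    return {
        "total": len(hits),
        "accepted": sum(1 for h in hits if h["kind"] == "accepted"),
        "by_source": dict(Counter(h["ip"] for h in hits)),
    }


if __name__ == "__main__":
    hits = find_uploader_posts(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["ip"]} {h["kind"]:8} {h["status"]} {h["target"]}')
    print(summarize(hits))
```

Run it as a filter over the real log (replace SAMPLE_LOG with the file contents); "accepted" entries from addresses outside the expected administrative ranges are the ones to triage first, and the per-source counts give a quick view of repeated attempts from one origin.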

ReliaQuest noted that threat actors are using the Brute Ratel penetration testing framework for command-and-control (C2) operations, custom payloads, privilege escalation, and Heaven’s Gate, a sophisticated memory manipulation method used to evade endpoint detection and response (EDR) tools.

The Metadata Uploader component, though not installed by default, is frequently enabled in SAP Java environments. Security firm Onapsis estimates that it is present in 50% to 70% of SAP Java systems, as many organizations enable it to allow business users to build applications without writing code.

Successful exploitation gives attackers admin-level access to SAP resources, including databases and application controls. This level of access could be leveraged to deploy ransomware, modify financial records, steal PII, or even destroy critical business logs and data.

Mitigation

Organizations using SAP NetWeaver are urged to:

    • Apply SAP’s emergency patch immediately
    • Disable the Visual Composer component if patching isn’t possible
    • Limit network exposure of vulnerable endpoints

The Center for Internet Security (CIS) has classified the threat as high risk for large and medium-sized businesses and government agencies, and medium risk for smaller entities.