SAP has launched out-of-band emergency NetWeaver updates to repair a suspected distant code execution (RCE) zero-day flaw actively exploited to hijack servers.
The vulnerability, tracked below CVE-2025-31324 and rated crucial (CVSS v3 rating: 10.0), is an unauthenticated file add vulnerability in SAP NetWeaver Visible Composer, particularly the Metadata Uploader part.
It permits attackers to add malicious executable recordsdata with no need to log in, probably resulting in distant code execution and full system compromise.
Although the vendor’s bulletin is not public, ReliaQuest reported earlier this week about an actively exploited vulnerability on SAP NetWeaver Visible Composer, particularly the ‘/developmentserver/metadatauploader’ endpoint, which aligns with CVE-2025-31324.
Bindiast reported that a number of clients have been compromised by way of unauthorized file uploads on SAP NetWeaver, with the attackers importing JSP webshells to publicly accessible directories.
These uploads enabled distant code execution by way of easy GET requests to the JSP recordsdata, permitting command execution from the browser, file administration actions (add/obtain), and extra.
Within the post-exploitation section, the attackers deployed the ‘Brute Ratel’ crimson crew instrument, the ‘Heaven’s Gate’ safety bypassing method, and injected MSBuild-compiled code into dllhost.exe for stealth.
ReliaQuest famous within the report that exploitation didn’t require authentication and that the compromised methods have been absolutely patched, indicating that they have been focused by a zero-day exploit.
Safety agency watchTowr additionally confirmed to BleepingComputer they’re seeing energetic exploitation linked to CVE-2025-31324.
“Unauthenticated attackers can abuse built-in performance to add arbitrary recordsdata to an SAP NetWeaver occasion, which implies full Distant Code Execution and whole system compromise,” acknowledged watchTowr CEO Benjamin Harris.
“watchTowr is seeing energetic exploitation by menace actors, who’re utilizing this vulnerability to drop internet shell backdoors onto uncovered methods and achieve additional entry.”
“This energetic in-the-wild exploitation and widespread influence makes it extremely possible that we’ll quickly see prolific exploitation by a number of events.”
BleepingComputer contacted SAP with questions in regards to the energetic exploitation however has not obtained a response presently.
Shield towards assaults now
The vulnerability impacts the Visible Composer Framework 7.50 and the beneficial motion is to use the most recent patch.
This emergency safety replace was made obtainable after SAP’s common ‘April 2025’ replaceso in the event you utilized that replace earlier this month (launched on April 8, 2025), you are still susceptible to CVE-2025-31324.
Furthermore, the emergency replace consists of fixes for 2 extra crucial vulnerabilities, specifically CVE-2025-27429 (code injection in SAP S/4HANA) and CVE-2025-31330 (code injection in SAP Panorama Transformation).
These unable to use the updates that handle CVE-2025-31324 are beneficial to carry out the next mitigations:
Prohibit entry to the /developmentserver/metadatauploader endpoint.
If Visible Composer is just not in use, take into account turning it off fully.
Ahead logs to SIEM and scan for unauthorized recordsdata within the servlet path.
ReliaQuest recommends performing a deep atmosphere scan to find and delete suspect recordsdata earlier than making use of the mitigations.
Replace 4/25 – A SAP spokesperson disputed by way of a press release to BleepingComputer that CVE-2025-31324 was efficiently exploited in precise assaults.
“SAP was made conscious of a vulnerability in SAP NETWEAVER Visible Composer, which can have allowed unauthenticated and unauthorized code execution in sure Java Servlet,” acknowledged the SAP spokesperson.
“SAP is just not conscious that SAP buyer knowledge or methods have been impacted by these vulnerabilities. A workaround was launched on April 8, 2025, and a patch is at the moment obtainable. Prospects are beneficial to use the patch instantly.”
In the meantime, cybersecurity agency Onapsis, printed a report saying it additionally noticed energetic exploitation.
