Critical SAP NetWeaver Zero-Day Exploited in Active Attacks
A newly discovered zero-day vulnerability in SAP NetWeaver, tracked as CVE-2025-31324 with a maximum CVSS score of 10.0, is under active exploitation, potentially putting thousands of exposed applications at risk.
The flaw exists in the Visual Composer Metadata Uploader component of SAP NetWeaver, which lacks proper authorization checks. This allows unauthenticated attackers to upload and execute malicious files on vulnerable systems—potentially leading to complete compromise.
SAP released a patch for the flaw during its April 2025 Security Patch Day. However, security researchers from ReliaQuest identified the vulnerability during investigations into several attack cases—some affecting fully patched systems—suggesting that exploitation may have begun before the patch was made public.
ReliaQuest’s report, published on April 22, 2025, initially suspected a remote file inclusion issue but later confirmed it to be an unrestricted file upload vulnerability. Attackers exploited this by sending crafted POST requests to the /developmentserver/metadatauploader endpoint, allowing them to upload malicious JSP webshells to a specific directory (/servletjsp/irj/root/). These files were then executed via GET requests, granting attackers remote access and control over the system.
All observed webshells shared common naming conventions like helper.jsp or cache.jsp and used code sourced from public GitHub repositories, including known remote code execution (RCE) projects. In some cases, attackers used advanced tools like Brute Ratel and Heaven’s Gate to evade detection and establish long-term control—indicating a highly sophisticated threat actor.
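The two request patterns described above (a POST to the Metadata Uploader endpoint, followed by a GET of a JSP under the irj/root directory, often named helper.jsp or cache.jsp) can be turned into a simple access-log check. The following is an added example written for this article, not code from ReliaQuest or SAP; it assumes web-server logs in combined log format and that the uploaded webshell is requested at a URL containing /irj/root/, and it treats any POST to the uploader as suspicious because legitimate development traffic to that endpoint is rare on production systems. The log lines at the bottom are constructed for illustration.

```python
"""
Hypothetical detection logic (added example, not from the article or ReliaQuest):
flag HTTP access-log lines matching the CVE-2025-31324 exploitation pattern
described above, an unauthenticated POST to /developmentserver/metadatauploader
followed by a GET of a .jsp under irj/root, correlated by client IP.
"""
import re
from collections import defaultdict

# Endpoint and webshell location as described in the article. Treating the
# request URL as containing "/irj/root/" is an assumption for this example.
UPLOADER_PATH = "/developmentserver/metadatauploader"
WEBSHELL_DIR_RE = re.compile(r"/irj/root/[^ ?]*\.jsp", re.IGNORECASE)
# Webshell names observed in the campaign; any other .jsp in the directory is
# still reported, at lower confidence.
KNOWN_WEBSHELL_NAMES = {"helper.jsp", "cache.jsp"}

# Minimal combined-log-format parser: client IP, method, path, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return a dict with ip/method/path/status, or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def analyze(lines):
    """Return findings (ip, kind, path, status, confidence) in log order."""
    findings = []
    uploads_by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"]
        bare_path = path.split("?")[0]
        # Signal 1: POST to the Metadata Uploader endpoint.
        if rec["method"] == "POST" and bare_path.lower() == UPLOADER_PATH:
            uploads_by_ip[rec["ip"]].append(path)
            findings.append({"ip": rec["ip"], "kind": "metadatauploader_post",
                             "path": path, "status": rec["status"], "confidence": "medium"})
        # Signal 2: GET of a JSP in the webshell directory. A 200 means the file
        # exists and ran; a 404 still indicates probing for a known shell name.
        elif rec["method"] == "GET" and WEBSHELL_DIR_RE.search(path):
            name = bare_path.rsplit("/", 1)[-1].lower()
            confidence = "high" if name in KNOWN_WEBSHELL_NAMES else "medium"
            if uploads_by_ip.get(rec["ip"]):
                # Same client hit the uploader earlier: upload-then-execute chain.
                kind, confidence = "webshell_after_upload", "high"
            else:
                kind = "jsp_in_webshell_dir"
            findings.append({"ip": rec["ip"], "kind": kind, "path": path,
                             "status": rec["status"], "confidence": confidence})
    return findings


# Constructed sample log lines (not real traffic; addresses are documentation ranges).
SAMPLE_LOG = [
    '198.51.100.7 - - [23/Apr/2025:10:01:02 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 512',
    '198.51.100.7 - - [23/Apr/2025:10:01:09 +0000] "GET /irj/root/helper.jsp HTTP/1.1" 200 88',
    '203.0.113.5 - - [23/Apr/2025:10:05:00 +0000] "GET /irj/portal HTTP/1.1" 200 4096',
    '203.0.113.9 - - [23/Apr/2025:10:06:00 +0000] "GET /irj/root/report.jsp HTTP/1.1" 404 210',
    "not a log line",
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f)
```

Run against real logs by replacing SAMPLE_LOG with the lines of the SAP Java access log; the correlation by client IP is deliberately loose (no time window) so that a shell first used hours after the upload, as the article's delayed-exploitation pattern suggests, is still linked to its upload.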
The delay between initial access and further exploitation suggests the involvement of an initial access broker: cybercriminals who compromise systems and then sell the resulting access (obtained through VPN or RDP credentials, or through vulnerabilities) to other actors on underground forums.
While the attacks bear similarities to past exploitation of CVE-2017-9844, the current campaign appears to leverage a previously unreported Remote File Inclusion (RFI) flaw. This zero-day has been observed targeting even the most up-to-date versions of SAP NetWeaver.
ReliaQuest reported the issue to SAP, which responded with a security update. The firm also deployed detection measures to protect clients and urges all organizations using SAP NetWeaver to immediately apply the latest patches and monitor their systems for signs of compromise.