Critical SAP NetWeaver flaw exploited by suspected initial access broker (CVE-2025-31324)

CVE-2025-31324, a critical vulnerability in the SAP NetWeaver platform, is being actively exploited by attackers to upload malicious webshells, giving them unauthorized file upload and code execution on the affected server.


The vulnerability was initially leveraged in zero-day attacks spotted by ReliaQuest researchers, who reported them to SAP.

The software company confirmed that the attackers have been leveraging a new vulnerability, released an emergency patch on April 24, and urged organizations to apply it and to check whether their installations have already been compromised.

About CVE-2025-31324

SAP NetWeaver is a platform that provides the foundation for many of SAP’s business applications. CVE-2025-31324 is present in the Visual Composer tool.

More specifically, CVE-2025-31324 stems from Visual Composer’s Metadata Uploader component not having proper authorization checks. This absence allows unauthenticated attackers to upload malicious files to the host system, and execute commands with administrative permissions.

“The vulnerability is exploitable through HTTP/HTTPS, potentially over the Internet. Attackers target the /developmentserver/metadatauploader URL by sending carefully crafted POST requests,” Onapsis researchers noted.

“With [admin] access, the attacker gains unauthorized access to the underlying SAP Operating System using the user and privileges of the processes running in the SAP Application Server, implying full access to any SAP resource, including the SAP system database without any restrictions, permitting them to take several actions (e.g., shut down the SAP application or deploy ransomware). Additionally, the system can be used as a foothold into a network for the attacker to pivot from this initial entry point and access other internal systems, taking advantage of the interconnected nature of SAP systems.”

CVE-2025-31324 affects SAP NetWeaver 7.xx versions.

About the attacks

ReliaQuest investigated the attacks after several of its customers were hit this month, and discovered that the attackers:

  • Uploaded .jsp webshells (e.g., helper.jsp or cache.jsp) into the j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root/ directory
  • Fired off a GET request to execute them
  • Used the Brute Ratel tool and the Heaven’s Gate technique to establish command and control communication, carry out post-exploitation actions, and avoid detection by endpoint security solutions.
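The two-step pattern described above (an unauthenticated POST to /developmentserver/metadatauploader, followed by a GET for a freshly dropped .jsp under the portal path) is easy to hunt for in web-server or reverse-proxy access logs. The following is an added example, not code from ReliaQuest, SAP or Onapsis: it assumes a common-log-style line format (adjust `LOG_RE` for your own SAP ICM or proxy logs) and runs over a few constructed sample lines, flagging any source address that both uploaded successfully and then hit a .jsp under /irj/.

```python
import re
from collections import defaultdict

# Endpoint abused in the reported attacks.
UPLOADER_PATH = "/developmentserver/metadatauploader"
# Requests for a .jsp directly under the portal root are unusual and match
# the way the dropped webshells were invoked.
IRJ_JSP_RE = re.compile(r"^/irj/[^?]*\.jsp(\?|$)", re.IGNORECASE)

# Common-log-style format (assumption; adapt to your actual log source).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (not real traffic): one full exploit chain from
# 203.0.113.10, one benign portal hit, and one upload attempt blocked with 403.
SAMPLE_LOG = """\
203.0.113.10 - - [22/Apr/2025:10:01:12 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 512
203.0.113.10 - - [22/Apr/2025:10:01:15 +0000] "GET /irj/cache.jsp HTTP/1.1" 200 88
198.51.100.7 - - [22/Apr/2025:10:05:00 +0000] "GET /irj/portal HTTP/1.1" 200 10240
192.0.2.44 - - [22/Apr/2025:11:30:01 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 403 0
"""


def parse_line(line):
    """Return a dict of the fields we need, or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def classify(entry):
    """Label an entry as one of the two indicator types, or None."""
    path_no_query = entry["path"].split("?", 1)[0].lower()
    if entry["method"] == "POST" and path_no_query == UPLOADER_PATH:
        return "metadatauploader_post"
    if entry["method"] == "GET" and IRJ_JSP_RE.match(entry["path"]):
        return "irj_jsp_get"
    return None


def find_indicators(log_text):
    """All log entries matching either indicator, in file order."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        kind = classify(entry)
        if kind:
            findings.append({"ip": entry["ip"], "ts": entry["ts"], "kind": kind,
                             "path": entry["path"], "status": entry["status"]})
    return findings


def correlate(findings):
    """Group indicator types by source IP. Only a 2xx on the uploader counts as
    a successful upload; a blocked (4xx) attempt is reported separately."""
    by_ip = defaultdict(set)
    for f in findings:
        if f["kind"] == "metadatauploader_post" and 200 <= f["status"] < 300:
            by_ip[f["ip"]].add("upload")
        elif f["kind"] == "irj_jsp_get":
            by_ip[f["ip"]].add("webshell_hit")
    return dict(by_ip)


def suspected_chain(log_text):
    """IPs that completed the full upload-then-execute sequence."""
    groups = correlate(find_indicators(log_text))
    return sorted(ip for ip, kinds in groups.items()
                  if {"upload", "webshell_hit"} <= kinds)


if __name__ == "__main__":
    for f in find_indicators(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['kind']} {f['path']} {f['status']}")
    print("suspected exploit chain from:", suspected_chain(SAMPLE_LOG))
```

A single POST to the uploader with a 2xx response is already worth an alert on an unpatched system; the correlation step just prioritizes hosts where the webshell was actually invoked.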

“In one instance, we observed that it took several days for the attacker to move from initial access to performing follow-up actions. Based on this delay, we believe the attacker may be an initial access broker obtaining and selling access to other threat actors,” ReliaQuest researchers opined.

Patch, investigate, clean up

SAP solutions are usually deployed on-premises and are most often used by large enterprises and government agencies.

The Shadowserver Foundation says there are currently around 450 vulnerable SAP NetWeaver instances reachable via the internet, located predominantly in the US, India, Australia, China and Europe.

Whether they have already been breached by attackers is for the security departments to find out.

Admins should immediately apply the patch provided by SAP, or restrict access to the Metadata Uploader component if they can’t apply the patch. Visual Composer should also be disabled, if it’s not actively used.

SAP’s security notes (1, 2) tell IT security personnel what to search for when looking for indicators of compromise.

Any .jsp, .java, or .class files in the \root, \work, and \work\sync directories should be considered malicious.

If evidence of compromise is discovered, the investigation should be widened to determine what other systems and networks have been compromised and to proceed to clean up.
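The file-type check from SAP's notes can be scripted as a first triage pass over the irj application directory. The following is an added example and not SAP's or Onapsis's tooling: it assumes `scan_for_iocs` is pointed at the irj directory that contains `root` and `work` (on a real system, the `.../servlet_jsp/irj/` path named above), flags every .jsp/.java/.class file found in the three directories, rates the webshell names reported by ReliaQuest as high confidence, and records a SHA-256 and modification time for each hit so the evidence can be preserved before clean-up. A constructed sample tree is built in a temporary directory so the script runs offline.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Directories called out in SAP's security notes, relative to the irj
# application directory. Files of these types should not normally appear there.
SUSPECT_DIRS = ("root", "work", os.path.join("work", "sync"))
SUSPECT_EXTS = {".jsp", ".java", ".class"}
# Webshell filenames reported by ReliaQuest; other matching files are still flagged.
KNOWN_WEBSHELL_NAMES = {"helper.jsp", "cache.jsp"}


def sha256_of(path):
    """Hash a file in chunks so large artifacts do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_for_iocs(irj_dir):
    """Return a sorted list of suspect files under the three watched directories.
    Missing directories are skipped; work/sync is reached both directly and via
    work, so hits are de-duplicated by resolved path."""
    irj_dir = Path(irj_dir)
    findings, seen = [], set()
    for rel in SUSPECT_DIRS:
        directory = irj_dir / rel
        if not directory.is_dir():
            continue
        for p in directory.rglob("*"):
            if not p.is_file() or p.suffix.lower() not in SUSPECT_EXTS:
                continue
            resolved = p.resolve()
            if resolved in seen:
                continue
            seen.add(resolved)
            findings.append({
                "path": p.relative_to(irj_dir).as_posix(),
                "confidence": "high" if p.name.lower() in KNOWN_WEBSHELL_NAMES else "medium",
                "sha256": sha256_of(p),
                "mtime": p.stat().st_mtime,
            })
    return sorted(findings, key=lambda f: f["path"])


def build_sample_tree():
    """Constructed sample irj directory (not real data): one file with a reported
    webshell name, one unexpected .class under work/sync, and two benign files."""
    base = Path(tempfile.mkdtemp(prefix="irj_sample_"))
    (base / "root").mkdir()
    (base / "work" / "sync").mkdir(parents=True)
    (base / "root" / "cache.jsp").write_text("<%-- constructed placeholder, not a real webshell --%>")
    (base / "root" / "index.html").write_text("<html></html>")
    (base / "work" / "sync" / "Foo.class").write_bytes(b"\xca\xfe\xba\xbe")
    (base / "work" / "notes.txt").write_text("benign")
    return base


if __name__ == "__main__":
    sample = build_sample_tree()
    for hit in scan_for_iocs(sample):
        print(f"[{hit['confidence']}] {hit['path']} sha256={hit['sha256']}")
```

Treat any hit as a reason to image the host and pull the web logs before deleting files; the hash and timestamp are what lets the wider investigation tie this server to the rest of the intrusion.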

Onapsis has released an open-source scanner tool that organizations can use to check whether the affected component is present on the SAP NetWeaver instance, whether it’s patched, and whether known webshells are present.
