
Critical SAP Zero-Day Vulnerability Under Active Exploitation

Massive SAP exploit alert, public exploit already detected.

SAP Zero-Day Vulnerability

A critical zero-day vulnerability in SAP NetWeaver systems (CVE-2025-31324) is currently being actively exploited by threat actors, according to security researchers. The vulnerability, which affects the Visual Composer component, allows unauthenticated attackers to upload arbitrary files to SAP systems, potentially leading to complete system compromise.

The flaw, assigned a maximum CVSS score of 10.0, specifically impacts the "developmentserver" component within SAP Visual Composer, part of the SAP NetWeaver Java stack. Although not installed by default, Visual Composer is widely deployed across SAP environments due to its popularity among business process specialists for developing components without coding.

Security firm Onapsis reports that the vulnerability exists in all SAP NetWeaver 7.xx versions and all support package stacks (SPS). According to their research, the vulnerable component is installed in approximately 50-70% of Java systems.

"The fundamental issue is an improper authentication and authorization check in the application," explains Onapsis in their report. "This means the Metadata Uploader is not protected when an unauthenticated user wants to leverage some of its functionality."

Attack Method and Impact

Exploitation occurs through HTTP/HTTPS, with attackers targeting the "/developmentserver/metadatauploader" URL by sending crafted POST requests. No authentication is required, making internet-facing SAP systems particularly vulnerable.

Once exploited, attackers can upload malicious files, primarily webshells with names like "helper.jsp" and "cache.jsp." These webshells provide command execution capabilities with the privileges of the "<sid>adm" operating system user, effectively granting full access to all SAP resources.

ReliaQuest, which first publicly reported the exploitation, observed attackers deploying sophisticated post-exploitation tools including "Brute Ratel" and using the "Heaven's Gate" technique to maintain persistence.
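A defender-side check for the request pattern described above, scanning web-server access logs for POST requests to the metadatauploader endpoint and for requests to the webshell file names the article mentions. This is an added example, not code from the article, SAP, Onapsis or ReliaQuest; the Common Log Format layout, the sample lines, the client addresses and the webshell location are constructed for the example.

```python
import re
from collections import Counter

# Endpoint and webshell names come from the article; everything else here
# (log layout, addresses, the webshell path) is constructed for this example.
VULN_ENDPOINT = "/developmentserver/metadatauploader"
WEBSHELL_NAMES = ("helper.jsp", "cache.jsp")

# Common Log Format style line: ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

SAMPLE_LOG = """\
203.0.113.10 - - [24/Apr/2025:10:01:02 +0000] "GET /irj/portal HTTP/1.1" 200 5123
203.0.113.55 - - [24/Apr/2025:10:02:10 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 312
203.0.113.55 - - [24/Apr/2025:10:02:15 +0000] "GET /irj/root/helper.jsp?cmd=id HTTP/1.1" 200 87
198.51.100.7 - - [24/Apr/2025:10:05:00 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 404 0
198.51.100.7 - - [24/Apr/2025:10:06:00 +0000] "POST /DEVELOPMENTSERVER/metadatauploader HTTP/1.1" 200 301
"""

def classify(line):
    """Return a finding tag for one access-log line, or None if it looks benign."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Strip the query string and normalise case so trivial variants still match.
    path = m.group("path").split("?", 1)[0].lower()
    if path == VULN_ENDPOINT:
        # POST is the documented upload vector; any other method is a probe.
        return "metadatauploader_post" if m.group("method") == "POST" else "metadatauploader_probe"
    if path.rsplit("/", 1)[-1] in WEBSHELL_NAMES:
        return "webshell_access"  # post-exploitation access to a known webshell name
    return None

def scan(log_text):
    """Group findings per client IP so an analyst can see who did what."""
    findings = {}
    for line in log_text.splitlines():
        tag = classify(line)
        if tag:
            ip = LOG_RE.match(line).group("ip")
            findings.setdefault(ip, Counter())[tag] += 1
    return findings

if __name__ == "__main__":
    for ip, tags in scan(SAMPLE_LOG).items():
        print(ip, dict(tags))
```

A hit on the POST tag alone means an upload was attempted, not that it succeeded; pair it with the file-system checks from SAP's guidance before declaring a compromise.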

Remediation Steps

SAP released an emergency patch via Security Note #3594142. Organizations unable to patch immediately can implement workarounds detailed in SAP Note #3593336, which include restricting access to the vulnerable endpoint or disabling Visual Composer entirely if it is not in use.

Security experts recommend:

  1. Immediately identifying all systems with the vulnerable component
  2. Applying the latest patches or implementing the recommended mitigations
  3. Conducting compromise assessments if systems were exposed

For potentially compromised systems, SAP has provided guidance in Note #3596125 to search for unauthorized JSP, Java, or class files in specific directories as indicators of compromise.

At the time of writing, exploit code has already been published, and active exploitation of this vulnerability continues in the wild.

While SAP stated to BleepingComputer that they are "not aware that SAP customer data or systems were impacted," multiple security firms including Onapsis, ReliaQuest, and watchTowr have confirmed observing active exploitation in the wild.

Given the severity of this vulnerability and its active exploitation, organizations are strongly advised to prioritize remediation efforts to protect their critical SAP infrastructure.
