Over 10,000 SAP applications are potentially impacted by a critical zero-day vulnerability that has already been exploited in attacks for code execution.
Tracked as CVE-2025-31324 (CVSS score of 10/10), the security defect is described as the lack of proper authorization (missing authorization check) in the Visual Composer Metadata Uploader component of SAP NetWeaver.
The bug allows an “unauthenticated agent to upload potentially malicious executable binaries that could severely harm the host system,” a NIST advisory reads.
SAP has updated its April 2025 Security Patch Day advisory to include a security note addressing the NetWeaver vulnerability.
The flaw was discovered by ReliaQuest during an investigation into intrusions at multiple customers, including attacks on systems that had the latest SAP patches installed.
At first glance, ReliaQuest says, the unauthorized file upload and execution activity appeared linked to the exploitation of CVE-2017-9844 (CVSS score of 9.8), a Metadata Uploader bug that could lead to denial-of-service (DoS) conditions and code execution via crafted serialized Java objects.
As part of the observed attacks, the Metadata Uploader has been abused to upload malicious JSP webshell files via crafted POST requests, and then execute them via simple GET requests, obtaining full control of the vulnerable endpoint.
In all cases, the JSP webshells were planted in the same root directory, had similar functionality, and shared code from a public GitHub repository on remote code execution (RCE) via file uploads.
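The upload-then-execute sequence described above leaves a characteristic trace in the web server access log: a POST to the Metadata Uploader followed, from the same client, by a GET for a JSP file that was not part of the deployed application. The following is an added detection example written for this article; it is not code from ReliaQuest, SAP or the original report. The uploader endpoint path (`UPLOADER_PATH`), the JSP web root prefix (`JSP_ROOT`), the baseline of known JSP files and all log lines are constructed placeholders and assumptions, to be replaced with the values of the environment being monitored.

```python
"""Heuristic detection for the 'upload JSP via POST, execute via GET' pattern.

Assumptions (not taken from the article): UPLOADER_PATH and JSP_ROOT are
placeholders, KNOWN_JSP is a baseline inventory of legitimate JSP files, and
SAMPLE_LOG consists of constructed NCSA combined-format lines.
"""
import re
from datetime import datetime, timedelta

UPLOADER_PATH = "/PLACEHOLDER/metadatauploader"  # assumption: real uploader endpoint goes here
JSP_ROOT = "/irj/root/"                          # assumption: root from which uploaded JSPs are served
WINDOW = timedelta(minutes=30)                   # max gap between upload and first execution

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample access log: one client uploads, then calls an unknown JSP;
# a second client calls a known JSP and, later, an unknown one with no upload.
SAMPLE_LOG = """\
203.0.113.10 - - [24/Apr/2025:09:12:01 +0000] "GET /irj/portal HTTP/1.1" 200 5120
203.0.113.10 - - [24/Apr/2025:09:12:09 +0000] "POST /PLACEHOLDER/metadatauploader?CONTENTTYPE=MODEL HTTP/1.1" 200 312
203.0.113.10 - - [24/Apr/2025:09:13:40 +0000] "GET /irj/root/helper.jsp HTTP/1.1" 200 87
198.51.100.7 - - [24/Apr/2025:10:02:13 +0000] "GET /irj/root/index.jsp HTTP/1.1" 200 2048
198.51.100.7 - - [24/Apr/2025:10:05:00 +0000] "GET /irj/root/report.jsp HTTP/1.1" 404 196
""".splitlines()

KNOWN_JSP = {"/irj/root/index.jsp"}  # assumption: baseline inventory of deployed JSP files


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    ev["path"] = ev["path"].split("?", 1)[0]  # drop the query string before matching
    return ev


def detect(lines, known_jsp):
    """Return a list of alerts in log order.

    medium: any POST to the uploader endpoint (the component is not enabled by
            default, so such requests deserve review on their own)
    high:   GET of a JSP under JSP_ROOT that is not in the baseline, from a client
            that POSTed to the uploader within WINDOW beforehand
    low:    GET of a JSP not in the baseline with no preceding upload from that client
    """
    alerts = []
    last_upload = {}  # client ip -> timestamp of its most recent uploader POST
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue
        ip, method, path, ts = ev["ip"], ev["method"], ev["path"], ev["ts"]
        if method == "POST" and path.lower() == UPLOADER_PATH.lower():
            last_upload[ip] = ts
            alerts.append({"severity": "medium", "ip": ip, "path": path,
                           "reason": "POST to Metadata Uploader endpoint"})
        elif (method == "GET" and path.startswith(JSP_ROOT)
              and path.lower().endswith(".jsp") and path not in known_jsp):
            prior = last_upload.get(ip)
            if prior is not None and timedelta(0) <= ts - prior <= WINDOW:
                alerts.append({"severity": "high", "ip": ip, "path": path,
                               "reason": "unknown JSP requested shortly after uploader POST"})
            else:
                alerts.append({"severity": "low", "ip": ip, "path": path,
                               "reason": "JSP not in deployment baseline"})
    return alerts


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect(SAMPLE_LOG, KNOWN_JSP)


if __name__ == "__main__":
    for a in run_sample():
        print(f"[{a['severity']}] {a['ip']} {a['path']}: {a['reason']}")
```

The baseline set is the important part: a JSP that is not in the deployment inventory is the signal, whatever it is named, and correlating it with a preceding uploader POST from the same client separates a planted webshell from a missing file or a broken link. In production the baseline would come from a file-system inventory of the JSP directory rather than a hard-coded set.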
The webshell enabled additional payload deployments, RCE, and lateral movement, and ReliaQuest identified several post-exploitation tools, including the Brute Ratel command-and-control (C&C) framework and the Heaven’s Gate in-memory endpoint protection bypass technique.
Brute Ratel was used to inject code into a Windows process and to upload and decrypt malicious payloads in memory. The framework also supports privilege escalation, security application bypass, credential exfiltration, and lateral movement.
Heaven’s Gate was used for thread manipulation, as it enables a transition from 32-bit to 64-bit mode during code execution.
“In one instance, we observed that it took several days for the attacker to move from initial access to performing follow-up actions. Based on this delay, we believe the attacker may be an initial access broker obtaining and selling access to other threat actors,” ReliaQuest notes.
The cybersecurity firm says it found no relevant chats about access to NetWeaver servers via a webshell on cybercrime forums, concluding that the exploited vulnerability was likely a new, unreported remote file inclusion (RFI) issue in SAP’s applications.
“Based on the available facts, we assess with high confidence that this involves the use of an unreported RFI issue against public SAP NetWeaver servers. It is currently unconfirmed whether this only impacts specific versions of NetWeaver; however, in the cases where these tactics were observed, the server had the most up-to-date patch,” ReliaQuest notes.
The cybersecurity firm did not mention CVE-2025-31324 in its report earlier this week, but the CVE identifier that was assigned on Thursday to the Visual Composer Metadata Uploader flaw appears to be linked to the observed zero-day exploitation.
According to enterprise application security firm Onapsis, the vulnerability could expose more than 10,000 internet-facing SAP applications to cyberattacks.
“The exploitation grants the attackers full control over SAP’s critical business processes and information, which could result in espionage, sabotage, and fraud. Customers using the vulnerable component across Cloud / RISE with SAP environments, cloud-native and on-premise deployment models, are impacted,” Onapsis told SecurityWeek.
The security firm also pointed out that, because the vulnerable component is not enabled by default, it is still “investigating whether it is possible to confirm the number of affected systems”.