Attackers have been exploiting a critical zero-day vulnerability in the Visual Composer component of the SAP NetWeaver application server since early this week. SAP released an out-of-band fix that’s available through its support portal and it should be applied immediately, especially on systems that are directly exposed to the internet.
“Unauthenticated attackers can abuse built-in functionality to upload arbitrary files to an SAP NetWeaver instance, which means full remote code execution and total system compromise,” Benjamin Harris, CEO of cybersecurity firm watchTowr, told CSO. “This isn’t a theoretical threat — it’s happening right now. watchTowr is seeing active exploitation by threat actors, who are using this vulnerability to drop web shell backdoors onto exposed systems and gain further access.”
The vulnerability, tracked as CVE-2025-31324, received the maximum severity score of 10 on the CVSS scale. Customers should apply the fix in SAP Security Note 3594142 (requires authentication), but if they can’t do so immediately, they should disable or prevent access to the vulnerable component by following the instructions in SAP Note 3596125, researchers from SAP-focused security firm Onapsis said in an advisory.
Initial access broker deploys insecure web shells
The attacks targeting CVE-2025-31324 were initially reported Tuesday by researchers from security firm ReliaQuest who investigated break-ins that resulted in JSP web shells being installed on SAP servers. Web shells are web scripts that function as backdoors and allow attackers to execute additional commands or upload additional files to web servers.
SAP NetWeaver is the application server and runtime environment that underpins most SAP software products as well as custom business applications built by customers. The SAP NetWeaver Visual Composer is a web-based software modelling tool that allows users to design and produce applications without writing any code. The good news is that Visual Composer is not enabled by default on SAP deployments.
The attacks investigated by ReliaQuest targeted a server endpoint called /developmentserver/metadatauploader, which is designed to handle metadata files for application development and configuration in SAP applications in the NetWeaver environment. But while this endpoint is meant to transfer and process configuration files, it seemed that attackers found a way to abuse it to write web shell files in the j2ee/cluster/apps/sap.com/irj/servletjsp/irj/root/ directory.
ReliaQuest researchers initially suspected the attacks — which involved specially crafted POST requests — might be exploiting a previously unknown remote file inclusion (RFI) vulnerability, but it turned out to be a much more serious unrestricted file upload vulnerability.
“The goal of the web shell was clear: Use the JSP file to send GET requests that would execute arbitrary commands,” the researchers said. “This web shell gave attackers the tools to upload unauthorized files, seize deeper control of compromised systems, execute remote code at will, and potentially steal sensitive data by placing it in publicly accessible directories.”
Post-compromise activity involved deployment of additional payloads such as the Brute Ratel and Heaven’s Gate malware implants. However, it usually took days between when a web shell was installed and when follow-up activity was observed. This delay, together with the variety of payloads, led the researchers to suspect that the attacks were the work of an initial access broker who was selling access to compromised servers to other groups, who then deployed their own payloads.
The initial access broker theory is also supported by watchTowr, whose researchers believe that access was or will be sold to ransomware gangs. The bad news, however, is that the access broker took no steps to secure their web shell with authentication.
“The fatal flaw in their plan though, and ultimately the challenge they may now face, is that the deployed backdoors did not restrict who could utilize the backdoor — now that this information is public, ransomware gangs will likely discover the deployed backdoors by themselves and bypass the need for said initial access broker,” watchTowr’s Harris told CSO.
Detection and remediation
Companies can test whether their servers are vulnerable by checking if they can access https://[your-sap-server]/developmentserver/metadatauploader without authentication. If the server is exposed publicly and this page can be accessed without credentials, then the logs should be checked for signs of exploitation. According to SAP security firm RedRays this includes:
- Looking for unauthorized access attempts to the /developmentserver/metadatauploader path
- Checking for unexpected file uploads in web server logs
- Searching for unusual execution patterns or suspicious processes on your SAP server
- Monitoring for unauthorized outbound connections from your SAP systems
The company has provided patterns to search for in the web server access logs and advises users to restrict access to the Metadata Uploader component until patches can be applied.
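One way to run the first two log checks listed above is a small scanner over the web server access log. The script below is an added example for this article, not code from CSO, RedRays, SAP or any of the firms quoted. It assumes Combined Log Format access logs, that JSP files dropped into the irj/root directory are served under the /irj/ URL prefix, and that the operator keeps a baseline of JSP paths that are legitimately requested on their system; the sample log lines, IP addresses and the baseline entry are constructed for illustration.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Endpoint named in the advisory; everything else below is constructed.
UPLOADER_PATH = "/developmentserver/metadatauploader"

# Assumed: JSPs that legitimately exist on this system. Fill from a known-clean host.
BASELINE_JSP = frozenset({"/irj/go/km/docs/index.jsp"})

# Constructed sample access log (Combined Log Format) for demonstration only.
SAMPLE_LOG = """\
198.51.100.7 - - [22/Apr/2025:09:12:44 +0000] "GET /irj/portal HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
198.51.100.7 - - [22/Apr/2025:09:12:50 +0000] "GET /irj/go/km/docs/index.jsp HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
203.0.113.5 - - [22/Apr/2025:09:13:02 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 312 "-" "python-requests/2.31"
203.0.113.5 - - [22/Apr/2025:09:13:09 +0000] "GET /irj/helper.jsp HTTP/1.1" 200 87 "-" "python-requests/2.31"
198.51.100.7 - - [22/Apr/2025:09:20:15 +0000] "GET /irj/portal HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
203.0.113.9 - - [22/Apr/2025:11:41:50 +0000] "GET /irj/helper.jsp HTTP/1.1" 200 91 "-" "curl/8.4.0"
10.0.0.12 - - [22/Apr/2025:12:00:00 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 401 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


@dataclass
class LogEntry:
    ip: str
    ts: datetime
    method: str
    path: str      # request path with the query string removed
    status: int


@dataclass
class Finding:
    severity: str  # "high" or "medium"
    kind: str      # "metadatauploader_access" or "unexpected_jsp_request"
    entry: LogEntry


def parse_line(line):
    """Parse one Combined Log Format line; return None for lines that don't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("path").split("?", 1)[0]
    return LogEntry(m.group("ip"), ts, m.group("method"), path, int(m.group("status")))


def scan_access_log(lines, baseline_jsp=BASELINE_JSP):
    """Flag requests to the metadata uploader and requests to JSPs outside the baseline.

    A successful POST to the uploader is treated as a possible upload; any later
    request to a non-baseline JSP under /irj/ is then rated high, since that is
    the pattern of a dropped web shell being invoked.
    """
    findings = []
    successful_uploads = []
    for raw in lines:
        entry = parse_line(raw)
        if entry is None:
            continue
        path = entry.path.lower()
        if path == UPLOADER_PATH:
            is_upload = entry.method == "POST" and entry.status == 200
            findings.append(Finding("high" if is_upload else "medium",
                                    "metadatauploader_access", entry))
            if is_upload:
                successful_uploads.append(entry)
        elif path.startswith("/irj/") and path.endswith(".jsp") and entry.path not in baseline_jsp:
            after_upload = any(u.ts <= entry.ts for u in successful_uploads)
            findings.append(Finding("high" if after_upload else "medium",
                                    "unexpected_jsp_request", entry))
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG.splitlines()):
        e = f.entry
        print(f"[{f.severity:6}] {f.kind:24} {e.ts.isoformat()} {e.ip} {e.method} {e.path} {e.status}")
```

Run against a real log, the baseline matters more than the regex: without it every JSP under /irj/ is reported, so populate it from a host that was patched before exposure rather than from the system under investigation. A hit on the uploader path returning 200 to an unauthenticated client is itself enough to justify the containment steps in SAP Note 3596125, independent of whether a follow-up JSP request is visible.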
Original article: SAP NetWeaver customers urged to deploy patch for critical zero-day vulnerability | CSO Online