SAP has released emergency patches for a critical zero-day vulnerability in NetWeaver. The flaw allows malicious files to be uploaded to the system without authentication, which can lead to full takeover of the affected server. SAP denies that any customers have been affected; two independent security teams say otherwise.
The vulnerability has been designated CVE-2025-31324 and carries the maximum CVSS v3 score of 10.0. The flaw is located in the Metadata Uploader component of SAP NetWeaver Visual Composer. Attackers can exploit it to upload arbitrary files, including executable binaries and JSP webshells, without any login credentials. The end result: remote code execution and takeover of the server.
Although SAP’s own bulletin is not publicly accessible, security company ReliaQuest reported last week that an actively exploited vulnerability had been discovered in the ‘/developmentserver/metadatauploader’ endpoint of SAP NetWeaver Visual Composer – which corresponds to CVE-2025-31324.
Attack method and impact
According to ReliaQuest, quoted by BleepingComputer, multiple customers have been compromised via unauthorized file uploads to SAP NetWeaver. The attackers placed JSP webshells in publicly accessible directories, enabling remote code execution via simple GET requests to these JSP files. This allowed the attackers to execute commands from the browser and perform various file management tasks. With additional tooling deployed after the initial foothold, the attackers were able to extend their access and cause further damage while staying undetected.
ReliaQuest emphasized in their report that no authentication was required for exploitation. The compromised systems were also fully patched at the time, which indicates that this was a zero-day vulnerability. Security company watchTowr also confirmed active exploitation. This raises the question of whether SAP's position rests on confirmation from customers who may not yet be aware that they have been affected.
Protection against attacks
Applying the latest patch is strongly recommended. This security fix was released after SAP’s regular April 2025 update, which means that systems updated earlier this month are still vulnerable to CVE-2025-31324.
In addition, this emergency update also contains fixes for two other critical vulnerabilities: CVE-2025-27429 (code injection in SAP S/4HANA) and CVE-2025-31330 (code injection in SAP Landscape Transformation).
Mitigations are recommended for organizations that are unable to apply the updates immediately. For example, access to the /developmentserver/metadatauploader endpoint should be restricted, Visual Composer should be disabled if it is not needed, and logs should be forwarded to a SIEM so that suspicious activity can be detected.
ReliaQuest recommends performing a thorough environment scan to locate and remove suspicious files before applying these mitigation measures. After all, they are of little use if an attacker has entered undetected and moved laterally through the IT environment.
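To make the detection and scanning advice above concrete, here is an added example (not code from SAP, ReliaQuest or BleepingComputer) covering both the attack pattern described earlier (POST upload to the Metadata Uploader endpoint followed by GET requests to a dropped JSP file) and the environment scan recommended here. It assumes HTTP access logs in Apache combined log format, for instance from a reverse proxy in front of NetWeaver; the sample log lines, IP addresses, the file name helper.jsp and the scan root /usr/sap are constructed for illustration and are not taken from any published report.

```python
"""Hunt for signs of CVE-2025-31324 exploitation.

Added example, not code from SAP or ReliaQuest.  Assumes access logs in
Apache combined log format (e.g. from a reverse proxy in front of
NetWeaver); field positions differ for other log formats.
"""
import os
import re
import time
from dataclasses import dataclass, field

UPLOADER = "/developmentserver/metadatauploader"

# Combined log format:
#   host ident user [time] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Assumed content indicators for a JSP webshell (command execution primitives).
SHELL_PATTERNS = [
    re.compile(p)
    for p in (
        r"Runtime\.getRuntime\(\)\.exec",
        r"ProcessBuilder\(",
        r"request\.getParameter\([^)]*\).*exec",
    )
]

# Constructed sample log (documentation IP ranges, hypothetical JSP name).
SAMPLE_LOG = """\
203.0.113.7 - - [22/Apr/2025:10:01:12 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [22/Apr/2025:10:01:15 +0000] "GET /irj/helper.jsp?cmd=whoami HTTP/1.1" 200 230 "-" "python-requests/2.31"
198.51.100.4 - - [22/Apr/2025:10:05:40 +0000] "GET /irj/portal HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
"""


@dataclass
class Findings:
    uploads: list = field(default_factory=list)   # (ip, path, status) POSTs to the uploader
    jsp_hits: list = field(default_factory=list)  # (ip, path, status) GETs to .jsp files
    suspects: set = field(default_factory=set)    # IPs that uploaded successfully and then hit a JSP


def analyze_access_log(lines):
    """Flag uploader POSTs, JSP GETs, and clients that did both in order."""
    f = Findings()
    uploaders = set()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        ip, method, status = m["ip"], m["method"], m["status"]
        path = m["path"].split("?")[0]  # drop query string (e.g. ?cmd=...)
        if method == "POST" and path.lower().startswith(UPLOADER):
            f.uploads.append((ip, path, status))
            if status.startswith("2"):
                uploaders.add(ip)
        elif method == "GET" and path.lower().endswith(".jsp"):
            f.jsp_hits.append((ip, path, status))
            if ip in uploaders:
                f.suspects.add(ip)
    return f


def scan_for_jsp_webshells(root, newer_than_epoch):
    """Return JSP files under `root` modified after the cutoff that contain
    a webshell indicator.  Unreadable files are skipped, not reported."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(".jsp"):
                continue
            full = os.path.join(dirpath, name)
            try:
                if os.path.getmtime(full) < newer_than_epoch:
                    continue
                with open(full, "r", errors="ignore") as fh:
                    body = fh.read()
            except OSError:
                continue
            if any(p.search(body) for p in SHELL_PATTERNS):
                hits.append(full)
    return sorted(hits)


if __name__ == "__main__":
    res = analyze_access_log(SAMPLE_LOG.splitlines())
    print("uploader POSTs:", res.uploads)
    print("JSP GETs:", res.jsp_hits)
    print("clients that uploaded then hit a JSP:", res.suspects)
    # Hypothetical NetWeaver root; look at JSPs touched in the last 30 days.
    cutoff = time.time() - 30 * 86400
    for path in scan_for_jsp_webshells("/usr/sap", cutoff):
        print("possible webshell:", path)
```

The correlation on source IP is deliberately conservative: an attacker may upload from one address and call the shell from another, so every entry in `jsp_hits` in a directory where no JSP should have appeared deserves a look, not only the ones in `suspects`. The on-disk scan is the more reliable signal; run it against the web-accessible directories of each Java instance and review any hit by hand before cleaning up, as the text advises.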
Conflicting reports
A spokesperson for SAP disputed in a statement to BleepingComputer that CVE-2025-31324 has been successfully exploited in actual attacks.
“SAP was notified of a vulnerability in SAP NETWEAVER Visual Composer that could allow unauthenticated and unauthorized code execution in certain Java Servlets,” the SAP spokesperson stated.
“SAP is not aware of any SAP customer data or systems being impacted by these vulnerabilities. A workaround was released on April 8, 2025, and a patch is currently available. Customers are advised to apply the patch immediately.”
It is not uncommon for confusion to arise about the exact nature and impact of zero-day vulnerabilities. In 2023, researchers criticized the opacity of tech companies such as Apple and Google in reporting zero-days, which led to similar ambiguities for organizations trying to protect their systems.
For SAP administrators, the advice is clear: patching is the highest priority, regardless of the debate about whether the vulnerability is actively being exploited. The combination of a CVSS score of 10.0 and the potential impact makes immediate action necessary.