SAP Addresses Critical Vulnerability in NetWeaver Visual Composer
In a significant development, the German software giant SAP has disclosed and addressed a highly critical vulnerability in its NetWeaver Visual Composer development server. This announcement follows alarming evidence of exploitation occurring in the wild, prompting urgent action.
The NetWeaver Visual Composer serves as SAP’s robust web-based modeling tool designed to assist business process experts and developers in creating business application components without the need for manual coding. Its extensive functionality makes it a vital component in SAP’s ecosystem, used by countless organizations for application development.
The vulnerability in question, identified as CVE-2025-31324, pertains to an unauthenticated file upload vulnerability found within the Metadata Uploader component of SAP NetWeaver Visual Composer Framework version 7.50. According to SAP, this security flaw allows an attacker without authorization to upload potentially harmful executable binaries, which could lead to severe repercussions for the host system.
As indicated on the CVE.org page for CVE-2025-31324, the ramifications of this vulnerability could significantly compromise the confidentiality, integrity, and availability of targeted systems. Recognizing the gravity of the situation, SAP has allocated a maximum severity score of 10.0 on the Common Vulnerability Scoring System (CVSS v3.1), signaling the urgent need for remediation.
In response to this critical threat, SAP has released a fix through an emergency security update. However, the update is exclusively accessible to SAP customers, who are strongly urged to implement the new versions without delay to secure their systems.
Evidence of Exploitation
The roots of this vulnerability trace back to April 2025, when cybersecurity firm ReliaQuest identified it during an investigation of multiple customer incidents involving SAP NetWeaver. Their investigation revealed unauthorized file uploads and the execution of potentially malicious files, raising alarms about systemic vulnerabilities within the prevalent technology integration platform.
In an article published on April 22, ReliaQuest elaborated on its findings, revealing that attackers had managed to upload “JSP webshells” into publicly accessible directories. This technique closely resembles a remote file inclusion (RFI) vulnerability, further amplifying concerns about the security gaps in commonly used software. Significantly, several of the affected systems were already operating the latest SAP service pack and had applied the patches included in SAP’s routine monthly update released on April 8. This detail indicates that the systems had fallen victim to what is known as a zero-day exploit, meaning the vulnerability was actively being exploited before any known fixes were available.
The ReliaQuest report highlighted that SAP later confirmed the flaw as an unrestricted file upload vulnerability, clarifying that attackers could upload malicious files directly to the system without any form of authorization. This revelation has heightened scrutiny over the robustness of SAP’s security posture.
Additionally, ReliaQuest noted that the exploitation appears to be associated with previously disclosed vulnerabilities, such as CVE-2017-9844, or may stem from an undisclosed RFI issue. Attackers are suspected of employing sophisticated tools such as Brute Ratel and Heaven’s Gate not only to execute their malicious code but also to evade detection.
Upon being made aware of the vulnerabilities by ReliaQuest, SAP, which holds the status of a CVE Numbering Authority (CNA), acted promptly to make a public announcement about the vulnerability on April 24 and subsequently launched the necessary fix.
According to the insights shared by ReliaQuest, SAP’s platforms are especially appealing targets for threat actors for several reasons. For one, these solutions are frequently utilized by government entities, meaning a successful breach could grant access to sensitive government networks and information. Moreover, the on-premises deployment of many SAP systems places the onus of security measures on the end-users, which can lead to significant risks if updates and patches are not applied in a timely manner.
In summary, SAP’s revelation and immediate rectification of this critical vulnerability signals the company’s commitment to maintaining the integrity of its platforms. However, the urgency of the situation also serves as a reminder for all organizations utilizing SAP technologies to prioritize security and ensure prompt updates to mitigate risks associated with vulnerabilities.