Shadow Servers has recently uncovered a significant cybersecurity threat involving 454 vulnerable SAP NetWeaver systems. These systems are compromised by a critical zero-day flaw identified as CVE-2025-31324. This vulnerability has been actively exploited in the wild, posing a serious risk to organizations relying on SAP technologies. The nature of the flaw allows unauthenticated attackers to upload malicious files, potentially leading to a complete system compromise.
The flaw, rated with a maximum CVSS severity score of 10.0, specifically affects the Metadata Uploader component of SAP NetWeaver Visual Composer. This component is crucial for many business applications and has been a focus for attackers seeking to exploit weaknesses in enterprise systems. The discovery of this vulnerability occurred in April 2025 during an incident response by ReliaQuest security researchers, who noted that even fully patched SAP installations have found themselves under threat from this flaw.
At the heart of this vulnerability lies the “/developmentserver/metadatauploader” endpoint, which has been revealed to lack sufficient authorization checks. This critical oversight allows attackers to upload JSP webshells into publicly accessible directories, thereby enabling them to execute malicious commands on compromised systems. The vulnerability falls under the classification of CWE-434, which denotes the “Unrestricted Upload of File with Dangerous Type.” This designation underscores the severity of the flaw, given that it does not necessitate any form of authentication or user interaction, making it exceptionally perilous for organizations.
Threat actors exploiting this vulnerability have been observed employing sophisticated post-exploitation tools such as the Brute Ratel C4 framework. They also utilize evasion techniques, including what is termed “Heaven’s Gate,” to escape detection. Security experts note that the ramifications of exploiting this vulnerability can be severe. Once attackers gain access, they can deploy malware, maintain persistent access, and extract sensitive data from affected systems.
The SAP NetWeaver Visual Composer, which the vulnerability directly targets, is integral to an extensive number of enterprise applications. According to estimates by Onapsis, this component is present in 50-70% of Java systems employed across various industries. The extensive deployment of this component exacerbates the risk associated with the discovered flaw, threatening a wide range of organizations that utilize these systems for critical business operations.
In response to this alarming cybersecurity risk, SAP has acted promptly by releasing an emergency patch on April 24, 2025. This patch is detailed in Security Note 3594142 and is aimed at mitigating the vulnerabilities presented by CVE-2025-31324. Organizations are strongly advised to apply this patch without delay. Alternatively, SAP has also provided a temporary workaround described in SAP Note 3593336 for those unable to implement the patch immediately.
Organizations are encouraged to take proactive measures to verify if the vulnerable endpoint is accessible without authentication. Additionally, reviewing web server logs for unauthorized file uploads and monitoring outbound connections can further help identify potential exploitation attempts. Security professionals emphasize that this vulnerability should be prioritized, highlighting the critical need for timely patching and the enhancement of monitoring efforts to mitigate risks associated with this severe flaw.
The discovery of CVE-2025-31324 is a stark reminder of the ever-evolving landscape of cybersecurity threats, revealing just how critical it is for organizations to secure even the most fundamental system functions. Experts continue to stress the importance of a vigilant security posture, urging organizations to remain ahead of potential threats and safeguard their systems against malicious activities.
In conclusion, the identification of this zero-day vulnerability warrants immediate attention to secure SAP NetWeaver systems. With the possibility of complete system compromise at stake, organizations must prioritize swift action to protect their infrastructures. Ensuring the implementation of security patches and adopting comprehensive monitoring strategies will be instrumental in mitigating the risks associated with exploiting this newfound vulnerability.