
SAP NetWeaver Vulnerability Scores 10.0 Severity as Hackers Utilize Web Shells


Critical Vulnerability Exposed in SAP NetWeaver Visual Composer: Immediate Action Required

A recently identified vulnerability, tracked as CVE-2025-31324, has emerged as a significant threat within SAP NetWeaver’s Visual Composer development server. The flaw has been rated 10.0, the maximum severity score, indicating the potential for complete system compromise, as detailed in a report by Onapsis Threat Intelligence. The vulnerability arises from a failure to implement the checks that would confirm user permissions, making it a pressing concern for organizations relying on this software.

Research indicates that the flaw is present in an estimated 50% to 70% of all existing SAP NetWeaver Application Server Java systems, even though the component is not installed by default. This wide exposure is particularly concerning given the critical role that SAP technologies play in enterprise environments across various sectors.

The vulnerability, first reported by cybersecurity firm ReliaQuest, is located in the development server component of SAP Visual Composer, which is part of SAP NetWeaver 7.xx. This component is designed for building business tools without detailed coding knowledge. However, the system fails to enforce proper authentication and authorization checks, so unauthenticated users can reach crucial functionality through the Metadata Uploader feature.

On April 22nd, ReliaQuest documented unusual activities on certain patched SAP NetWeaver servers, raising alarms that attackers might be leveraging an alternative, unidentified security flaw. Coinciding with this observation, SAP acknowledged in their knowledge base that unusual files were being discovered within SAP NetWeaver Java systems. The company’s response included the release of specific guidance pointing to potentially malicious files with extensions such as ‘.jsp’, ‘.java’, or ‘.class’ found in particular directories, namely …\irj\root, …\irj\work, and …\irj\work\sync.

On April 24th, SAP formally announced CVE-2025-31324, attributing it to a lack of authorization checks in the Visual Composer development server. The company confirmed that this weakness enables unauthorized individuals to upload harmful executable files, underscoring the gravity of the situation. SAP also released an out-of-band emergency update for NetWeaver systems to address the flaw.

The implications of this vulnerability are alarming; it is categorized as both Missing Authorization (CWE-862) and Missing Authentication for Critical Functions (CWE-306). If exploited, it poses a significant risk of total control over a compromised system, justifying its extreme severity rating. The vulnerability can be exploited remotely over HTTP and HTTPS. Attackers are specifically targeting the URL path /developmentserver/metadatauploader, sending tailored requests that facilitate the upload of unauthorized files without the need for credentials.
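For defenders reviewing web access logs, the following added example (not from the article, SAP, or the vendors it quotes) flags every request to the uploader path and groups the hits by client address. It assumes Common Log Format lines; the sample lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

TARGET = "/developmentserver/metadatauploader"  # path named in the article

# Assumption: Common Log Format lines; adapt the regex to your own access log.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" (?P<status>\d{3})\b'
)

def normalise(uri):
    """Drop the query string, decode %-escapes, collapse slashes, lowercase."""
    path = unquote(uri.split("?", 1)[0])
    return re.sub(r"/{2,}", "/", path).lower().rstrip("/")

def find_uploader_hits(lines):
    """Return {client_ip: [(timestamp, method, status, raw_uri), ...]}."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        # Matching is deliberately broad: any method, any status, any casing.
        if m and normalise(m["uri"]) == TARGET:
            hits[m["ip"]].append((m["ts"], m["method"], int(m["status"]), m["uri"]))
    return dict(hits)

# Constructed sample lines using documentation address ranges, not real traffic.
SAMPLE = [
    '203.0.113.7 - - [22/Apr/2025:10:01:02 +0000] "POST /developmentserver/metadatauploader?a=b HTTP/1.1" 200 512',
    '198.51.100.20 - - [22/Apr/2025:10:05:40 +0000] "POST /DevelopmentServer//%6Detadatauploader HTTP/1.1" 401 0',
    '192.0.2.5 - - [22/Apr/2025:10:06:11 +0000] "GET /irj/portal HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for ip, events in find_uploader_hits(SAMPLE).items():
        for ts, method, status, uri in events:
            print(f"{ip} {ts} {method} {status} {uri}")
```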

Security experts have reported that attackers are already using web shell files named “helper.jsp” or “cache.jsp.” These web shells allow attackers to execute commands with elevated permissions, effectively granting them complete control over the SAP systems. As Juan Perez-Etchegoyen, the Chief Technology Officer at Onapsis, stated, “Threat actors have been observed uploading web shells to vulnerable systems. These web shells allow the threat actor to execute arbitrary commands in the system context, with the privileges of the adm Operating System user, giving them full access to all SAP resources.”
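The file indicators above (the three extensions in SAP's guidance, the three irj directories, and the two reported web shell names) can be swept with a short script. This is an added example, not SAP's or Onapsis's tooling; the function name is hypothetical, and because the article truncates the directory prefix, the path to the irj directory is passed in as an argument.

```python
import hashlib
import os
from datetime import datetime, timezone

SUSPECT_EXT = {".jsp", ".java", ".class"}    # extensions from SAP's guidance
KNOWN_SHELLS = {"helper.jsp", "cache.jsp"}   # names reported in the article
SUBDIRS = ("root", "work", os.path.join("work", "sync"))  # under ...\irj

def sweep_irj(irj_dir):
    """List suspect files directly inside irj/root, irj/work and irj/work/sync."""
    findings = []
    for sub in SUBDIRS:
        folder = os.path.join(irj_dir, sub)
        if not os.path.isdir(folder):
            continue  # directory absent on this host
        with os.scandir(folder) as entries:  # non-recursive on purpose
            for entry in entries:
                ext = os.path.splitext(entry.name)[1].lower()
                if not entry.is_file(follow_symlinks=False) or ext not in SUSPECT_EXT:
                    continue
                with open(entry.path, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
                mtime = datetime.fromtimestamp(entry.stat().st_mtime, tz=timezone.utc)
                findings.append({
                    "path": entry.path,
                    "known_webshell_name": entry.name.lower() in KNOWN_SHELLS,
                    "modified_utc": mtime.isoformat(timespec="seconds"),
                    "sha256": digest,
                })
    # Files carrying a reported web shell name sort first, then by path.
    return sorted(findings, key=lambda f: (not f["known_webshell_name"], f["path"]))

if __name__ == "__main__":
    import sys
    for finding in sweep_irj(sys.argv[1]):
        print(finding)
```

Every result is a candidate for review rather than proof of compromise; the modification time and hash are there to support timeline work and comparison against known-good files.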

In light of the situation, SAP is urging its customers to perform immediate risk assessments to determine whether their Java systems are affected. They advise checking the presence and version of the VCFRAMEWORK component—particularly if it is older than 7.5 or specifically 7.0 with a support package below 16—as the vulnerable component may not be included in the basic Java stack or default Solution Manager installations. The only effective strategy to mitigate risk is to implement SAP’s official fix swiftly.

Benjamin Harris, the CEO of Attack Surface Management firm watchTowr, echoed the urgency of the situation, explicitly warning that attackers are actively exploiting this vulnerability to upload arbitrary files, resulting in full system compromises. He stressed the immediacy of patching systems through SAP Security Note 3594142, exclaiming, “If you thought you had time, you don’t.” Harris emphasized the significant capabilities of their detection platform, which has allowed their clients to be alerted to exposures within a mere 12 hours.

Organizations utilizing SAP NetWeaver technologies are urged to take swift action to protect their systems, as this critical vulnerability presents a clear and present danger that cannot be overlooked. Swift assessment and timely patching are essential components in mitigating the exploits associated with CVE-2025-31324.
