Securing SaaS & Web App Workflows
Unauthenticated Hackers Exploit CVE-2025-31324 to Upload Webshells

Recent cybersecurity developments have brought to light an urgent threat as nefarious actors take advantage of a critical zero-day vulnerability in a partially deprecated SAP tool, widely utilized by various government entities and businesses across the globe. This vulnerability, identified as CVE-2025-31324, poses a significant risk, enabling attackers to execute potentially harmful payloads through web-based interfaces.
The flaw specifically affects SAP Visual Composer, a tool employed in creating both transactional and analytical applications. Security experts rate this vulnerability with a maximum severity score of 10, indicating its critical nature. Unauthenticated users can exploit this flaw to upload webshells—malicious scripts that grant unauthorized control of the systems. Such breaches can have dire implications for organizations relying on this tool for mission-critical operations.
On April 28, 2025, SAP’s security team communicated that CVE-2025-31324 is currently “actively exploited in the wild.” A critical point emphasized by SAP is that the vulnerability allows any unauthorized individual—including unauthenticated threat actors—to engage with the compromised component, making it alarming for many businesses and institutions that may not have implemented adequate security measures.
Though certain versions of Visual Composer were deprecated back in 2015, SAP has extended support for version 7.5 until 2030. This extended maintenance gives organizations that have not yet migrated to newer software more time, but it also means the vulnerability persists in systems still reliant on these outdated tools.
The exploitation of this flaw is particularly concerning, as it is reported to specifically impact the “development server” component within SAP Visual Composer, which is part of SAP NetWeaver 7.xx systems. This server is intended to let users build business components without coding expertise. As a result, many users may have left this functionality enabled, thereby widening the attack surface for potential intruders.
Attackers can exploit the vulnerability by sending POST requests to the /developmentserver/metadatauploader URL, thereby gaining the ability to upload dangerous code files, typically webshells. The security team at SAP has noted filenames like ‘helper.jsp’ and ‘cache.jsp’ being commonly observed among these malicious uploads, indicating a systematic approach by hackers to exploit the weaknesses in this tool.
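A defender-side illustration of the pattern described above, added here as an example rather than anything from the advisory or SAP: it scans web-server access logs for POSTs to the upload endpoint and for follow-up GETs to .jsp files, escalating when both come from the same source. The log lines are constructed, and the /irj/ directory in which the .jsp files appear is an assumption, not a location the advisory gives.

```python
import re

# Constructed sample access-log lines (Combined Log Format); not real traffic.
# The /irj/ directory for the .jsp hits is an assumption, not a path from the advisory.
SAMPLE_LOG = """\
203.0.113.7 - - [28/Apr/2025:10:01:02 +0000] "GET /irj/portal HTTP/1.1" 200 5120
203.0.113.7 - - [28/Apr/2025:10:01:09 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 312
203.0.113.7 - - [28/Apr/2025:10:01:15 +0000] "GET /irj/helper.jsp HTTP/1.1" 200 88
198.51.100.4 - - [28/Apr/2025:10:02:00 +0000] "GET /irj/cache.jsp HTTP/1.1" 200 64
192.0.2.9 - - [28/Apr/2025:10:03:00 +0000] "GET /irj/report.jsp HTTP/1.1" 200 64
"""

UPLOAD_ENDPOINT = "/developmentserver/metadatauploader"
# Webshell filenames SAP reported observing in these uploads.
KNOWN_SHELLS = {"helper.jsp", "cache.jsp"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def detect(log_text):
    """Return (severity, ip, path) findings for activity matching the CVE-2025-31324 pattern."""
    findings = []
    uploaders = set()  # sources that have hit the unauthenticated upload endpoint
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, method, path = m["ip"], m["method"], m["path"].split("?")[0]
        if method == "POST" and path == UPLOAD_ENDPOINT:
            # With Visual Composer disabled, no POST should reach this endpoint at all.
            uploaders.add(ip)
            findings.append(("high", ip, path))
        elif method == "GET" and path.lower().endswith(".jsp"):
            name = path.rsplit("/", 1)[-1].lower()
            if ip in uploaders:
                # Upload followed by a JSP fetch from the same source: likely webshell use.
                findings.append(("critical", ip, path))
            elif name in KNOWN_SHELLS:
                findings.append(("high", ip, path))
            # Other .jsp requests (e.g. report.jsp) are left alone to limit false positives.
    return findings


if __name__ == "__main__":
    for severity, ip, path in detect(SAMPLE_LOG):
        print(f"{severity:8} {ip:15} {path}")
```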
In a report released over the weekend, internet monitoring group Shadowserver Foundation disclosed that at least 454 IP addresses across the globe are currently vulnerable, with a significant concentration located within the United States. This information underscores the gravity of the situation and should alert organizations that may be unaware of their exposure.
Furthermore, security firm ReliaQuest has been closely monitoring incidents involving the exploitation of the vulnerability. They documented multiple instances where attackers uploaded ‘JSP webshells’ to gain access to sensitive systems and execute harmful actions. An analysis of these incidents revealed that the objective behind introducing such a webshell was to issue GET requests that would trigger arbitrary command execution, further escalating their control within the targeted environments.
Additionally, it was observed that these attackers employed the pen testing tool Brute Ratel to deploy and decrypt malicious payloads aimed at escalating privileges, stealing credentials, and ensuring persistence within the compromised systems. ReliaQuest analysts also posited that the attackers’ access likely stemmed from credentials procured through initial access brokers, raising alarms over the overall integrity of SAP systems.
Given the severity of this situation, security experts recommend that organizations take immediate action to disable Visual Composer entirely. Additionally, they advise disabling or restricting access to the development server, further mitigating potential exploitation avenues. The ramifications of neglecting these recommendations could be dire, leading to system breaches, data theft, and significant financial losses.