Critical SAP NetWeaver Zero-Day Vulnerability: What Your Houston Business Needs to Know
A critical zero-day vulnerability in SAP NetWeaver Visual Composer has been actively exploited in the wild, potentially affecting thousands of organizations worldwide. This vulnerability, tracked as CVE-2025-31324, has received the highest possible CVSS score of 10.0, indicating maximum severity. Organizations using SAP NetWeaver systems should take immediate action to protect their critical business assets.
What is the Vulnerability?
CVE-2025-31324 is an unauthenticated file upload vulnerability affecting the Metadata Uploader component of SAP NetWeaver Visual Composer. This security flaw stems from a missing authorization check that allows attackers to upload malicious executable files without requiring authentication. Once exploited, this vulnerability grants attackers:
Remote code execution capabilities
Full system compromise
Access to sensitive business data
The ability to deploy malware, including webshells
Potential lateral movement throughout organizational networks
Severity of the Issue
With the maximum CVSS score of 10.0, this vulnerability represents the most critical level of security risk. Security researchers from multiple firms, including ReliaQuest, Onapsis, and watchTowr, have confirmed active exploitation in the wild. What makes this vulnerability particularly dangerous is:
No authentication required for exploitation
Simple attack vectors through HTTP requests
Potential for complete system compromise
Affects an estimated 50-70% of internet-facing SAP NetWeaver systems
How is it Being Exploited?
Threat actors are exploiting this vulnerability by:
Targeting the /developmentserver/metadatauploader endpoint
Uploading malicious JSP-based web shells to the system
Using these web shells to execute remote code, upload additional files, and establish communications with command and control (C2) servers
In some cases, deploying advanced post-exploitation frameworks like Brute Ratel C4
Security researchers have observed attackers using techniques like Heaven’s Gate to bypass endpoint protection mechanisms, suggesting sophisticated threat actors behind these attacks.
Who is Behind the Attacks?
While no specific threat group has been publicly attributed to these attacks, security experts believe the activity is likely tied to initial access brokers – specialized threat actors who compromise systems and then sell this access to other cybercriminals or ransomware gangs. The sophistication of the attacks and the selective targeting of high-value SAP systems indicate organized threat actors with specific objectives.
Who is at Risk?
Organizations using SAP NetWeaver systems with the Visual Composer component enabled are at risk. This includes:
Manufacturing companies
Healthcare organizations
Financial services firms
Critical infrastructure operators
Government agencies
Any enterprise relying on SAP for business processes
SAP NetWeaver is widely used across various industries for enterprise resource planning (ERP) and other critical business functions. While the Visual Composer component is not installed by default, security researchers estimate that between 50% and 70% of internet-facing SAP NetWeaver systems have this component enabled.
Remediation Steps
SAP has released an emergency out-of-band patch to address this vulnerability. Organizations should:
Apply the patch immediately: Install SAP Security Note #3594142
Implement temporary mitigations if patching isn’t possible:
Restrict access to the /developmentserver/metadatauploader endpoint
If Visual Composer is not in use, consider disabling it entirely
Forward logs to SIEM and scan for unauthorized files
Review logs for suspicious activities
Check for indicators of compromise:
Scan for suspicious JSP files in servlet paths
Look for unusual network connections
Monitor for unexpected system behavior
Engage incident response if compromise is suspected
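One way to carry out the log review and JSP file scan listed above, as an added example that is not SAP or CinchOps code. It assumes a Common Log Format style HTTP access log and a servlet directory you pass in yourself; the function names, sample lines, and IP addresses are constructed for illustration.

```python
import re
from collections import defaultdict
from pathlib import Path

ENDPOINT = "/developmentserver/metadatauploader"  # endpoint named in the article

# Assumed log layout (Common Log Format style); adapt the regex to your access log.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" (?P<status>\d{3})'
)

def triage_access_log(lines):
    """Group requests to the uploader endpoint by client IP and rank them."""
    findings = defaultdict(lambda: {"probe": 0, "upload_attempt": 0, "upload_accepted": 0})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        path = m["uri"].split("?", 1)[0].lower()  # drop query; match case-insensitively
        if not path.startswith(ENDPOINT):
            continue
        if m["method"] != "POST":
            kind = "probe"             # endpoint touched without an upload
        elif m["status"].startswith("2"):
            kind = "upload_accepted"   # POST answered 2xx: treat as an incident
        else:
            kind = "upload_attempt"    # POST that was blocked or failed
        findings[m["ip"]][kind] += 1
    return dict(findings)

def find_script_files(root, since_epoch, suffixes=(".jsp", ".jspx")):
    """List JSP-type files under root modified at or after since_epoch."""
    return sorted(
        str(p) for p in Path(root).rglob("*")
        if p.is_file() and p.suffix.lower() in suffixes and p.stat().st_mtime >= since_epoch
    )

# Constructed sample lines using documentation IP ranges, not real telemetry.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2025:10:01:02 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 405 0',
    '198.51.100.7 - - [01/Jan/2025:10:01:09 +0000] "POST /developmentserver/metadatauploader?q=constructed HTTP/1.1" 200 12',
    '203.0.113.20 - - [01/Jan/2025:11:15:40 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 403 0',
    '192.0.2.15 - - [01/Jan/2025:11:16:00 +0000] "GET /index.html HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for ip, counts in triage_access_log(SAMPLE_LOG).items():
        print(ip, counts)
```

Any client with a non-zero `upload_accepted` count is the starting point for the file scan: call `find_script_files` on your servlet directory with a timestamp shortly before that request and review every file it returns.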
How CinchOps Can Help Secure Your Business
At CinchOps, we understand the critical nature of SAP systems to your business operations. Our cybersecurity experts can help you:
Assess vulnerability: Quickly determine if your SAP systems are affected
Implement patches: Safely apply emergency patches with minimal disruption
Deploy mitigations: If immediate patching isn’t possible, we can help implement effective mitigations
Scan for compromise: Perform thorough investigations to determine if systems have already been breached
Enhance security posture: Develop long-term strategies to protect your SAP environment
Don’t leave your critical SAP systems exposed to this dangerous vulnerability. Contact CinchOps today for professional cybersecurity support that ensures your business operations remain secure and uninterrupted.