
SAP Patches CVE-2025-31324 Zero-Day: Critical NetWeaver Vulnerability Actively Exploited

SAP has released an out-of-band patch for CVE-2025-31324, a critical zero-day vulnerability in SAP NetWeaver Visual Composer, following reports of active exploitation. The flaw allows unauthenticated attackers to upload arbitrary files, resulting in full system compromise. Organizations running affected SAP NetWeaver Java systems should patch immediately. [1, 2]

Key Takeaways

  • CVE-2025-31324 is a critical, unauthenticated file upload vulnerability (CVSS 10.0) [3] in SAP NetWeaver Visual Composer's Metadata Uploader component.
  • The vulnerability allows remote attackers to upload webshells and execute arbitrary code with system privileges.
  • Active exploitation was observed in April 2025, with attackers targeting Internet-facing SAP systems.
  • SAP released an emergency patch (Security Note #3594142) on April 24, 2025; prior monthly patches do not address this flaw.
  • All organizations using SAP NetWeaver Visual Composer are strongly urged to patch immediately and check for signs of compromise.

Vulnerability Details

CVE-2025-31324 affects the Metadata Uploader component of SAP NetWeaver Visual Composer (Java stack, all SPS). The flaw is due to missing authentication and authorization checks on the /developmentserver/metadatauploader endpoint, allowing unauthenticated attackers to upload arbitrary files (e.g., webshells) to the server. Exploitation can lead to full system compromise, impacting confidentiality, integrity, and availability. [2, 4, 3]

Exploitation Timeline

  • April 22, 2025: ReliaQuest and other security firms report active exploitation and share technical details with SAP.
  • April 24, 2025: SAP releases Security Note #3594142, assigning CVE-2025-31324 and providing an emergency patch.
  • April 26, 2025: Onapsis and Tenable confirm widespread exploitation and urge immediate patching.

Impact and Business Risk

  • Attackers can upload and execute arbitrary code, leading to full takeover of SAP systems.
  • Webshells observed in the wild (e.g., helper.jsp, cache.jsp) grant attackers persistent access and control.
  • Exploitation can result in data theft, operational disruption, and further lateral movement within enterprise networks.

Indicators of Compromise (IOCs)

  • Presence of .jsp, .java, or .class files in:
    • /usr/sap/<SID>/<InstanceID>/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root
    • /usr/sap/<SID>/<InstanceID>/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/work
    • /usr/sap/<SID>/<InstanceID>/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/work/sync
  • Known webshell hashes:
    • helper.jsp: 1f72bd2643995fab4ecf7150b6367fa1b3fab17afd2abed30a98f075e4913087
    • cache.jsp: 794cb0a92f51e1387a6b316b8b5ff83d33a51ecf9bf7cc8e88a619ecb64f1dcf
  • Review SAP KBA 3596125 for additional detection and response guidance.
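
One way to run the file check described above, as an added example that is not from SAP or from the original article: it looks for .jsp, .java and .class files directly inside the three listed directories and compares each file's SHA-256 with the two hashes above. The function names and the instance-root argument (your /usr/sap/<SID>/<InstanceID> path) are assumptions of this example.

```python
import hashlib
import sys
from pathlib import Path

# SHA-256 values exactly as listed in the IOC section of this article.
KNOWN_WEBSHELLS = {
    "1f72bd2643995fab4ecf7150b6367fa1b3fab17afd2abed30a98f075e4913087": "helper.jsp",
    "794cb0a92f51e1387a6b316b8b5ff83d33a51ecf9bf7cc8e88a619ecb64f1dcf": "cache.jsp",
}
# Directories from the article, relative to /usr/sap/<SID>/<InstanceID>.
IRJ = "j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj"
IOC_DIRS = (f"{IRJ}/root", f"{IRJ}/work", f"{IRJ}/work/sync")
SUSPECT_EXT = {".jsp", ".java", ".class"}


def sha256_file(path, chunk=1 << 20):
    # Hash in chunks so large files are not read into memory at once.
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_instance(instance_root, known=KNOWN_WEBSHELLS):
    """Return one finding per suspect file directly inside each IOC directory."""
    findings = []
    for rel in IOC_DIRS:
        d = Path(instance_root) / rel
        if not d.is_dir():
            continue  # directory absent on this instance
        for f in sorted(d.iterdir()):
            if f.is_file() and f.suffix.lower() in SUSPECT_EXT:
                digest = sha256_file(f)
                findings.append({
                    "path": str(f),
                    "sha256": digest,
                    "mtime": f.stat().st_mtime,  # useful for timeline work
                    "known_webshell": known.get(digest),  # None: no hash match, still review
                })
    return findings


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: scan.py /usr/sap/<SID>/<InstanceID>")
    for item in scan_instance(sys.argv[1]):
        tag = item["known_webshell"] or "UNKNOWN-REVIEW"
        print(f'{tag}\t{item["sha256"]}\t{item["path"]}')
```

A file that matches neither hash is still reported, since the article treats the presence of any such file in these directories as an indicator.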

Mitigation and Recommendations

  • Apply SAP Security Note #3594142 immediately. Prior monthly patches do NOT address this zero-day.
  • If patching is not immediately possible, follow the workaround steps in SAP Note #3593336.
  • Review systems for IOCs and unauthorized files as described above.
  • Follow SAP’s incident response guidance if compromise is suspected.

Final Thoughts

This incident highlights the critical importance of timely patching and continuous monitoring of SAP environments. Organizations should prioritize patching, review their exposure, and monitor for further updates from SAP and trusted security partners.

Footnotes

  1. SAP Security Patch Day - April 2025

  2. Active Exploitation of SAP CVE-2025-31324 Zero-Day | Onapsis

  3. NVD - CVE-2025-31324

  4. CVE-2025-31324: Zero-Day Vulnerability in SAP NetWeaver Exploited in the Wild - Blog | Tenable®