A critical zero-day vulnerability in SAP NetWeaver, tracked as CVE-2025-31324 and assigned the maximum CVSS score of 10.0, has been discovered and is reportedly being exploited in the wild.
The flaw resides in the Metadata Uploader component of SAP NetWeaver Visual Composer and allows unauthenticated attackers to upload arbitrary files and then execute them, compromising the host system. It was discovered by researchers investigating breaches at multiple clients, including some whose SAP systems were fully patched at the time.
Threat actors have been observed exploiting the flaw by uploading JSP webshells through crafted POST requests and then invoking them with GET requests, gaining full control of the affected systems. The webshells, consistent in structure and functionality, were used to deploy additional payloads, execute further code, and move laterally within networks.
The Brute Ratel command-and-control framework and the Heaven's Gate evasion technique were also observed in these operations.
Notably, in some intrusions there was a gap of several days between the initial breach and follow-on malicious activity, suggesting that the perpetrators may be initial access brokers who sell the access to other threat actors. SAP has since released a patch for the vulnerability.
Source: SecurityWeek
Analysis
This vulnerability could have a significant impact because of both its severity and the critical systems it affects. Particularly alarming is that roughly 10,000 internet-exposed SAP instances could be affected, which dramatically widens the attack surface.
These systems often support essential business operations—such as finance, supply chain, and HR—making them prime targets for threat actors.
Evidence suggests this flaw is already being exploited in the wild, likely by initial access brokers who infiltrate enterprise networks and sell that access to other cybercriminals, including ransomware groups and espionage actors.
SAP vulnerabilities have been exploited in the past for a range of malicious purposes. One notable case was the RECON vulnerability (CVE-2020-6287), which enabled threat actors to take over SAP systems without authentication and was actively targeted soon after its disclosure. Such exploits have been used to exfiltrate sensitive data, commit financial fraud, plant ransomware, or establish long-term surveillance within compromised environments.
Given SAP's central role in many large organizations and in critical infrastructure, this new zero-day underscores the urgent need for patching, proactive threat hunting, and minimizing the exposure of SAP systems to the internet.
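The exploitation chain summarized above (an unauthenticated POST to the Metadata Uploader, then requests to a dropped JSP webshell, often from a different source after a multi-day gap) and the exposure concern raised in this analysis both lend themselves to a log hunt. The following is an added example, not code from the page, SecurityWeek, Field Effect or SAP. It parses SAP NetWeaver Java HTTP access logs in Common Log Format, pairs each JSP under the portal root with the most recent successful upload that preceded it, and reports the delay and whether the source changed. The uploader path /developmentserver/metadatauploader, the /irj/<name>.jsp drop location, the Common Log Format and the sample log lines are all assumptions or constructed inputs, not details taken from the page; confirm the paths against SAP's advisory and your own system layout before relying on them.

```python
"""Hunt for the CVE-2025-31324 exploitation chain in SAP NetWeaver Java HTTP access logs.

Added example, not code from the page, SecurityWeek, Field Effect or SAP.
Assumptions not stated on the page: the vulnerable endpoint is
/developmentserver/metadatauploader, dropped webshells are served as
/irj/<name>.jsp, and the log is in Common Log Format.  SAMPLE_LOG is constructed.
"""
import ipaddress
import re
from datetime import datetime

UPLOADER_PATH = "/developmentserver/metadatauploader"   # assumed endpoint
WEBSHELL_RE = re.compile(r"/irj/[^/]+\.jsp")            # assumed drop location
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Common Log Format: ip ident user [timestamp] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample: an upload on 25 Apr, first use of the dropped JSP by a
# different source three days later, normal portal traffic, and a failed
# internal POST after patching.
SAMPLE_LOG = """\
203.0.113.10 - - [25/Apr/2025:08:12:01 +0000] "GET /irj/portal HTTP/1.1" 200 5123
203.0.113.10 - - [25/Apr/2025:08:12:09 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 312
198.51.100.7 - - [28/Apr/2025:14:03:44 +0000] "GET /irj/helper.jsp?cmd=id HTTP/1.1" 200 88
198.51.100.7 - - [28/Apr/2025:14:05:02 +0000] "POST /irj/helper.jsp HTTP/1.1" 200 1024
192.0.2.55 - - [28/Apr/2025:14:10:00 +0000] "GET /irj/servlet/prt/portal/prtroot/com.sap.portal.navigation.portallauncher.default HTTP/1.1" 200 4096
10.20.30.40 - - [29/Apr/2025:09:00:00 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 401 0
"""


def parse_line(line):
    """Parse one CLF line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0].lower(),  # drop query string, normalise case
        "status": int(m["status"]),
    }


def parse_log(log_text):
    """All parseable events, oldest first."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    return sorted(events, key=lambda e: e["ts"])


def hunt(log_text):
    """Pair successful POSTs to the uploader with the first request to each JSP under /irj/."""
    uploads, first_touch = [], {}
    for ev in parse_log(log_text):
        if ev["method"] == "POST" and ev["path"] == UPLOADER_PATH and ev["status"] < 400:
            uploads.append(ev)
        elif WEBSHELL_RE.fullmatch(ev["path"]) and ev["path"] not in first_touch:
            first_touch[ev["path"]] = ev
    findings = []
    for path, hit in first_touch.items():
        prior = [u for u in uploads if u["ts"] <= hit["ts"]]
        if not prior:
            continue  # JSP under /irj/ with no preceding upload in this window: triage separately
        up = prior[-1]  # most recent successful upload before the first request to this JSP
        findings.append({
            "webshell": path,
            "uploader_ip": up["ip"],
            "first_hit_ip": hit["ip"],
            "delay_hours": round((hit["ts"] - up["ts"]).total_seconds() / 3600, 1),
            # a different source after a long gap fits the access-broker hand-off pattern
            "handoff_suspected": hit["ip"] != up["ip"],
        })
    return findings


def internet_sources(log_text):
    """Source IPs outside RFC 1918 space that reached the uploader at all, whatever the status.
    Anything here means the endpoint is internet-reachable, patched or not."""
    ips = set()
    for ev in parse_log(log_text):
        if ev["path"] == UPLOADER_PATH:
            addr = ipaddress.ip_address(ev["ip"])
            if not any(addr in net for net in INTERNAL_NETS):
                ips.add(ev["ip"])
    return ips


if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(finding)
    print("uploader reached from:", sorted(internet_sources(SAMPLE_LOG)))
```

Point it at the real access logs rather than the constructed sample. A successful POST to the uploader should be treated as a probable compromise to investigate, not merely a reason to patch, and a non-empty result from internet_sources shows the endpoint is reachable from outside regardless of patch state, which is the exposure this analysis recommends eliminating.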
Mitigation
Field Effect’s Security Intelligence professionals constantly monitor the cyber threat landscape for threats related to vulnerable software. Field Effect MDR users are automatically notified if vulnerable software is detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.
Field Effect highly recommends that organizations update SAP NetWeaver instances impacted by CVE-2025-31324 as soon as possible in accordance with SAP’s advisory.