SAP Zero-Day Bug Puts 10K Apps at Risk of Takeover

A newly uncovered SAP zero-day vulnerability may have already been weaponized by cybercriminals—potentially putting more than 10,000 SAP applications at risk worldwide.

Security researchers say the flaw, now tracked as CVE-2025-31324, received the highest severity rating possible: a CVSS score of 10 out of 10. The vulnerability lies in SAP NetWeaver’s Visual Composer Metadata Uploader and stems from a critical missing authorization check. According to the U.S. National Institute of Standards and Technology (NIST), this bug allows unauthenticated attackers to upload executable files to a server—opening the door for full system compromise.

SAP quietly updated its April 2025 Security Patch Day advisory to include a fix, but by then, attackers had already begun exploiting the flaw in the wild.

Discovered During Live Attacks

The vulnerability first came to light through an investigation by cybersecurity firm ReliaQuest, which was analyzing active breaches across multiple SAP customers. Intriguingly, these attacks occurred even on systems that had the latest patches installed.

At first, analysts thought the attackers were leveraging an older issue—CVE-2017-9844, a bug also related to the Metadata Uploader that allowed denial-of-service and code execution via crafted Java objects. But deeper analysis showed something new: attackers were using the uploader to plant malicious JSP webshells through forged POST requests and then trigger them via simple GET requests.

The goal? Complete remote control of the compromised SAP NetWeaver servers.

All deployed webshells shared a common origin. They were dropped in identical directories and featured similar functionality, borrowing heavily from open-source code found on GitHub for remote file uploads and execution.
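The two-step pattern described above (an unauthenticated POST to the uploader that drops a JSP file, followed by a plain GET to that file) leaves a recognizable trace in web server access logs. The following detector is an added example, not code from the article, ReliaQuest or SAP: it parses combined-format access log lines and flags any GET to a `.jsp` path that is not on a baseline allowlist and that arrives within a window after a POST to the uploader endpoint, from the same source or a different one. The endpoint path, the allowlist and the log lines are constructed placeholders; the log is assumed to be in chronological order.

```python
import re
from datetime import datetime

# ASSUMPTION: placeholder for the upload endpoint path; substitute the path
# used in your own environment.
UPLOAD_ENDPOINT = "/PLACEHOLDER/metadatauploader"

# Constructed baseline: JSP paths known to be legitimate on this host.
KNOWN_JSP_PATHS = {"/app/root/login.jsp"}

# Combined log format: ip ident user [ts] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '192.0.2.9 - - [25/Apr/2025:09:50:00 +0000] "GET /app/root/old.jsp HTTP/1.1" 404 0',
    '203.0.113.5 - - [25/Apr/2025:10:01:12 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.5 - - [25/Apr/2025:10:02:40 +0000] "POST /PLACEHOLDER/metadatauploader HTTP/1.1" 200 17',
    '203.0.113.5 - - [25/Apr/2025:10:03:05 +0000] "GET /app/root/cache.jsp HTTP/1.1" 200 221',
    '198.51.100.7 - - [25/Apr/2025:10:20:00 +0000] "GET /app/root/cache.jsp HTTP/1.1" 200 221',
    '198.51.100.7 - - [25/Apr/2025:11:30:00 +0000] "GET /app/root/login.jsp HTTP/1.1" 200 1024',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def strip_query(path):
    """Drop the query string so '/x.jsp?a=b' compares as '/x.jsp'."""
    return path.split("?", 1)[0]


def uploader_posts(lines):
    """Every POST to the uploader endpoint: on an internet-facing host this alone
    is worth reviewing, because the component should not be reachable unauthenticated."""
    posts = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and strip_query(rec["path"]) == UPLOAD_ENDPOINT:
            posts.append({"ip": rec["ip"], "time": rec["ts"].isoformat(), "status": rec["status"]})
    return posts


def find_webshell_sequences(lines, window_seconds=3600):
    """Flag GETs to non-baseline .jsp paths that follow an uploader POST within the window."""
    uploads = []  # (timestamp, source ip) of each POST to the uploader seen so far
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the scan
        path = strip_query(rec["path"])
        if rec["method"] == "POST" and path == UPLOAD_ENDPOINT:
            uploads.append((rec["ts"], rec["ip"]))
        elif rec["method"] == "GET" and path.lower().endswith(".jsp") and path not in KNOWN_JSP_PATHS:
            for up_ts, up_ip in uploads:
                delta = (rec["ts"] - up_ts).total_seconds()
                if 0 <= delta <= window_seconds:
                    hits.append({
                        "upload_ip": up_ip,
                        "upload_time": up_ts.isoformat(),
                        "get_ip": rec["ip"],
                        "jsp_path": path,
                        "seconds_after_upload": delta,
                    })
                    break  # one alert per GET is enough
    return hits


if __name__ == "__main__":
    for post in uploader_posts(SAMPLE_LOG):
        print("uploader POST:", post)
    for hit in find_webshell_sequences(SAMPLE_LOG):
        print("possible webshell trigger:", hit)
```

The GET to `old.jsp` at 09:50 is not flagged because no uploader POST precedes it, and `login.jsp` is skipped by the allowlist; the two GETs to `cache.jsp` are both flagged even though the second comes from a different address, which matters when access is handed off, as the article's broker hypothesis suggests. Matching on a baseline allowlist rather than on a fixed webshell name keeps the rule useful when the dropped file is renamed.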

Advanced Tools and Indicators of Broker Activity

Once attackers gained access, they didn’t stop at just planting backdoors. ReliaQuest found signs of post-exploitation activity, including the use of Brute Ratel, a stealthy command-and-control framework popular among advanced persistent threat actors. It was used to inject malicious code, escalate privileges, bypass endpoint defenses, steal credentials, and move laterally within networks.

Another tactic involved Heaven’s Gate, a sophisticated method to bypass in-memory security by shifting from 32-bit to 64-bit code execution. This technique makes detection much harder for traditional security tools.

Interestingly, the attackers didn’t rush. In one case, it took days between the initial breach and follow-up activity. That gap led researchers to suspect an initial access broker—a threat actor who gains access to networks only to sell it later to others.

Is This a Brand-New Zero-Day?

The original ReliaQuest report didn’t cite CVE-2025-31324 by name. But given the timing and tactics, experts now believe the vulnerability matches the one disclosed last Thursday.

ReliaQuest also emphasized that this appears to be a previously unknown remote file inclusion (RFI) flaw. What’s more alarming: affected servers were fully updated, meaning the vulnerability slipped through even the most recent patch cycle.

Enterprise security company Onapsis added that the bug might impact more than 10,000 internet-facing SAP instances. The broader risk? Attackers could gain total control over SAP systems that handle business-critical operations—exposing organizations to potential espionage, fraud, or sabotage.

Onapsis noted that while the vulnerable component isn’t always enabled by default, it’s still difficult to estimate how many production systems may be exposed. Both cloud-native deployments and RISE with SAP customers are believed to be vulnerable.

For now, companies running SAP NetWeaver should immediately apply the latest patches and investigate whether the Metadata Uploader component is active in their environment.