A critical security flaw in SAP NetWeaver’s Visual Composer component, identified as CVE-2025-31324, has been actively exploited by threat actors.
This vulnerability allows unauthenticated attackers to upload malicious files, leading to potential full system compromise. SAP has released a patch to address this issue, and organizations are urged to apply it immediately.
CVE-2025-31324 Technical Overview
The vulnerability resides in the /developmentserver/metadatauploader endpoint of SAP NetWeaver’s Visual Composer. Due to missing authorization checks, attackers can upload malicious JSP files without authentication. Once uploaded to the servlet_jsp/irj/root/ directory, these files can be executed remotely, granting attackers control over the system.
Exploitation in the Wild
Security firm ReliaQuest discovered that attackers are leveraging this SAP vulnerability to deploy JSP web shells, facilitating unauthorized file uploads and code execution. Advanced techniques, including the use of Brute Ratel and the Heaven’s Gate method, have been observed to maintain persistence and evade detection. In some cases, attackers have taken days to move from initial access to further exploitation, suggesting the involvement of initial access brokers.
Indicators of Compromise (IOCs)
- Unauthorized access attempts to the /developmentserver/metadatauploader path.
- Unexpected JSP files in the servlet_jsp/irj/root/ directory, such as helper.jsp and cache.jsp.
- Unusual outbound connections from SAP systems.
Mitigation Steps
- Apply the Patch: Implement SAP Security Note 3594142 to address CVE-2025-31324.
- Restrict Access: Limit access to the /developmentserver endpoint through firewall rules.
- Monitor Logs: Continuously monitor SAP NetWeaver logs for suspicious activity.
- Inspect for Web Shells: Regularly check the servlet_jsp/irj/root/ directory for unauthorized files.
- Disable Visual Composer: If not in use, consider disabling the Visual Composer component to reduce the attack surface.
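The following Python is an added defensive example, not code from the advisory, ReliaQuest or SAP. It turns the indicators listed above and the "Monitor Logs" and "Inspect for Web Shells" steps into two checks: one over an HTTP access log for requests to the upload endpoint, one over a file listing of the web root for JSP files missing from a known-good baseline. The Common Log Format layout, the baseline set and the sample inputs are assumptions made for the example.

```python
import re

# Added example (not from the advisory or SAP): flag requests to the vulnerable
# upload endpoint in an HTTP access log, and JSP files under the Visual Composer
# web root that are absent from a known-good baseline. Assumes Common Log Format;
# SAP ICM/J2EE access logs use a different layout, so adapt LOG_RE accordingly.
UPLOAD_ENDPOINT = "/developmentserver/metadatauploader"
KNOWN_BAD_JSP = {"helper.jsp", "cache.jsp"}  # names cited in the advisory

LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')


def scan_access_log(lines):
    """One dict per request to the upload endpoint. Any hit deserves a look;
    a POST answered with 200 is the strongest sign that an upload succeeded."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip rather than crash on odd input
        path = m.group("path").split("?", 1)[0].lower()
        if path.startswith(UPLOAD_ENDPOINT):
            status = int(m.group("status"))
            hits.append({"src": m.group("src"), "ts": m.group("ts"),
                         "method": m.group("method"), "status": status,
                         "likely_upload": m.group("method") == "POST" and status == 200})
    return hits


def find_unexpected_jsp(paths, baseline):
    """(path, is_known_bad_name) for each .jsp not in `baseline`, a set of
    file names recorded from a clean install of the same release."""
    findings = []
    for p in paths:
        name = p.rsplit("/", 1)[-1]
        if name.lower().endswith(".jsp") and name not in baseline:
            findings.append((p, name in KNOWN_BAD_JSP))
    return findings


# Constructed sample input, not real traffic or a real file listing.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/May/2025:10:00:01 +0000] "GET /irj/portal HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/May/2025:10:00:02 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 77',
    '198.51.100.7 - - [01/May/2025:10:00:09 +0000] "GET /irj/helper.jsp HTTP/1.1" 200 133',
    'not a log line',
]
SAMPLE_FILES = ["servlet_jsp/irj/root/index.jsp", "servlet_jsp/irj/root/helper.jsp",
                "servlet_jsp/irj/root/logo.png", "servlet_jsp/irj/root/tmp/zzz.jsp"]
BASELINE = {"index.jsp"}
```

Feed `scan_access_log` the real access log and `find_unexpected_jsp` an `os.walk` listing of the web root; a JSP that is neither in the baseline nor a name from the advisory still warrants review, since web shell names vary.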
Organizations using SAP NetWeaver should prioritize these mitigation steps to protect against potential exploitation of this critical vulnerability.