SAP disclosed a critical zero-day vulnerability, identified as CVE-2025-31324, in its NetWeaver Visual Composer component.
This vulnerability, with a maximum CVSSv3 severity score of 10.0, stems from a missing authorization check within the Metadata Uploader module of Visual Composer.
When exploited, it allows unauthenticated attackers to upload arbitrary malicious files via specially crafted POST requests to the endpoint /developmentserver/metadatauploader.
.png
)
Despite the vulnerable component not being part of the default NetWeaver installation, security researchers from SAP partner Onapsis have warned that Visual Composer is widely enabled across various enterprise deployments.
Visual Composer integrates deeply with SAP NetWeaver Portal, facilitating access to SAP Business Suite systems, SAP NetWeaver Business Warehouse, and third-party data services, making this flaw particularly dangerous.
Exploitation in the Wild
Security firm Rapid7’s team has observed active exploitation dating back to March 27, 2025.
The primary victims appear to be manufacturing companies, suggesting targeted attacks against this sector. Adversaries leverage the flaw to drop webshells-malicious scripts that provide persistent remote access-within the directory:
j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root/Threat intelligence reports highlight webshells named helper.jsp and cache.jsp, along with multiple others using randomized eight-character filenames such as:
- cglswdjp.jsp
- ijoatvey.jsp
- dkqgcoxe.jsp
- ylgxcsem.jsp
- cpyjljgo.jsp
- tgmzqnty.jsp
These webshells enable attackers to maintain stealthy control over compromised servers and potentially move laterally within target networks.
No specific threat actor group has been publicly linked to these attacks.
Mitigation and Response Recommendations
All versions of SAP NetWeaver 7.xx and associated service packs are vulnerable. SAP recommends customers urgently take the following steps:
- Check Visual Composer Installation
Verify if Visual Composer is installed by accessing the system info page at:
http://<host>:<port>/nwa/sysinfoLook for the software component VISUAL COMPOSER FRAMEWORK (VCFRAMEWORK.SCA). If it is not present, the vulnerability is not applicable.
- Apply Emergency Updates
Immediately update to the latest version of NetWeaver AS that contains a fix for CVE-2025-31324. Do not wait for the standard patch cycle. Note that patching does not remove any pre-existing compromises. - Disable Visual Composer if Unable to Patch
Follow SAP’s official guidelines to disable Visual Composer to prevent exploitation. - Restrict Endpoint Access
Limit or block access to the vulnerable endpoint /developmentserver/metadatauploader through network controls. - Investigate for Signs of Compromise
Search for unexpected .jsp, .java, or .class files in the following directories, as their presence likely indicates compromise:
C:\usr\sap\<SID>\<InstanceID>\j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\root
C:\usr\sap\<SID>\<InstanceID>\j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\work
C\usr\sap\<SID>\<InstanceID>\j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\work\syncEnterprises running SAP NetWeaver should treat this vulnerability with the highest priority to prevent further unauthorized access and potential data breaches.
Continuous monitoring and rapid response will be key to mitigating damage from ongoing attacks exploiting CVE-2025-31324.
Find this News Interesting! Follow us on Google News, LinkedIn, & X to Get Instant Updates!
