Critical SAP Zero-Day (CVE-2025-31324) Exploited by Initial Access Brokers

More than 10,000 SAP applications may be at risk from a critical zero-day vulnerability that has already been exploited in the wild for remote code execution.

Tracked as CVE-2025-31324 and carrying the maximum CVSS score of 10.0, the vulnerability stems from a missing authorization check in the Visual Composer Metadata Uploader component of SAP NetWeaver.

According to the NIST NVD description, the flaw allows an unauthenticated attacker to upload potentially malicious executable binaries that could severely harm the host system.

SAP has updated its April 2025 Security Patch Day advisory to address this critical issue with a newly released security note.

The vulnerability was uncovered by ReliaQuest during an investigation into intrusions affecting several customers, including attacks on systems that had already applied the latest SAP patches.

Initially, ReliaQuest suspected that the unauthorized file upload and execution activity was related to exploitation of CVE-2017-9844 (CVSS score 9.8), an older Metadata Uploader flaw in which crafted serialized Java objects lead to denial of service (DoS) or remote code execution (RCE).

In the observed attacks, the threat actors abused the Metadata Uploader to upload malicious JSP webshells via crafted POST requests and later triggered them with simple GET requests, gaining full control of the compromised host.

In every case, the webshells were dropped into the same root directory, offered similar functionality, and reused code from a public GitHub repository focused on remote code execution via file uploads.
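The two-step pattern described above (an unauthenticated POST to the uploader, followed hours or days later by a GET to a freshly dropped .jsp file from the same source) is well suited to a retrospective hunt over web-server access logs. The script below is an added example written for this page, not code from ReliaQuest or SAP. It assumes combined-format access logs and assumes the uploader's URL path is /developmentserver/metadatauploader, which comes from public SAP and ReliaQuest reporting rather than from this article; the log lines it runs against are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# ASSUMPTION: URL path of the Visual Composer Metadata Uploader servlet.
# Not named in the article; taken from public SAP/ReliaQuest reporting.
UPLOADER_PATH = "/developmentserver/metadatauploader"

# Combined log format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        # Drop the query string so the path comparison is not fooled by parameters.
        "path": m["path"].split("?", 1)[0],
        "status": int(m["status"]),
    }


def find_webshell_chains(lines, window=timedelta(hours=72)):
    """Correlate uploader POSTs with later GETs to .jsp files from the same source.

    Returns a dict with every POST to the uploader (each one is already worth
    review, because the component should not accept unauthenticated uploads)
    and every POST->GET chain that fits inside `window`. The window is wide on
    purpose: the article notes the attacker waited days before follow-up.
    """
    uploads = defaultdict(list)   # source ip -> timestamps of uploader POSTs
    uploader_posts, chains = [], []
    for ev in filter(None, map(parse_line, lines)):
        if ev["method"] == "POST" and ev["path"].lower().startswith(UPLOADER_PATH):
            uploads[ev["ip"]].append(ev["ts"])
            uploader_posts.append((ev["ip"], ev["ts"], ev["status"]))
        elif ev["method"] == "GET" and ev["path"].lower().endswith(".jsp") and ev["status"] == 200:
            for t in uploads[ev["ip"]]:
                delay = ev["ts"] - t
                if timedelta(0) <= delay <= window:
                    chains.append({"ip": ev["ip"], "webshell": ev["path"],
                                   "uploaded_at": t, "delay": delay})
                    break
    return {"uploader_posts": uploader_posts, "chains": chains}


# Constructed sample log lines (TEST-NET addresses); not real traffic.
SAMPLE_LOG = [
    '198.51.100.20 - - [10/Apr/2025:11:58:01 +0000] "GET /irj/portal HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Apr/2025:12:00:00 +0000] '
    '"POST /developmentserver/metadatauploader?CONTENTTYPE=MODEL&CLIENT=1 HTTP/1.1" 200 312',
    '198.51.100.20 - - [11/Apr/2025:08:30:45 +0000] "GET /irj/go/km/docs/index.jsp HTTP/1.1" 200 2048',
    '203.0.113.7 - - [13/Apr/2025:09:15:00 +0000] "GET /irj/helper.jsp HTTP/1.1" 200 87',
]

if __name__ == "__main__":
    result = find_webshell_chains(SAMPLE_LOG)
    for ip, ts, status in result["uploader_posts"]:
        print(f"uploader POST from {ip} at {ts.isoformat()} (HTTP {status})")
    for c in result["chains"]:
        print(f"possible webshell {c['webshell']} from {c['ip']}, "
              f"triggered {c['delay']} after upload")
```

On the constructed input the legitimate user's JSP request is ignored because that address never touched the uploader, while the POST from 203.0.113.7 and the GET to /irj/helper.jsp roughly 69 hours later are reported as a chain. In a real hunt, treat every uploader POST as a finding in its own right and pivot from the flagged .jsp paths to the filesystem to recover the dropped files.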

The deployed webshell let the attackers drop additional payloads, execute code remotely, and move laterally across the network. ReliaQuest identified several post-exploitation tools, notably the Brute Ratel command-and-control (C2) framework and the Heaven's Gate technique for evading in-memory endpoint protections.

Brute Ratel was used to inject malicious code into Windows processes, upload and decrypt payloads directly in memory, and support privilege escalation, security-control bypass, credential theft, and lateral movement.

Heaven's Gate, meanwhile, was used to manipulate threads so that execution could switch from 32-bit to 64-bit mode at runtime. That transition lets a 32-bit process issue 64-bit system calls directly, sidestepping hooks that security products place in the 32-bit API layer.

“In one case, we observed the attacker taking several days to transition from initial access to follow-up activities,” ReliaQuest reported. “This delay suggests the attacker could be an initial access broker, aiming to sell access to other threat actors.”

ReliaQuest also noted that it found no significant chatter on cybercrime forums about NetWeaver server access via webshells, leading it to conclude that the attackers had exploited a previously unknown and unreported remote file inclusion (RFI) vulnerability in SAP applications.

“Based on the evidence, we assess with high confidence that this involves an unreported RFI vulnerability targeting public-facing SAP NetWeaver servers,” ReliaQuest added. “It remains unclear if the issue affects only certain NetWeaver versions; however, all observed cases involved fully patched systems.”

While ReliaQuest's initial report did not mention CVE-2025-31324, the newly assigned identifier for the Visual Composer Metadata Uploader flaw appears directly connected to the observed zero-day exploitation.

According to Onapsis, an enterprise application security company, the flaw could expose over 10,000 internet-facing SAP applications to attack.

“Exploitation of this vulnerability grants attackers full control over SAP's critical business processes and sensitive information, potentially leading to espionage, sabotage, and fraud,” Onapsis warned in a statement to SecurityWeek. The company also noted that customers across Cloud, RISE with SAP, and on-premises deployments are at risk.

However, Onapsis pointed out that the affected component is not enabled by default and said it is still investigating the extent of exposure to determine the exact number of impacted systems. Because the uploader is an optional component, administrators should verify whether it is actually deployed and reachable on their own systems rather than assume they are exposed, or safe, by default.

Related: CVE-2025-31324: Critical SAP NetWeaver Vulnerability Patched

Related: Critical Security Flaws Detected in SAP NetWeaver AS for Java

Related: 4 Critical High-Severity Vulnerabilities Added to CISA’s Exploited Vulnerabilities Catalog

Related: SAP AI Vulnerabilities Uncover Critical Cloud Security Gaps
