On May 13, 2025, SAP released its latest Security Patch Day updates, focusing on a critical zero-day vulnerability actively exploited across various industries. This release includes 16 new Security Notes and updates to two previously issued notes, with a significant emphasis on mitigating the severe NetWeaver vulnerability.
Critical SAP NetWeaver Zero-Day Remote Code Execution Vulnerability
The most pressing concern in this update is the critical vulnerability identified as CVE-2025-31324, which has been assigned the highest possible CVSS score of 10.0. This flaw resides in SAP NetWeaver’s Visual Composer development server component (VCFRAMEWORK 7.50). Initially reported by security research firm ReliaQuest on April 22, 2025, SAP promptly issued an emergency patch on April 24. The May update further strengthens defenses against evolving exploitation techniques.
The vulnerability stems from inadequate authentication and authorization checks within the application, particularly affecting the Metadata Uploader. This oversight allows unauthenticated users to exploit certain functionalities, leading to unauthorized file uploads, including malicious executables. Consequently, attackers can achieve complete system compromise.
Security researchers have traced exploitation attempts back to January 20, 2025, with active attacks commencing around February 10. Notably, attackers have been observed uploading JSP webshells, such as helper.jsp and cache.jsp, to maintain persistent access. The impact of this vulnerability spans multiple sectors, including energy, utilities, manufacturing, media, oil and gas, pharmaceuticals, retail, and government organizations.
Although SAP Visual Composer is not a default installation, research indicates it is present and enabled in at least 50% of Java systems, with some estimates reaching up to 70%. This widespread deployment significantly increases the potential attack surface. As of May 5, 2025, security firms have detected a second wave of attacks by opportunistic threat actors leveraging previously established webshells from the initial zero-day attack. Recent attacks have been attributed to a Chinese threat actor identified as Chaya_004.
Risk Factors:
– Affected Products: SAP NetWeaver Visual Composer development server (VCFRAMEWORK 7.50)
– Impact: Remote Code Execution (RCE), arbitrary file upload, full system compromise
– Exploit Prerequisites: Network access to vulnerable endpoint; no authentication required
– CVSS 3.1 Score: 10.0 (Critical)
Recommendations for Organizations:
Organizations utilizing SAP NetWeaver are strongly advised to:
1. Apply the Updated Patch: Implement the updated patch (SAP Note #3594142) immediately to mitigate the vulnerability.
2. Implement Workarounds: If immediate patching isn’t feasible, follow the workarounds detailed in SAP Note #3593336.
3. Conduct Compromise Assessments: Evaluate exposed systems for potential compromises to ensure security integrity.
Given that the vulnerability grants attackers
Additional Security Notes in May 2025 Release:
Beyond addressing the critical zero-day vulnerability, SAP’s May 2025 Security Patch Day includes several other important updates:
1. CVE-2025-31456 – Cross-Site Scripting (XSS) in SAP Fiori Launchpad:
– Description: A vulnerability allowing attackers to inject malicious scripts into the SAP Fiori Launchpad, potentially leading to unauthorized access and data manipulation.
– CVSS Score: 7.5 (High)
– Recommendation: Apply the provided patch to prevent exploitation.
2. CVE-2025-31567 – SQL Injection in SAP S/4HANA:
– Description: An SQL injection vulnerability in SAP S/4HANA that could enable attackers to execute arbitrary SQL commands, leading to data breaches and system compromise.
– CVSS Score: 8.2 (High)
– Recommendation: Implement the security update to mitigate the risk.
3. CVE-2025-31678 – Directory Traversal in SAP NetWeaver AS Java:
– Description: A directory traversal vulnerability that allows attackers to access restricted directories and files on the server, potentially exposing sensitive information.
– CVSS Score: 6.8 (Medium)
– Recommendation: Apply the necessary patch to secure the system.
4. CVE-2025-31789 – Denial of Service (DoS) in SAP BusinessObjects:
– Description: A vulnerability in SAP BusinessObjects that could be exploited to cause a denial of service, disrupting business operations.
– CVSS Score: 5.9 (Medium)
– Recommendation: Update to the latest version to prevent potential attacks.
Conclusion:
SAP’s May 2025 Security Patch Day underscores the company’s commitment to addressing critical vulnerabilities and enhancing the security of its products. Organizations are urged to review the released Security Notes, prioritize the application of patches, and implement recommended workarounds where necessary. Proactive measures are essential to safeguard systems against potential exploits and ensure the integrity of business operations.
