In early 2025, a critical zero-day vulnerability identified as CVE-2025-31324 was discovered in SAP NetWeaver, a core component of SAP’s enterprise software suite. This flaw, carrying the highest possible CVSS score of 10.0, enables unauthorized remote code execution (RCE) on affected systems. The vulnerability resides in the NetWeaver Visual Composer component, which is integral for developing applications and user interfaces within the SAP environment.
Discovery and Initial Exploitation
The vulnerability was first detected by cybersecurity firm ReliaQuest, which observed active exploitation in the wild. Threat actors began probing vulnerable systems as early as January 20, 2025, marking the commencement of a series of attacks targeting this flaw. These initial incursions involved the deployment of malicious JavaServer Pages (JSP) webshells through specially crafted POST requests to the `/developmentserver/metadatauploader` endpoint. Once uploaded, these webshells allowed attackers to execute arbitrary commands remotely via subsequent GET requests.
Scope of the Attacks
The exploitation of CVE-2025-31324 has been widespread, affecting hundreds of SAP NetWeaver instances globally. Industries impacted include energy and utilities, manufacturing, media and entertainment, oil and gas, pharmaceuticals, retail, and government organizations. The attackers demonstrated advanced knowledge of SAP systems, utilizing sophisticated tools such as Brute Ratel and Heaven’s Gate to achieve code execution and evade detection post-initial access.
Technical Details of the Vulnerability
The root cause of CVE-2025-31324 lies in the unrestricted file upload functionality within the Visual Composer component of SAP NetWeaver. By exploiting this flaw, attackers can upload malicious files to the `j2ee/cluster/apps/sap.com/irj/servletjsp/irj/root/` directory. These files can then be executed remotely, granting the attacker full control over the compromised system. Given that Visual Composer is included by default in SAP NetWeaver installations starting from version 2004s, the attack surface is significantly broad, exposing numerous organizations to potential compromise.
SAP’s Response and Mitigation Measures
On April 24, 2025, SAP released patches to address CVE-2025-31324. The company strongly recommends that customers apply these patches promptly to secure their SAP landscapes. In addition to patching, organizations are advised to implement the following measures:
– Regular System Audits: Conduct thorough audits of SAP systems to identify any unauthorized changes or anomalies.
– Enhanced Monitoring: Deploy advanced monitoring solutions to detect unusual activities indicative of exploitation attempts.
– Access Controls: Review and tighten access controls to minimize the risk of unauthorized access.
– Incident Response Planning: Develop and regularly update incident response plans to ensure swift action in the event of a security breach.
Broader Implications and Industry Response
The exploitation of CVE-2025-31324 underscores the persistent threat posed by zero-day vulnerabilities in critical enterprise applications. The fact that attackers have been actively exploiting this flaw since January 2025 highlights the need for continuous vigilance and proactive security measures. Organizations across various sectors must recognize the importance of timely patch management and the implementation of robust security protocols to safeguard their systems against such sophisticated attacks.
Cybersecurity firms, including Onapsis and Mandiant, have been actively collaborating to investigate these attacks and provide guidance to affected organizations. Their analyses reveal that the threat actors involved possess a high level of expertise in SAP systems, indicating a well-coordinated and targeted approach to exploiting this vulnerability.
Conclusion
The discovery and subsequent exploitation of CVE-2025-31324 serve as a stark reminder of the critical importance of cybersecurity in protecting enterprise systems. Organizations utilizing SAP NetWeaver must act swiftly to apply the necessary patches and implement comprehensive security measures to mitigate the risks associated with this vulnerability. Continuous monitoring, regular system audits, and a proactive security posture are essential in defending against such sophisticated threats.
