A critical zero-day vulnerability, identified as CVE-2025-31324, has been discovered in SAP NetWeaver systems, affecting over 400 devices worldwide. This flaw allows unauthenticated attackers to upload malicious files, potentially leading to full system compromise.
Discovery and Impact
The vulnerability resides in the Metadata Uploader component of SAP NetWeaver Visual Composer, specifically targeting the /developmentserver/metadatauploader endpoint. Due to inadequate authorization checks, attackers can exploit this endpoint to upload JSP webshells into publicly accessible directories. This flaw has been assigned the maximum CVSS severity score of 10.0, underscoring its critical nature.
Security researchers from ReliaQuest uncovered this vulnerability in April 2025 during incident response activities. Notably, the flaw has been actively exploited in the wild, even against fully patched SAP installations. The exploitation technique leverages a missing authorization check, enabling attackers to upload potentially malicious executable files without authentication. This vulnerability is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type).
Attack Methodology
In observed attacks, threat actors have employed sophisticated post-exploitation tools, including the Brute Ratel C4 framework, and evasion techniques such as Heaven’s Gate to bypass endpoint protection measures. Once compromised, affected systems can be used to deploy additional malware, establish persistent access, and exfiltrate sensitive data.
The vulnerability affects SAP NetWeaver Visual Composer, which is not installed by default but is present in approximately 50-70% of Java systems, according to research from Onapsis. The exploitation technique leverages a missing authorization check in the Metadata Uploader component, enabling attackers to upload potentially malicious executable files without authentication. This vulnerability is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type).
Mitigation Measures
In response to this critical threat, SAP released an emergency patch on April 24, 2025, through Security Note 3594142, outside of its regular patch cycle. Organizations are strongly encouraged to apply this patch immediately or implement the temporary workaround described in SAP Note 3593336 if patching is not immediately feasible.
To determine if your systems are vulnerable:
– Test if the URL path /developmentserver/metadatauploader is accessible without authentication.
– Review web server logs for unauthorized access attempts to this endpoint.
– Check for unexpected file uploads in web server logs.
– Monitor for unauthorized outbound connections from SAP systems.
Security experts recommend treating this as a highest-priority security update and implementing the provided patches as soon as possible. For organizations unable to patch immediately, implementing the recommended workarounds and enhanced monitoring is crucial to minimize risk exposure.
Broader Context
This incident is part of a series of vulnerabilities identified in SAP NetWeaver systems over recent months. In January 2025, SAP addressed two critical vulnerabilities: CVE-2025-0070, an improper authentication issue, and CVE-2025-0066, an information disclosure flaw. Both carried a CVSS score of 9.9 and posed significant risks to organizations.
Additionally, in December 2024, SAP patched multiple high-severity vulnerabilities in its NetWeaver Application Server for Java, specifically within the Adobe Document Services component. These flaws allowed attackers to upload malicious PDF files and potentially compromise sensitive information.
The recurrence of such vulnerabilities highlights the critical need for organizations to maintain robust security practices, including regular patching, continuous monitoring, and strict access controls.
Recommendations
Organizations using SAP systems should:
1. Apply Patches Promptly: Regularly monitor SAP’s security advisories and apply patches as soon as they are released.
2. Implement Strong Access Controls: Ensure that only authorized personnel have access to critical components and data.
3. Conduct Regular Security Audits: Periodically review system configurations and logs to detect and address potential vulnerabilities.
4. Enhance Monitoring: Deploy advanced monitoring tools to detect unusual activities and potential breaches promptly.
5. Educate Staff: Provide ongoing training to employees about security best practices and the importance of vigilance.
By taking these proactive measures, organizations can significantly reduce the risk of exploitation and safeguard their critical systems and data.
