SAP Fixes Suspected NetWeaver Zero-Day Exploited in Attacks

Summary:
SAP has pushed out an emergency out-of-band update for a serious vulnerability in NetWeaver Visual Composer, tracked as CVE-2025-31324. The flaw is rated critical with a CVSS score of 10.0 and is already being actively exploited in the wild. It's an unauthenticated file upload bug in the Metadata Uploader component, which lets attackers upload arbitrary files — including malicious webshells — without needing credentials. Once uploaded, they can execute these files remotely, leading to full remote code execution and complete compromise of affected systems.

ReliaQuest was the first to spot activity, noticing attackers targeting the /developmentserver/metadatauploader endpoint. They observed multiple customer environments being compromised using unauthorized file uploads, specifically uploading JSP-based webshells into publicly accessible locations. These webshells enabled attackers to interact with the systems via simple GET requests — running commands, uploading or downloading files, and more. It’s very low-effort for the attacker once the file’s in place.

In later stages of the attack, adversaries were seen using post-exploitation tools like Brute Ratel, and employing techniques like Heaven's Gate, as well as injecting MSBuild-compiled payloads into dllhost.exe to maintain stealth and persistence. What's concerning is that ReliaQuest confirmed this worked on fully patched SAP systems, meaning it’s a true zero-day.

Security firm watchTowr also told BleepingComputer that they’re seeing active exploitation as well. According to their CEO, attackers are abusing SAP’s functionality to upload arbitrary files and gain RCE — and the activity is growing. There’s concern this will quickly escalate into widespread exploitation by multiple actors if organizations don’t act fast.

SAP hasn’t publicly released a detailed advisory yet, but they did ship the patch. This vulnerability wasn't included in the regular April 2025 Patch Tuesday, so if you applied updates earlier this month, you're still vulnerable. Also worth noting: the emergency update includes fixes for two other critical bugs — CVE-2025-27429 (code injection in SAP S/4HANA) and CVE-2025-31330 (code injection in SAP Landscape Transformation) — so this out-of-band patch covers more than just this one issue.

Security Officer Comments:
Honestly, this is the kind of exploit that feels like it was made for mass exploitation. It's unauthenticated, works on patched systems, allows full RCE, and it’s trivial to use once access is gained. Add in the use of Brute Ratel, stealth injection into legitimate processes, and known advanced evasion techniques, and you've got a recipe for deep, long-term access. The fact that attackers are already uploading webshells and interacting via browser GET requests says a lot about how easy this is to exploit — and it’s likely just the beginning. If this becomes more widely known, expect ransomware groups and other opportunistic actors to jump on it fast. This should absolutely be at the top of the priority list for any organization using SAP NetWeaver.

Suggested Corrections:

  • Apply the Patch Immediately – Don’t assume your last SAP update covered this. If you only applied April’s Patch Tuesday on April 8th, you’re still exposed to CVE-2025-31324.
  • Restrict Access to the Endpoint – Specifically block access to /developmentserver/metadatauploader until the patch can be applied.
  • Disable Visual Composer (if possible) – If you’re not actively using it, just shut it down to eliminate the risk entirely.
  • Send Logs to Your SIEM – Keep an eye on any unusual activity, especially around servlet paths or JSP file executions.
  • Scan Your Environment – Look for unauthorized files and known webshell indicators. Do a deep file audit on servlet directories.
  • Hunt for Post-Exploitation Activity – Brute Ratel, Heaven’s Gate techniques, and suspicious MSBuild activity in dllhost.exe should all be red flags.
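
As an added detection example (not code from the original report, SAP or ReliaQuest), the Python script below scans web-server access-log lines for the two observable steps the summary describes: a request to the /developmentserver/metadatauploader endpoint, and a later request for a .jsp file from the same source address, which matches the upload-then-webshell pattern. The log lines, IP addresses and the .jsp path are constructed for the example and are not indicators from the report.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (common log format); NOT from the report.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Apr/2025:10:01:02 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 512
203.0.113.7 - - [24/Apr/2025:10:01:09 +0000] "GET /irj/portal/helper.jsp?x=1 HTTP/1.1" 200 87
198.51.100.4 - - [24/Apr/2025:10:02:00 +0000] "GET /irj/portal HTTP/1.1" 200 3201
192.0.2.9 - - [24/Apr/2025:10:03:11 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 403 0
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
UPLOADER = "/developmentserver/metadatauploader"  # endpoint named in the summary


def parse(line):
    """Parse one common-log-format line into a dict; return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, ts, method, path, status = m.groups()
    return {"src": src, "ts": ts, "method": method,
            "path": path.split("?")[0], "status": int(status)}


def find_suspicious(log_text):
    """Return (severity, source, path, status) alerts in log order.

    uploader_access : any request to the Metadata Uploader endpoint (even if blocked)
    jsp_request     : a request for a .jsp file with no prior uploader hit from that source
    webshell_chain  : a .jsp request from a source that earlier reached the uploader
                      with a non-error status, i.e. the upload-then-webshell sequence
    """
    alerts = []
    possible_uploaders = defaultdict(list)  # source -> timestamps of successful hits
    for raw in log_text.splitlines():
        ev = parse(raw)
        if ev is None:
            continue
        if ev["path"] == UPLOADER:
            if ev["status"] < 400:
                possible_uploaders[ev["src"]].append(ev["ts"])
            alerts.append(("uploader_access", ev["src"], ev["path"], ev["status"]))
        elif ev["path"].lower().endswith(".jsp"):
            sev = "webshell_chain" if ev["src"] in possible_uploaders else "jsp_request"
            alerts.append((sev, ev["src"], ev["path"], ev["status"]))
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious(SAMPLE_LOG):
        print(*alert)
```

Feed it real access logs by replacing SAMPLE_LOG; a webshell_chain alert is the one to triage first, and a 403 on the uploader path shows an endpoint block (as suggested above) doing its job.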

Link(s):
https://www.bleepingcomputer.com/ne...cted-netweaver-zero-day-exploited-in-attacks/