Critical vulnerability in SAP NetWeaver under threat of active exploitation
Security researchers warn that hackers are actively exploiting a critical unrestricted-file-upload vulnerability in SAP NetWeaver Visual Composer.
The vulnerability, tracked as CVE-2025-31324, could allow an unauthenticated user to upload malicious executable binaries. The vulnerability has a severity score of 10.
Researchers from Reliaquest disclosed the vulnerability to SAP after an investigation uncovered attackers uploading JSP webshells into publicly accessible directories.
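The article describes the post-exploitation artifact as JSP webshells dropped into publicly accessible directories. The script below is an added example, not code from the article or from SAP, ReliaQuest or any other vendor named here: a defender-side triage tool that walks a web root, selects recently modified `.jsp` files and scores them against a small, assumed set of command-execution indicators. The indicator patterns, directory names and both sample pages are constructed for the example and are not indicators of compromise from the article.

```python
"""Hunt for JSP webshells dropped into web-accessible directories.

Added example (not from the article or from SAP/ReliaQuest): walks a web
root, looks at recently modified .jsp files and scores them against
patterns typical of command-execution webshells. Sample files and paths
below are constructed for this example.
"""
import re
import tempfile
import time
from pathlib import Path

# Heuristic indicators of a command-execution JSP webshell (assumed
# patterns for illustration, not an IoC list from the article).
SUSPICIOUS_PATTERNS = {
    "runtime_exec": re.compile(r"Runtime\s*\.\s*getRuntime\s*\(\s*\)\s*\.\s*exec"),
    "process_builder": re.compile(r"\bProcessBuilder\b"),
    "request_param": re.compile(r"request\s*\.\s*getParameter\s*\("),
    "file_write": re.compile(r"\bFileOutputStream\b"),
    "base64_decode": re.compile(r"Base64\s*\.\s*(getDecoder|decodeBase64)"),
}


def score_jsp(source: str) -> list:
    """Return the names of the indicators that match a JSP source text."""
    return [name for name, pat in SUSPICIOUS_PATTERNS.items() if pat.search(source)]


def hunt_jsp_webshells(root, max_age_days=30, min_hits=2):
    """Return (relative path, sorted indicator names) for every .jsp file
    under `root` modified within `max_age_days` that matches at least
    `min_hits` indicators. Requiring two hits keeps ordinary pages that
    merely read request parameters from being flagged."""
    cutoff = time.time() - max_age_days * 86400
    root = Path(root)
    findings = []
    for path in root.rglob("*.jsp"):
        try:
            if path.stat().st_mtime < cutoff:
                continue
            text = path.read_text(errors="replace")
        except OSError:
            continue  # unreadable or vanished file: skip, keep scanning
        hits = score_jsp(text)
        if len(hits) >= min_hits:
            findings.append((path.relative_to(root).as_posix(), sorted(hits)))
    return sorted(findings)


# Constructed samples: one legitimate page, one webshell-like page.
BENIGN_JSP = """<%@ page language="java" %>
<html><body>
<% String name = request.getParameter("name"); %>
<p>Hello, <%= name == null ? "guest" : name %></p>
</body></html>
"""

SHELL_JSP = """<%@ page import="java.io.*" %>
<% String cmd = request.getParameter("cmd");
   if (cmd != null) {
       Process p = Runtime.getRuntime().exec(cmd);
       BufferedReader r = new BufferedReader(new InputStreamReader(p.getInputStream()));
       String line; while ((line = r.readLine()) != null) out.println(line);
   } %>
"""


def build_sample_tree() -> str:
    """Create a temporary web root holding the constructed samples."""
    root = tempfile.mkdtemp(prefix="webroot_")
    pages = Path(root) / "app" / "pages"
    pages.mkdir(parents=True)
    (pages / "hello.jsp").write_text(BENIGN_JSP)
    (pages / "helper.jsp").write_text(SHELL_JSP)
    return root


if __name__ == "__main__":
    for rel, hits in hunt_jsp_webshells(build_sample_tree()):
        print(f"FLAGGED {rel}: {', '.join(hits)}")
```

Run it against a real deployment's web root instead of `build_sample_tree()`; anything flagged should be compared against the application's known file inventory before it is treated as a webshell, since the patterns are heuristics and will also match some legitimate administrative pages.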
Researchers initially suspected the hackers were exploiting an old vulnerability, tracked as CVE-2017-9844, or an unreported remote-file-inclusion vulnerability. However, Reliaquest observed compromises of up-to-date systems.
“Vulnerability CVE-2017-9844 was designated for DoS and possible RCE (no mention of RFI) with requests to the same URI, and, as such, we feel this is net new or scope expansion,” a Reliaquest spokesperson told Cybersecurity Dive on Tuesday.
Reliaquest researchers warn that the SAP technology is widespread among government agencies and that a successful compromise could give hackers access to government networks.
Attackers are using Brute Ratel and Heaven’s Gate for execution and evasion, according to Reliaquest.
An SAP spokesperson confirmed that the company was alerted to a vulnerability in SAP NetWeaver Visual Composer that may have allowed unauthenticated and unauthorized code execution in certain Java Servlets.
The company said it was not aware of any compromises of customer data or systems. It released a workaround on April 8 and is working on a patch that will be available on April 30. The spokesperson said customers should apply that patch immediately.
Despite SAP’s assurances of no immediate impact, security companies are reporting ongoing attempts to exploit the vulnerability.
Researchers at watchTowr are seeing threat actors drop webshell backdoors and gain further access.
“This active in-the-wild exploitation and widespread impact makes it incredibly likely that we’ll soon see prolific exploitation by multiple parties,” Benjamin Harris, CEO of watchTowr, told Cybersecurity Dive via email. “If you thought you had time, you don’t.”
Onapsis Research Labs has identified more than 10,000 internet-facing SAP applications that may be at risk of breach due to the vulnerability, according to CEO Mariano Nunez.
Onapsis estimates that “50%-70% of these apps have the vulnerable component enabled and are likely already compromised,” Nunez added.
The vulnerable component is not enabled by default, however, so Onapsis is still working to confirm how many of those affected systems are actually vulnerable.