Critical Authentication Bypass Vulnerability in SAP NetWeaver Visual Composer Actively Exploited in the Wild

CyberSecureFox 🦊

SAP has released an emergency security patch addressing a critical zero-day vulnerability in NetWeaver Visual Composer that cybercriminals are actively exploiting. The vulnerability, tracked as CVE-2025-31324, has received the maximum CVSS severity score of 10.0. It enables unauthenticated remote code execution and poses an immediate threat to enterprise systems worldwide.

Understanding the Technical Impact

The security flaw resides in the Metadata Uploader component of SAP NetWeaver Visual Composer, specifically the /developmentserver/metadatauploader endpoint. It allows attackers to upload malicious executable files without authenticating, potentially leading to complete system compromise. Security researchers emphasize that the ability to bypass authentication makes the vulnerability particularly dangerous for exposed systems.

Observed Attack Patterns and Exploitation

ReliaQuest security researchers have documented multiple successful attacks exploiting this vulnerability. Threat actors have been observed deploying JSP web shells in public directories, enabling remote command execution through simple GET requests. The attacks have successfully compromised even fully patched systems, confirming the zero-day nature of this vulnerability.

Advanced Post-Exploitation Techniques

Security analysts have identified sophisticated post-exploitation activities utilizing advanced adversary tools and techniques, including:

  • Deployment of the Brute Ratel Red Team framework
  • Implementation of Heaven’s Gate evasion techniques
  • Exploitation of MSBuild for compiled code injection into dllhost.exe

Threat Actor Behavior and Attack Chain

WatchTowr’s analysis reveals that attackers are establishing persistent access through backdoor deployment. According to Benjamin Harris, WatchTowr’s CEO, the observed patterns suggest involvement of initial access brokers who compromise systems for resale to other threat actors. The tactical patience between initial compromise and subsequent malicious activities indicates sophisticated, organized cybercriminal operations.

Organizations utilizing SAP NetWeaver must take immediate action to mitigate this threat. Security teams should prioritize the deployment of SAP’s emergency security patch and conduct comprehensive system audits focusing on public directory contents and unauthorized system activity. Additionally, implementing robust monitoring solutions and maintaining detailed system logs is crucial for detecting potential compromise indicators. Time is critical – immediate patching and security assessment are essential to prevent unauthorized system access and data breach incidents.
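As a starting point for the log review recommended above, the following added example (not code from SAP, ReliaQuest or WatchTowr) triages web access logs for requests to the Metadata Uploader endpoint and for parameterised GET requests to JSP files. It assumes Common Log Format lines; the sample lines, IP addresses and file names are constructed.

```python
import re
from urllib.parse import unquote, urlsplit

UPLOADER = "/developmentserver/metadatauploader"  # endpoint named in the article

# Assumption: Common Log Format lines; adapt the regex to your server's layout.
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

def triage(lines):
    """Return (findings, unparsed_line_numbers) for access-log lines."""
    findings, unparsed, uploaders = [], [], set()
    for n, line in enumerate(lines, 1):
        m = LINE_RE.match(line)
        if not m:
            unparsed.append(n)  # report, never silently skip, during triage
            continue
        url = urlsplit(m["target"])
        path = unquote(url.path).lower().rstrip("/")
        ok = m["status"].startswith("2")
        if path == UPLOADER:
            if m["method"] == "POST":
                uploaders.add(m["client"])
                kind = "upload-accepted" if ok else "upload-rejected"
            else:
                kind = "uploader-probe"
        elif m["method"] == "GET" and path.endswith(".jsp") and url.query and ok:
            # Legitimate JSPs also take parameters: rank by prior uploader contact.
            kind = "jsp-get-after-upload" if m["client"] in uploaders else "jsp-get-review"
        else:
            continue
        findings.append((n, kind, m["client"], m["target"]))
    return findings, unparsed

# Constructed sample lines (documentation IP ranges, made-up file names).
SAMPLE = [
    '198.51.100.7 - - [01/Jan/2025:10:00:00 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 120',
    '198.51.100.7 - - [01/Jan/2025:10:00:09 +0000] "GET /constructed-dir/constructed.jsp?x=1 HTTP/1.1" 200 57',
    '192.0.2.10 - - [01/Jan/2025:10:01:00 +0000] "GET /constructed-app/index.jsp HTTP/1.1" 200 5120',
    '203.0.113.5 - - [01/Jan/2025:10:02:00 +0000] "GET /DevelopmentServer/MetadataUploader/ HTTP/1.1" 404 0',
    'truncated line without a request field',
    '192.0.2.10 - - [01/Jan/2025:10:03:00 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    hits, bad = triage(SAMPLE)
    print(*hits, f"unparsed lines: {bad}", sep="\n")
```

Any "upload-accepted" hit on a system that was unpatched at the time warrants inspecting the public directories for unexpected JSP files, and "jsp-get-review" hits should be compared against the JSPs your applications legitimately serve.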
