SAP has released out-of-band emergency updates for NetWeaver to fix an actively exploited remote code execution (RCE) vulnerability used to hijack servers.
The vulnerability, tracked under CVE-2025-31324 and rated critical (CVSS v3 score: 10.0), is an unauthenticated file upload vulnerability in SAP NetWeaver Visual Composer, specifically the Metadata Uploader component.
It allows attackers to upload malicious executable files without needing to log in, potentially leading to remote code execution and full system compromise.
Though the vendor’s bulletin isn’t public, ReliaQuest reported earlier this week about an actively exploited vulnerability on SAP NetWeaver Visual Composer, specifically the ‘/developmentserver/metadatauploader’ endpoint, which aligns with CVE-2025-31324.
ReliaQuest reported that multiple customers were compromised via unauthorized file uploads on SAP NetWeaver, with the attackers uploading JSP webshells to publicly accessible directories.
These uploads enabled remote code execution via simple GET requests to the JSP files, allowing command execution from the browser, file management actions (upload/download), and more.
In the post-exploitation phase, the attackers deployed the ‘Brute Ratel’ red team tool, the ‘Heaven’s Gate’ security bypassing technique, and injected MSBuild-compiled code into dllhost.exe for stealth.
ReliaQuest noted in the report that exploitation did not require authentication and that the compromised systems were fully patched, indicating that they were targeted by a zero-day exploit.
Security firm watchTowr also confirmed to BleepingComputer they are seeing active exploitation linked to CVE-2025-31324.
“Unauthenticated attackers can abuse built-in functionality to upload arbitrary files to an SAP NetWeaver instance, which means full Remote Code Execution and total system compromise,” stated watchTowr CEO Benjamin Harris.
“watchTowr is seeing active exploitation by threat actors, who are using this vulnerability to drop web shell backdoors onto exposed systems and gain further access.”
“This active in-the-wild exploitation and widespread impact makes it incredibly likely that we’ll soon see prolific exploitation by multiple parties.”
BleepingComputer contacted SAP with questions about the active exploitation but has not received a response at this time.
Protect against attacks now
The vulnerability impacts the Visual Composer Framework 7.50 and the recommended action is to apply the latest patch.
This emergency security update was made available after SAP’s regular ‘April 2025’ update, so if you applied that update earlier this month (released on April 8, 2025), you’re still vulnerable to CVE-2025-31324.
Moreover, the emergency update includes fixes for two more critical vulnerabilities, namely CVE-2025-27429 (code injection in SAP S/4HANA) and CVE-2025-31330 (code injection in SAP Landscape Transformation).
Those unable to apply the updates that address CVE-2025-31324 are recommended to perform the following mitigations:
- Restrict access to the /developmentserver/metadatauploader endpoint.
- If Visual Composer is not in use, consider turning it off entirely.
- Forward logs to SIEM and scan for unauthorized files in the servlet path.
ReliaQuest recommends performing a deep environment scan to locate and delete suspect files before applying the mitigations.
