Software supplier SAP warns of active exploitation of a critical vulnerability (CVE-2025-31324) in SAP NetWeaver Visual Composer. Attackers are not only exploiting the vulnerability, they are also placing webshells to maintain persistent access. SAP urgently advises installing the emergency patch and checking systems for abuse. The threat level is high, and the consequences could be significant.
Attackers are actively exploiting a critical vulnerability in SAP NetWeaver Visual Composer (CVE-2025-31324). The vulnerability is specifically located in the Metadata Uploader component, allowing unauthorized users to place malicious files, such as web shells, on the server without requiring a login. These web shells give attackers unlimited access to compromised systems.
Risk and threat increased
The active exploitation of the vulnerability in SAP NetWeaver was previously reported by the Dutch National Cyber Security Center (NCSC) and ReliaQuest, but was initially denied by SAP. Further investigation by SAP has now confirmed that attackers are indeed exploiting the vulnerability and successfully placing web shells. It is worrying that these web shells are now also being offered for sale online, which significantly increases the risk of abuse. The threat level has therefore been raised to High/High, indicating a high likelihood of both abuse and damage.
Affected products and updates
Although the focus is primarily on vulnerability CVE-2025-31324 in SAP NetWeaver Visual Composer, SAP has recently released more updates. These updates address vulnerabilities in a broader range of products. These include SAP Financial Consolidation, SAP Landscape Transformation, SAP NetWeaver Application Server ABAP, SAP Commerce Cloud, SAP ERP BW, SAP BusinessObjects Business Intelligence Platform, and SAP Solution Manager. A specific emergency patch is available for the critical vulnerability CVE-2025-31324.
Urgent advice: patch and check
The urgent advice is to install all available security updates as soon as possible, with priority given to the emergency patch for SAP NetWeaver vulnerability CVE-2025-31324. Organizations that are unsure whether they run the vulnerable software are advised to contact their IT service provider. Additionally, it is essential to scan systems for the presence of any web shells that may have already been installed.
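The check for already-installed web shells, as an added Python example that is not SAP's own tooling: it walks a JSP web root and flags files that contain more than one indicator typical of a web shell (or one indicator in a recently modified file). The indicator list, the directory name and the two fixture files are assumptions constructed for the example; the real deployment path of NetWeaver JSP content is not given on this page, so a placeholder directory is used.

```python
import os
import re
import tempfile
from datetime import datetime, timezone

# Indicators commonly seen in JSP web shells (assumed list). One hit alone is
# weak evidence, since legitimate pages also read request parameters, so a file
# is flagged only with two or more hits, or one hit in a recently modified file.
SHELL_PATTERNS = {
    "exec": re.compile(r"Runtime\.getRuntime\(\)\.exec"),
    "process_builder": re.compile(r"\bProcessBuilder\b"),
    "request_param": re.compile(r"request\.getParameter\("),
    "class_load": re.compile(r"\b(Class\.forName|defineClass)\("),
}

def scan_for_web_shells(root, since=None, exts=(".jsp", ".jspx")):
    """Return [(path, reasons)] for files under root that look like web shells.
    `since` is an optional timezone-aware datetime: files changed after it need
    only one indicator to be flagged (useful after a known intrusion window)."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", errors="ignore") as fh:
                text = fh.read()
            reasons = [k for k, p in SHELL_PATTERNS.items() if p.search(text)]
            mtime = datetime.fromtimestamp(os.path.getmtime(path), tz=timezone.utc)
            recent = since is not None and mtime > since
            if len(reasons) >= 2 or (reasons and recent):
                if recent:
                    reasons.append("modified after " + since.isoformat())
                findings.append((path, reasons))
    return findings

# Constructed fixtures: a benign page that only reads a parameter, and a
# non-functional fragment carrying the tokens a web shell typically contains.
BENIGN_JSP = '<%@ page language="java" %><% String q = request.getParameter("q"); %>'
SUSPECT_JSP = '<%-- constructed fixture --%><% String c = request.getParameter("c"); Object p = new ProcessBuilder(c); %>'

def demo():
    """Write both fixtures into a temporary web root; return {filename: reasons}."""
    with tempfile.TemporaryDirectory() as tmp:
        webroot = os.path.join(tmp, "servlet_jsp")  # placeholder, not a real SAP path
        os.makedirs(webroot)
        for fname, body in (("index.jsp", BENIGN_JSP), ("helper.jsp", SUSPECT_JSP)):
            with open(os.path.join(webroot, fname), "w") as fh:
                fh.write(body)
        return {os.path.basename(p): r for p, r in scan_for_web_shells(webroot)}

if __name__ == "__main__":
    print(demo())  # flags helper.jsp only
```

Point `scan_for_web_shells` at the actual JSP directories of the application server and review every hit by hand; a content scan like this complements, but does not replace, comparing the file list against a known-good deployment.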