Discovered in April 2025 by ReliaQuest security researchers during incident response activities, the vulnerability has already been weaponized in attacks against organizations running even fully-patched SAP installations. Organizations using SAP systems are advised to implement proper security monitoring and maintain regular patching schedules to minimize future exposure to similar threats. The vulnerability, tracked as CVE-2025-31324, allows unauthenticated attackers to upload malicious files to affected systems, potentially leading to complete system compromise. Security researchers note that in some observed attacks, threat actors employed sophisticated post-exploitation tools, including the Brute Ratel C4 framework, and evasion techniques such as Heaven’s Gate to bypass endpoint protection measures. “The vulnerability is particularly dangerous because it requires no authentication, is relatively straightforward to execute, requires no user interaction, and potentially gives attackers full control over the affected system,” Vahagn Vardanian of RedRays explained. Cyber Security News is a Dedicated News Platform For Cyber News, Cyber Attack News, Hacking News & Vulnerability Analysis. The vulnerability specifically targets the “/developmentserver/metadatauploader” endpoint, which lacks proper authorization checks, allowing attackers to upload JSP webshells into publicly accessible directories. The vulnerability affects SAP NetWeaver Visual Composer, which is not installed by default but is present in approximately 50-70% of Java systems, according to research from Onapsis. The exploitation technique leverages a missing authorization check in the Metadata Uploader component, enabling attackers to upload potentially malicious executable files without authentication. Shadow Servers have identified 454 SAP NetWeaver systems vulnerable to a critical zero-day vulnerability that has been actively exploited in the wild. SAP released an emergency patch on April 24, 2025, through Security Note 3594142, outside of its regular patch cycle. Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. The critical flaw, which carries the maximum CVSS severity score of 10.0, affects the Metadata Uploader component of SAP NetWeaver Visual Composer. For organizations unable to patch immediately, implementing the recommended workarounds and enhanced monitoring is crucial to minimize risk exposure. Organizations are strongly encouraged to apply this patch immediately or implement the temporary workaround described in SAP Note 3593336 if patching is not immediately feasible.
This Cyber News was published on cybersecuritynews.com. Publication date: Mon, 28 Apr 2025 02:30:16 +0000