28 April – 04 May 2025
White Hat IT Security’s CVE Of The Week, CVE-2025-31324, is a critical zero-day vulnerability affecting SAP NetWeaver’s Visual Composer component, publicly disclosed in late April 2025.
With a maximum CVSS score of 10.0, it allows unauthenticated attackers to upload malicious files, potentially leading to full system compromise. According to the enterprise application security firm Onapsis, this vulnerability has the potential to expose over 10,000 SAP applications with internet-facing components to cyberattacks.
SAP (Systems, Applications, and Products in Data Processing) is a global leader in enterprise application software. Its NetWeaver platform supports various business-critical applications. Visual Composer within NetWeaver is a development environment that allows users to design and deploy applications with minimal coding effort.
The CVE-2025-31324 vulnerability exists in the Metadata Uploader function of the Visual Composer. Due to missing authorization checks, remote attackers can exploit this flaw to upload executable files such as JSP webshell files or Java classes directly to the server via crafted POST requests. Once uploaded, these files can be executed using simple GET requests, giving attackers control over the vulnerable system.
Exploitation can lead to data theft, installation of persistent backdoors, lateral movement within the corporate network, or even deployment of ransomware.
Post-compromise, attackers leveraged advanced tools including the Brute Ratel command-and-control framework and the Heaven’s Gate technique for memory manipulation and evasion. These tools facilitated persistent access, code injection into trusted Windows processes, and deployment of encrypted payloads, effectively bypassing many traditional endpoint defenses.
This vulnerability is already being exploited in the wild. Threat actors have been observed uploading web shells to compromised servers, allowing them to issue system commands and further infiltrate enterprise environments.
To mitigate this threat, organizations should immediately apply SAP’s patch detailed in Security Note 3594142.
Additionally, SAP customers are strongly advised to disable the deprecated Visual Composer tool, restrict external access to development-related URLs, centralize log monitoring, and inspect application directories—especially `j2ee/cluster/apps/sapcom/irj/servlet_jsp/irj/root/`—for unauthorized files.
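One way to carry out the directory inspection recommended above, as an added example that is not White Hat IT Security's or SAP's code: a baseline manifest (SHA-256 per file) is taken from a known-clean instance, and a later audit reports executable content under the `irj/root/` path that was added or modified since. The extension list and the choice of hash are assumptions.

```python
"""Integrity audit for the NetWeaver irj servlet_jsp root directory.
Added example; not code from White Hat IT Security or SAP."""
import hashlib
import sys
from pathlib import Path

# Directory named in SAP's guidance, relative to the NetWeaver instance root.
IRJ_ROOT = "j2ee/cluster/apps/sapcom/irj/servlet_jsp/irj/root/"
# File types the application server would execute on a GET (assumed list).
EXECUTABLE_EXTS = {".jsp", ".jspx", ".class", ".jar"}


def sha256_of(path):
    """Stream a file through SHA-256 so large archives do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map relative path -> digest for every file under root.
    Run this on a known-clean, freshly patched instance and store the result."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in root.rglob("*") if p.is_file()}


def audit(root, baseline):
    """Compare the live directory to the baseline.
    Returns (added, modified): executable files absent from the baseline,
    and baseline files whose content no longer matches."""
    root = Path(root)
    added, modified = [], []
    for p in root.rglob("*"):
        if not p.is_file() or p.suffix.lower() not in EXECUTABLE_EXTS:
            continue
        rel = p.relative_to(root).as_posix()
        if rel not in baseline:
            added.append(rel)
        elif baseline[rel] != sha256_of(p):
            modified.append(rel)
    return sorted(added), sorted(modified)


if __name__ == "__main__":
    # Usage: python audit_irj.py /path/to/instance  (baseline built in-memory here)
    instance = Path(sys.argv[1]) / IRJ_ROOT
    for label, files in zip(("added", "modified"), audit(instance, build_baseline(instance))):
        print(label, files)
```

Any entry in `added` or `modified` is a candidate for incident response triage, not proof of compromise on its own; legitimate deployments also change these files, which is why the baseline must be refreshed after each sanctioned change.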
Given the active exploitation and high risk posed by this vulnerability, immediate action is strongly recommended to protect business-critical SAP environments.
SAP Security Patch Day Security Notes:
https://support.sap.com/en/my-support/knowledge-base/security-notes-news/april-2025.html
Further information:
https://www.securityweek.com/sap-zero-day-possibly-exploited-by-initial-access-broker/

White Hat IT Security is a Europe-based Managed Security Services Provider (MSSP) and proud Microsoft Solution Partner. Its Microsoft-verified managed security solutions reflect their deep expertise and commitment to excellence in cybersecurity.
With the largest incident response capacity in the CEE region, they’re trusted by organizations to deliver fast, effective, and proactive protection. Their portfolio includes penetration testing, vulnerability assessments, managed Cyber Threat Intelligence, as well as Governance, Risk and Compliance (GRC) consulting and specialized security training.
They are committed to supporting professional initiatives that aim to raise cybersecurity awareness and maturity—both for individuals and organizations. They regularly contribute to the community through knowledge sharing, education, and outreach, helping to build a safer digital future for all.