Introduction
A critical security vulnerability [3] [8], identified as CVE-2025-31324 [1] [5] [6] [8], has been discovered in SAP’s NetWeaver Visual Composer development server. This vulnerability poses significant risks due to its potential for exploitation by unauthorized actors, including ransomware groups and state-sponsored entities. The flaw allows for the upload of malicious files, leading to severe consequences such as Remote Code Execution (RCE).
Description
A critical vulnerability [2] [3] [4] [6] [8], tracked as CVE-2025-31324 [1] [5] [6] [8], affects SAP’s NetWeaver Visual Composer development server [6], specifically the Metadata Uploader component in version 7.50 [6]. This unauthenticated file upload vulnerability [2] [6] [7], caused by a missing authorization check, has been assigned a severity score of 10.0 (CVSS v3.1) by SAP [6]. It allows attackers to upload malicious executable files [2] [6], including .jsp web shells, which can lead to Remote Code Execution (RCE) and poses significant risks to affected systems [2] [6]. When exploited [3] [6] [7] [8], it enables attackers to execute arbitrary commands on the victim’s system with the privileges of the <sid>adm operating system user [3], potentially compromising sensitive business data and gaining access to the underlying database.
Evidence of exploitation has emerged rapidly [2] [6], with sophisticated threat actors [7], including ransomware groups such as BianLian and RansomEXX [6], actively targeting this vulnerability [6] [8]. Additionally, Chinese state-sponsored actors [4] [5], including Chaya_004, UNC5221 [2] [4] [8], and UNC5174 [2], have been linked to exploitation efforts. Reports indicate that exploitation has been ongoing since January 2025, with at least 581 SAP NetWeaver instances compromised [8], including those within critical infrastructure sectors in the UK [8], US [2] [4] [6] [8], and Saudi Arabia [4] [8]. The Shadowserver Foundation has noted that over 400 NetWeaver servers were exposed to the internet [6], and plans to attack an additional 1,800 domains have been identified. Private security firms like Onapsis and WatchTowr have confirmed instances of exploitation [6], including the uploading of web shell backdoors on unpatched systems [2] [6]. Attackers typically target the /developmentserver/metadatauploader URL endpoint to exploit this vulnerability. Notably, the deployment of a modular backdoor known as “PipeMagic” began just hours after global exploitation commenced.
CVE-2025-31324 was first detected by ReliaQuest on April 22 and publicly disclosed by SAP on April 24 [2] [6], alongside an emergency patch. It is often exploited in conjunction with another critical flaw, CVE-2025-42999 [1] [2] [6] [7], which involves insecure deserialization and has a CVSS v3.1 base score of 9.1. In response to these threats [1], SAP has issued critical patches under Security Notes 3594142 and 3604119 [1], addressing flaws that could enable RCE without authentication in the Visual Composer component [1]. On April 27 [2] [3] [4] [6] [7] [8], Onapsis [2] [6], in collaboration with Mandiant [6], released an open-source tool to help identify indicators of compromise on affected SAP systems [2] [6]. Administrators are strongly urged to promptly update their SAP NetWeaver servers to the latest support package to remediate this vulnerability. If immediate patching is not feasible [3], temporarily disabling the Visual Composer component is recommended to prevent exploitation [3], along with restricting access to metadata upload functions and monitoring systems for any suspicious activity [1]. It is crucial to avoid exposing NetWeaver instances directly to the public Internet due to significant security risks [3]. Adequate security measures [3], such as secured reverse proxies [3], VPNs [3], or WAF controls [3], should be implemented [3], especially in remote work or cloud-hosted environments [3].
On April 29 [2] [3] [4] [6] [7] [8], the US Cybersecurity and Infrastructure Security Agency (CISA) included CVE-2025-31324 in its Known Exploited Vulnerabilities (KEV) catalog [2] [6] [7], mandating federal agencies to remediate by May 20, 2025 [7], under Binding Operational Directive 22-01 [7]. Organizations using SAP NetWeaver are urged to apply the emergency patch or disable the Visual Composer component and assess their systems for any signs of compromise [3]. Indicators of Compromise (IoC) should be checked to determine if systems have already been exploited [3], with researchers noting web shells with filenames like helper.jsp and cache.jsp [3]. Detection measures include scanning for unexpected files [3], analyzing access logs for suspicious POST requests [3], and checking specific directories for unauthorized files [3]. The Greenbone Enterprise Feed provides a detection test to help organizations identify vulnerable SAP NetWeaver instances for mitigation [3].
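The two detection measures described above (POST requests to the Metadata Uploader endpoint in access logs, and unexpected .jsp files in the web root) can be turned into a small triage script. This is an added example, not code from any of the cited sources or from the Onapsis/Mandiant tool; it assumes Common Log Format access logs (real NetWeaver HTTP logs may differ) and uses hypothetical directory paths and constructed sample data.

```python
import re
from typing import Dict, Iterable, List

# Endpoint the page names as the one abused by attackers.
UPLOADER_PATH = "/developmentserver/metadatauploader"
# Web shell filenames researchers reported; extend from your own IoC feed.
KNOWN_SHELLS = {"helper.jsp", "cache.jsp"}

# Common Log Format parser (assumption: your access log uses this layout).
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

def flag_uploader_posts(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one finding per POST to the Metadata Uploader endpoint.

    An authenticated, legitimate Visual Composer deployment could also POST
    here, so each hit is a lead to triage, not proof of compromise.
    """
    findings = []
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the sweep
        path = m["path"].split("?", 1)[0].lower()  # ignore query string
        if m["method"] == "POST" and path == UPLOADER_PATH:
            findings.append({"ip": m["ip"], "ts": m["ts"], "status": m["status"]})
    return findings

def unexpected_jsp_files(listing: Iterable[str], allowlist: Iterable[str]) -> List[str]:
    """Return .jsp paths absent from a known-good baseline, known shell names first."""
    allowed = {p.lower() for p in allowlist}
    hits = [p for p in listing if p.lower().endswith(".jsp") and p.lower() not in allowed]
    return sorted(hits, key=lambda p: (p.rsplit("/", 1)[-1].lower() not in KNOWN_SHELLS, p))

# Constructed sample data for the demo; not captured from a real system.
SAMPLE_LOG = [
    '203.0.113.5 - - [22/Apr/2025:10:01:02 +0000] "POST /developmentserver/metadatauploader?type=constructed HTTP/1.1" 200 512',
    '198.51.100.7 - - [22/Apr/2025:10:01:09 +0000] "GET /irj/portal HTTP/1.1" 200 8192',
    '203.0.113.5 - - [22/Apr/2025:10:01:15 +0000] "GET /irj/helper.jsp HTTP/1.1" 200 64',
]
# Hypothetical web-root listing and baseline; substitute the real directories from your SAP landscape.
SAMPLE_LISTING = ["/app/root/index.jsp", "/app/root/helper.jsp", "/app/root/cache.jsp", "/app/root/other.jsp"]
BASELINE = ["/app/root/index.jsp"]

if __name__ == "__main__":
    print(flag_uploader_posts(SAMPLE_LOG))
    print(unexpected_jsp_files(SAMPLE_LISTING, BASELINE))
```

Feed the functions the real access log and a file listing of the Visual Composer web root taken from a known-clean reference system; any unexpected .jsp file should be preserved for forensic review before removal.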
Conclusion
The discovery of CVE-2025-31324 highlights the critical need for organizations to remain vigilant against emerging cybersecurity threats. The rapid exploitation by both criminal and state-sponsored actors underscores the importance of timely patching and robust security measures. Organizations must prioritize updating their systems, implementing protective controls, and continuously monitoring for signs of compromise to mitigate the risks associated with such vulnerabilities. As cyber threats evolve, maintaining a proactive security posture will be essential in safeguarding sensitive data and infrastructure.
References
[1] https://socradar.io/may-2025-patch-tuesday-78-flaws-5-exploited-critical-sap-fixes/
[2] https://ciso2ciso.com/sap-netweaver-flaw-exploited-by-ransomware-groups-and-chinese-backed-hackers-source-www-infosecurity-magazine-com/
[3] https://www.greenbone.net/en/blog/cve-2025-31324-an-actively-exploited-flaw-affecting-sap-netweaver-visual-composer/
[4] https://www.halcyon.ai/blog/ransomware-operators-and-chinese-apts-exploiting-sap-netweaver-vulnerabilities
[5] https://www.techradar.com/pro/security/sap-netweaver-woes-worsen-as-ransomware-gangs-join-the-attack
[6] https://www.infosecurity-magazine.com/news/sap-netweaver-vulnerability/
[7] https://intruceptlabs.com/2025/05/critical-sap-netweaver-vulnerabilities-addressed-in-may-2025-patch-immediate-action-required/
[8] https://www.techzine.eu/news/security/131411/ransomware-groups-join-attacks-on-sap-netweaver/