SAP NetWeaver Critical Zero-Day (CVE-2025-31324) Under Active Exploitation by Initial Access Brokers

SAP customers are being urged to immediately patch a critical zero-day vulnerability in the Visual Composer component of the SAP NetWeaver application server that threat actors are actively exploiting to deploy web shell backdoors.

The Vulnerability

Tracked as CVE-2025-31324, this unrestricted file upload vulnerability received the maximum severity score of 10 on the CVSS scale. The flaw affects the /developmentserver/metadatauploader endpoint in SAP NetWeaver, which is designed to handle metadata files for application development.

“Unauthenticated attackers can abuse built-in functionality to upload arbitrary files to an SAP NetWeaver instance, which means full remote code execution and total system compromise,” explained Benjamin Harris, CEO of WatchTowr.

Active Exploitation

Researchers at ReliaQuest first identified attacks targeting this vulnerability earlier this week. The attackers are deploying JSP web shells that provide persistent backdoor access, allowing them to:

  • Execute arbitrary commands via GET requests
  • Upload unauthorized files
  • Exfiltrate sensitive data by placing files in publicly accessible directories
  • Deploy additional payloads including Brute Ratel and Heaven’s Gate implants

Initial Access Broker Operations

The gap between web shell installation and follow-up activity—combined with varied post-compromise payloads—suggests an initial access broker operation. These brokers are likely selling access to compromised SAP servers to ransomware gangs and other threat actors.

A critical flaw in the attacker’s approach: the deployed web shells lack authentication, meaning anyone who discovers them can use them. This opens the door for ransomware gangs to find and exploit these backdoors directly, bypassing the need to purchase access from the broker.

Recommended Actions

Organizations should:

  1. Apply the patch immediately via SAP Security Note 3594142
  2. If patching isn’t immediately possible, disable access to the vulnerable component per SAP Note 3596125
  3. Check exposure by testing if https://[your-sap-server]/developmentserver/metadatauploader is accessible without authentication
  4. Review logs for unauthorized access attempts to the metadatauploader path
  5. Search for unexpected file uploads and suspicious outbound connections
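Steps 4 and 5 can be partly automated. The following script is an added example for this article, not code from CSO Online, SAP or the researchers cited; it assumes HTTP access logs in Common Log Format (source IP, timestamp, request line, status) and flags (a) any request to the metadatauploader path, with an accepted POST marked as a possible upload, and (b) a later request from the same source for a .jsp path, which matches the reported web-shell behaviour. The log lines in it are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines in Common Log Format; not from any real
# system, they exist only to exercise the detection logic below.
SAMPLE_LOG = """\
203.0.113.5 - - [24/Apr/2025:10:01:02 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 512
203.0.113.5 - - [24/Apr/2025:10:03:15 +0000] "GET /irj/helper.jsp?c=1 HTTP/1.1" 200 87
198.51.100.7 - - [24/Apr/2025:10:05:00 +0000] "GET /irj/portal HTTP/1.1" 200 3311
203.0.113.9 - - [24/Apr/2025:11:12:44 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 404 0
"""

UPLOADER_PATH = "/developmentserver/metadatauploader"  # endpoint named in the advisory
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one CLF line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_suspicious(log_text):
    """Return a list of (source_ip, reason) findings for analyst review."""
    findings = []
    touched_uploader = defaultdict(bool)  # IPs that hit the uploader endpoint
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if not rec:
            continue
        path = rec["path"].split("?", 1)[0]  # drop the query string
        if path.lower().startswith(UPLOADER_PATH):
            touched_uploader[rec["ip"]] = True
            if rec["method"] == "POST" and rec["status"].startswith("2"):
                findings.append((rec["ip"], "POST to metadatauploader accepted (possible file upload)"))
            else:
                findings.append((rec["ip"], f'{rec["method"]} to metadatauploader returned {rec["status"]} (probe)'))
        elif touched_uploader[rec["ip"]] and path.lower().endswith(".jsp"):
            # Same source later requesting a JSP page: matches the reported web-shell pattern.
            findings.append((rec["ip"], f"request to {path} after uploader access (possible web shell)"))
    return findings


if __name__ == "__main__":
    for ip, reason in find_suspicious(SAMPLE_LOG):
        print(ip, reason)
```

Any hit on the uploader path from the internet is worth investigating even when it returned an error, since a 404 may simply mean the component is disabled on that host.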

Note: The good news is that Visual Composer is not enabled by default on SAP deployments, which limits exposure. However, organizations using this component should treat this as a P1 incident.

Source: CSO Online