A critical vulnerability, CVE-2025-31324, in SAP’s NetWeaver platform, specifically within the Visual Composer’s Metadata Uploader component, is under active exploitation.
The flaw allows unauthenticated attackers to upload malicious files, such as webshells, via HTTP/HTTPS, potentially over the internet, by targeting the /developmentserver/metadatauploader URL with crafted POST requests. This grants attackers administrative access to the SAP system, enabling unauthorized file uploads, code execution, and full control over the system’s database and resources. SAP confirmed the zero-day attacks, first identified by ReliaQuest, and released an emergency patch on April 24, 2025, urging organizations to apply it and investigate for compromise.
The attacks, observed in multiple customer environments since at least March 27, 2025, primarily target large enterprises, with a notable focus on manufacturing companies, according to Rapid7. Attackers deploy .jsp webshells, such as helper.jsp or randomly named files, into specific NetWeaver directories and use tools like Brute Ratel and techniques like Heaven’s Gate to establish command-and-control communication while evading detection. ReliaQuest suggests the attackers may be initial access brokers, selling access to other threat actors, given the delay between initial access and follow-up actions. The Shadowserver Foundation reports approximately 450 vulnerable SAP NetWeaver instances exposed online, predominantly in the US, India, Australia, China, and Europe.
To mitigate the risk, administrators must immediately apply SAP’s patch or restrict access to the Metadata Uploader component if patching is delayed. Disabling Visual Composer is recommended if it’s not in use. SAP’s security notes provide guidance on identifying indicators of compromise, such as suspicious .jsp, .java, or .class files in specific directories. Onapsis has released an open-source scanner to help organizations verify the presence of the vulnerable component, check patch status, and detect known webshells. If compromise is detected, organizations should expand investigations to assess broader network impacts and initiate cleanup to prevent further exploitation.
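As an added defender-side example (not code from SAP, Onapsis or the researchers cited above), the following Python script applies the two triage checks described in this article: flagging POST requests to the /developmentserver/metadatauploader endpoint and requests for the reported webshell name in web-server access logs, and listing .jsp/.java/.class files under a web root. The log lines and the directory tree it scans are constructed samples, and the webroot path in them is a placeholder, since the article does not name the exact NetWeaver directories.

```python
"""Triage helpers for CVE-2025-31324 indicators (added example, constructed data)."""
import os
import re
import tempfile

# Constructed sample access-log lines in common log format; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [27/Mar/2025:10:12:01 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 512
10.0.0.7 - - [27/Mar/2025:10:12:05 +0000] "GET /irj/portal HTTP/1.1" 200 8921
10.0.0.5 - - [27/Mar/2025:10:13:44 +0000] "GET /placeholder_webroot/helper.jsp HTTP/1.1" 200 88
10.0.0.9 - - [27/Mar/2025:10:14:00 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 403 0
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) (\S+)$')
UPLOADER_PATH = "/developmentserver/metadatauploader"  # endpoint named in the advisory
KNOWN_WEBSHELLS = {"helper.jsp"}                        # webshell name reported by ReliaQuest/Rapid7
SUSPECT_EXTENSIONS = {".jsp", ".java", ".class"}        # file types SAP's security notes point to


def find_suspicious_requests(log_text):
    """Return (client, method, path, status, reason) tuples for lines worth triaging.

    A 200 on the uploader endpoint means the server accepted the request, which on an
    unpatched system is the pre-auth upload this CVE describes; a non-200 still shows
    probing and is reported with a lower-priority reason.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in common log format
        client, _ts, method, path, status, _size = m.groups()
        path_only = path.split("?", 1)[0]
        if path_only.lower() == UPLOADER_PATH and method == "POST":
            reason = "upload accepted" if status == "200" else "upload attempt blocked"
            hits.append((client, method, path_only, status, reason))
        elif os.path.basename(path_only) in KNOWN_WEBSHELLS:
            hits.append((client, method, path_only, status, "known webshell name requested"))
    return hits


def find_suspicious_files(root):
    """Walk a web root and list .jsp/.java/.class files, known webshell names first."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in SUSPECT_EXTENSIONS:
                found.append(os.path.join(dirpath, name))
    return sorted(found, key=lambda p: (os.path.basename(p) not in KNOWN_WEBSHELLS, p))


def demo_file_scan():
    """Build a constructed directory tree in a temp dir and return the flagged basenames."""
    with tempfile.TemporaryDirectory() as d:
        os.makedirs(os.path.join(d, "sub"))
        for name in ("readme.txt", "sub/zzz.class", "sub/helper.jsp"):
            open(os.path.join(d, name), "w").close()
        return [os.path.basename(p) for p in find_suspicious_files(d)]
```

Point `find_suspicious_files` at the real NetWeaver web directories from SAP's note and feed `find_suspicious_requests` the actual ICM/web-dispatcher access logs; any hit on the uploader endpoint before the patch date warrants the wider investigation the article recommends.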