TL;DR:
- A critical SAP NetWeaver zero-day (CVE-2025-31324) in the Visual Composer Metadata Uploader is being actively exploited: unauthenticated attackers can upload and execute files, giving them full control of the host. Over 10,000 internet-facing SAP applications are estimated to be exposed.
- SAP has updated its April 2025 Security Patch Day advisory to include a security note addressing the NetWeaver vulnerability.
There’s a new zero-day vulnerability that’s making waves, and it’s potentially impacting over 10,000 internet-facing SAP applications. I’m going to break it all down simply, so you can quickly understand what’s happening, what it means for you, and how you can stay ahead of it.
The vulnerability, now tracked as CVE-2025-31324 with a CVSS score of 10.0 (the highest possible), affects SAP NetWeaver.
Here’s the nutshell version:
- The flaw lives in the Visual Composer Metadata Uploader component.
- It’s due to a missing authorization check: an unauthenticated attacker, with no valid credentials at all, can upload arbitrary files, including executable binaries and web shells.
- Because the uploaded files land in a web-served location, the attacker can then request and execute them, gaining full control of the host system.
Think espionage, sabotage, fraud — it’s that serious.
How Was It Discovered?
Our friends at ReliaQuest stumbled onto this while investigating multiple intrusions, including on systems that were fully patched against every SAP note published at the time.
Initially, they thought the activity was linked to an older vulnerability (CVE-2017-9844), but it turned out attackers were sending crafted POST requests to the uploader endpoint to drop JSP webshells, then invoking them with plain GET requests.
Once the attackers had a foothold, they:
- Deployed more payloads
- Executed operating-system commands through the webshell (remote code execution, RCE)
- Moved laterally inside networks
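The upload-then-execute sequence above is also the most useful thing to hunt for in HTTP access logs: a POST to the Metadata Uploader path followed, from the same source, by a GET of a .jsp resource. The script below is an added example, not code from the original post or from ReliaQuest. It parses a handful of constructed Common-Log-Format-style lines and correlates the two steps per client. The uploader path is the publicly reported one and is kept as a constant; the log layout, the sample addresses and the webshell name `helper.jsp` are assumptions for the offline run, so adapt `LOG_RE` to the ICM or Java access-log format you actually collect.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Publicly reported URL path of the Visual Composer Metadata Uploader.
# Kept as a constant so the check can be pointed at your own landscape.
UPLOADER_PATH = "/developmentserver/metadatauploader"

# Constructed sample log lines in a Common Log Format style. They are
# illustrative only, not a capture from a real SAP system; adapt LOG_RE to
# the access-log layout you actually collect.
SAMPLE_LOG = """\
203.0.113.10 - - [24/Apr/2025:10:01:02 +0000] "GET /irj/portal HTTP/1.1" 200 5120
203.0.113.10 - - [24/Apr/2025:10:01:09 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 233
203.0.113.10 - - [24/Apr/2025:10:01:15 +0000] "GET /irj/helper.jsp?cmd=whoami HTTP/1.1" 200 88
198.51.100.7 - - [24/Apr/2025:10:03:44 +0000] "GET /irj/portal HTTP/1.1" 200 5120
198.51.100.7 - - [24/Apr/2025:10:03:50 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 401 0
192.0.2.55 - - [24/Apr/2025:10:05:00 +0000] "GET /irj/servlet/prt/portal/prtroot/default.jsp HTTP/1.1" 200 900
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)


@dataclass
class Event:
    ip: str
    ts: datetime
    method: str
    path: str      # URL path with the query string stripped
    status: int


@dataclass
class Finding:
    kind: str      # "upload", "upload_attempt" or "webshell_exec"
    ip: str
    ts: datetime
    path: str


def parse_log(text):
    """Parse access-log lines into Event objects; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        events.append(Event(
            ip=m["ip"],
            ts=datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            method=m["method"],
            path=m["target"].split("?", 1)[0],
            status=int(m["status"]),
        ))
    return events


def detect_upload_then_exec(text, window=timedelta(minutes=30)):
    """Flag POSTs to the uploader and any later GET of a .jsp from the same client.

    A 2xx POST is recorded as an "upload". A non-2xx POST is still reported as
    an "upload_attempt", because probing of the endpoint is itself worth knowing
    about. A GET for a .jsp resource is escalated to "webshell_exec" only when
    the same client posted to the uploader within `window` beforehand; a lone
    .jsp GET is not flagged, since the portal serves legitimate JSPs too.
    """
    findings = []
    uploads = defaultdict(list)   # source IP -> timestamps of successful uploads
    for ev in sorted(parse_log(text), key=lambda e: e.ts):
        if ev.method == "POST" and ev.path.lower() == UPLOADER_PATH:
            if 200 <= ev.status < 300:
                uploads[ev.ip].append(ev.ts)
                findings.append(Finding("upload", ev.ip, ev.ts, ev.path))
            else:
                findings.append(Finding("upload_attempt", ev.ip, ev.ts, ev.path))
        elif ev.method == "GET" and ev.path.lower().endswith(".jsp"):
            if any(timedelta(0) <= ev.ts - t <= window for t in uploads[ev.ip]):
                findings.append(Finding("webshell_exec", ev.ip, ev.ts, ev.path))
    return findings


if __name__ == "__main__":
    for f in detect_upload_then_exec(SAMPLE_LOG):
        print(f"{f.kind:15} {f.ip:14} {f.ts.isoformat()} {f.path}")
```

Run against the sample, the client at 203.0.113.10 produces an "upload" followed by a "webshell_exec" for `/irj/helper.jsp`, the 401 from 198.51.100.7 is recorded as an attempt, and the unrelated .jsp request from 192.0.2.55 is ignored. The time window is deliberately generous; ReliaQuest observed slow follow-on activity, so widen it further when hunting historically rather than alerting in real time.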
Key tools spotted during these attacks:
- Brute Ratel: A commercial adversary-emulation and C2 framework, also abused by criminals, that supports code injection, privilege escalation, and credential theft.
- Heaven’s Gate: A technique in which a 32-bit (WoW64) process switches the CPU into 64-bit mode and runs 64-bit code directly, bypassing security tooling that only hooks the 32-bit API layer.
Who’s Behind It?
ReliaQuest believes, based on the slow pace of follow-on activity after initial access, that these attackers may be initial access brokers.
If you’re not familiar, initial access brokers are threat actors who specialize in breaking into systems, then selling that access to others. It’s a growing market in the cybercrime world.
Interestingly, they found no chatter about this vulnerability in cybercrime forums, which hints that this was a brand-new, unreported flaw, one that ReliaQuest’s report described as Remote File Inclusion (RFI). Strictly speaking, the weakness is an unauthenticated arbitrary file upload: the attacker writes a file of their choosing into a web-served directory, rather than making the server include a remote resource.
Why You Should Care
According to Onapsis, a leading SAP security firm, this vulnerability could expose thousands of critical SAP applications worldwide — including ones in Cloud / RISE with SAP environments and on-premise deployments.
In practical terms:
- Attackers could seize full control of your SAP systems.
- They could manipulate your critical business processes.
- They could steal or sabotage sensitive company data.
Even if your SAP landscape is cloud-hosted or was fully patched before SAP’s note was published, you may still be at risk: the flaw was exploited as a zero-day, and applying the note closes the upload path but does not remove webshells that were already planted. Patching therefore has to be paired with a check for prior compromise.
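One concrete way to check for prior compromise on the host itself is to sweep the directories the Java stack serves JSP files from and flag any page that behaves like a webshell. The following is an added example, not code from the original post or from SAP, ReliaQuest or Onapsis. It builds a small temporary tree laid out like the publicly reported drop locations under the `irj` servlet_jsp root (the exact layout on your system may differ and is an assumption here), with one benign page and one constructed shell-like page, then scans for `.jsp` files whose content matches command-execution patterns and whose SHA-256 is not on an allow-list of hashes taken from a clean system.

```python
import hashlib
import re
import shutil
import tempfile
from pathlib import Path

# Patterns that are common in JSP webshells and rare in portal UI pages:
# direct process execution, or decoding attacker-supplied bytes to disk.
SUSPICIOUS_PATTERNS = [
    re.compile(r"Runtime\.getRuntime\(\)\.exec\s*\("),
    re.compile(r"new\s+ProcessBuilder\s*\("),
    re.compile(r"request\.getParameter\s*\([^)]*\).*?(exec|ProcessBuilder)", re.S),
    re.compile(r"Base64.*?FileOutputStream", re.S),
]

# Constructed samples for an offline run; neither file comes from a real system.
BENIGN_JSP = """<%@ page language="java" %>
<html><body><h1>Portal status</h1>
<p>Logged in as <%= request.getRemoteUser() %></p>
</body></html>
"""

SHELL_LIKE_JSP = """<%@ page import="java.io.*" %>
<% String c = request.getParameter("cmd");
   if (c != null) {
     Process p = Runtime.getRuntime().exec(c);
     BufferedReader r = new BufferedReader(new InputStreamReader(p.getInputStream()));
     String l; while ((l = r.readLine()) != null) out.println(l);
   } %>
"""


def scan_jsp_tree(root, known_good_sha256=frozenset()):
    """Walk `root` for .jsp files and return those that look like webshells.

    A file is reported when its content matches one of SUSPICIOUS_PATTERNS and
    its SHA-256 is not in `known_good_sha256`, an allow-list of hashes taken
    from a known-clean installation. Returns (path, sha256, pattern) tuples.
    """
    findings = []
    for path in Path(root).rglob("*.jsp"):
        data = path.read_bytes()
        digest = hashlib.sha256(data).hexdigest()
        if digest in known_good_sha256:
            continue
        text = data.decode("utf-8", errors="replace")
        for pat in SUSPICIOUS_PATTERNS:
            if pat.search(text):
                findings.append((str(path), digest, pat.pattern))
                break   # one hit per file is enough to report it
    return findings


def build_sample_tree():
    """Create a temporary tree shaped like the reported drop locations.

    The directory names below mirror public reporting on where the webshells
    were written (root/ and work/ under the irj servlet_jsp directory); they are
    assumptions for this offline example, not a guarantee about your system.
    """
    base = Path(tempfile.mkdtemp(prefix="nw_hunt_"))
    root = base / "j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root"
    work = base / "j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/work"
    root.mkdir(parents=True)
    work.mkdir(parents=True)
    (root / "status.jsp").write_text(BENIGN_JSP)
    (work / "helper.jsp").write_text(SHELL_LIKE_JSP)
    return base


if __name__ == "__main__":
    base = build_sample_tree()
    try:
        for path, digest, pattern in scan_jsp_tree(base):
            print(f"SUSPICIOUS {path}\n  sha256={digest}\n  matched={pattern}")
    finally:
        shutil.rmtree(base, ignore_errors=True)
```

On a real host, point `scan_jsp_tree` at the NetWeaver instance directory and feed it hashes from a system you trust; anything it reports should be preserved (file, timestamps, owner) before removal, since the file itself is the best evidence of when the foothold was gained.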