427 SAP Systems Still at Risk from Critical Zero-Day—Are You One of Them?


A critical zero-day vulnerability in SAP NetWeaver is being actively exploited, and hundreds of systems are still exposed—even after a patch was released last week. If your organization runs SAP in any capacity, this is one you’ll want to track closely.

The flaw, now identified as CVE-2025-31324, carries a CVSS score of 10/10 and involves a missing authorization check in the Visual Composer Metadata Uploader component. The vulnerability allows attackers to upload and execute malicious files—a direct path to remote code execution and full system compromise.

SAP issued a patch on April 24 via Security Note 3594142 and updated its April 2025 advisory. But according to data from The Shadowserver Foundation, as of April 28, 427 SAP NetWeaver instances remain vulnerable and internet-exposed.

Here’s the current breakdown by country:

  • 132 in the U.S.
  • 45 in India
  • 38 in Australia
  • 29 in Germany
  • 26 in China

ReliaQuest initially discovered the flaw during an investigation into active intrusions targeting SAP environments. Attackers have already been seen dropping JSP webshells into root directories, then using them for payload deployment, code execution, and lateral movement within enterprise networks.
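The two technical facts above (an unauthenticated upload path in the Metadata Uploader, and JSP webshells being dropped into web root directories) suggest a simple defender-side check: sweep the NetWeaver web root for JSP files that contain command-execution constructs a legitimate portal page would not carry. The script below is an added example written for this article; it is not code from SAP, ReliaQuest or Onapsis. The marker list, the directory layout and the two sample files are assumptions constructed for the demo, and the web root path is a placeholder you must replace with your own instance's document root.

```python
"""Added example, not from the article: scan an SAP NetWeaver web root for
JSP files that contain command-execution constructs typical of webshells.
Marker patterns, sample files and paths are assumptions for demonstration."""
import os
import re
import tempfile
import time
from dataclasses import dataclass, field

# Placeholder: replace with the document root of your NetWeaver Java instance.
SAP_WEB_ROOT = "/path/to/netweaver/web/root"

# Constructs a normal portal JSP almost never contains but a webshell nearly
# always does. Any single hit is enough to queue the file for analyst review.
EXEC_MARKERS = {
    "Runtime.getRuntime().exec": re.compile(
        r"Runtime\s*\.\s*getRuntime\s*\(\s*\)\s*\.\s*exec"),
    "ProcessBuilder": re.compile(r"\bProcessBuilder\b"),
    "Class.forName": re.compile(r"Class\s*\.\s*forName"),
    "defineClass": re.compile(r"\bdefineClass\b"),
}


@dataclass
class Finding:
    path: str
    markers: list = field(default_factory=list)
    age_seconds: float = 0.0   # how recently the file was written


def inspect_jsp(path, now=None):
    """Return a Finding if the file matches any marker, otherwise None."""
    now = time.time() if now is None else now
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except OSError:
        return None
    hits = [name for name, rx in EXEC_MARKERS.items() if rx.search(text)]
    if not hits:
        return None
    return Finding(path=path, markers=hits,
                   age_seconds=now - os.path.getmtime(path))


def scan_jsp_tree(root, max_age_days=None):
    """Walk root, inspect every *.jsp / *.jspx file, return findings by path.
    max_age_days restricts the sweep to recently modified files, which is
    where a freshly dropped shell will show up."""
    findings = []
    now = time.time()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".jsp", ".jspx")):
                continue
            full = os.path.join(dirpath, name)
            if (max_age_days is not None
                    and now - os.path.getmtime(full) > max_age_days * 86400):
                continue
            finding = inspect_jsp(full, now)
            if finding:
                findings.append(finding)
    return sorted(findings, key=lambda f: f.path)


def build_sample_tree(base):
    """Write two constructed sample files (not real artefacts) under base."""
    portal = os.path.join(base, "portal")
    os.makedirs(portal, exist_ok=True)
    # Benign page: renders the logged-in user, no execution constructs.
    with open(os.path.join(portal, "index.jsp"), "w", encoding="utf-8") as fh:
        fh.write('<%@ page language="java" %>\n'
                 '<html><body>Hello, <%= request.getRemoteUser() %></body></html>\n')
    # Suspicious page: constructed sample that only runs a fixed echo, but it
    # carries the same execution construct a webshell would.
    with open(os.path.join(portal, "webshell-like.jsp"), "w", encoding="utf-8") as fh:
        fh.write('<% Runtime.getRuntime().exec("echo constructed-sample"); %>\n')
    return base


def run_demo():
    """Build the sample tree in a temp dir, scan it, return (name, markers)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return [(os.path.basename(f.path), f.markers) for f in scan_jsp_tree(tmp)]


if __name__ == "__main__":
    for name, markers in run_demo():
        print(f"REVIEW {name}: {', '.join(markers)}")
```

Run it against the real web root with `scan_jsp_tree(SAP_WEB_ROOT, max_age_days=30)` and treat every finding as an incident-response lead rather than a verdict: the markers are deliberately broad, so the analyst still reads the file, checks its timestamp against the patch date, and correlates with HTTP access logs for the upload request that created it.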

Onapsis, which monitors SAP threats closely, noted that while more than 10,000 SAP systems are accessible over the internet, the vulnerable Metadata Uploader is not enabled by default. Still, for those that do have it exposed, the risk is significant.

Successful exploitation gives attackers full control over SAP systems, potentially enabling espionage, sabotage, or financial fraud by manipulating critical business processes.

The ongoing exploitation—and the fact that so many systems are still unpatched—makes this one of the most urgent SAP vulnerabilities we’ve seen in recent months. If SAP is anywhere in your stack, this is worth double-checking.
