A critical security flaw in SAP NetWeaver Application Server has left over 1,200 servers exposed to potential attacks, with threat actors actively exploiting the vulnerability to gain unauthorized access and execute arbitrary code.
The Vulnerability: CVE-2025-31324
The flaw, identified as CVE-2025-31324, is an unauthenticated file upload vulnerability located in the Metadata Uploader component of SAP NetWeaver Visual Composer. This vulnerability allows attackers to upload malicious executable files without authentication, leading to remote code execution and full system compromise.
Security firms ReliaQuest and watchTowr have reported active exploitation of this vulnerability. Attackers are uploading JSP web shells to publicly accessible directories, enabling them to execute commands, manage files, and maintain persistent access to compromised systems.
Scope of Exposure
According to a recent report by BleepingComputer, over 1,200 SAP NetWeaver servers remain unpatched and vulnerable to this flaw. These servers are primarily running outdated versions of the software, lacking the necessary security updates to mitigate the risk.
The widespread use of SAP NetWeaver in enterprise environments amplifies the potential impact of this vulnerability, making it imperative for organizations to assess and secure their systems promptly.
SAP’s Response and Recommendations
SAP has released an out-of-band emergency update to address CVE-2025-31324. The company urges all customers to apply the patch immediately, even if they have already installed the regular April 2025 security updates, as this fix was issued subsequently.
Organizations are advised to review their SAP NetWeaver installations, ensure that all components are up to date, and monitor their systems for any signs of unauthorized access or unusual activity.
Conclusion
The active exploitation of CVE-2025-31324 underscores the critical importance of timely patch management and system monitoring in safeguarding enterprise applications. Organizations utilizing SAP NetWeaver should take immediate action to apply the necessary security updates and mitigate the risk posed by this vulnerability.
For more detailed information and guidance, refer to SAP’s official security advisory and consult with cybersecurity professionals to ensure comprehensive protection against potential threats.