Maximum severity vulnerability puts over 1200 SAP NetWeaver servers at risk of hijacking

News
By published

A workaround and a patch are already available

SAP Building
Image Credit: SAP (Image credit: SAP)
  • SAP disclosed a 10/10 flaw in NetWeaver Visual Composer
  • The bug allows threat actors to upload malware
  • Researchers claim up to 1,200 instances are vulnerable

More than 1,200 SAP instances are at risk of being hijacked, researchers are saying, as a critical vulnerability was found being abused in the wild. Earlier this week, SAP said it found an unauthenticated file upload vulnerability in NetWeaver Visual Composer’s Metadata Uploader component.

Visual Composer is a development tool that allows users to build web-based business applications without writing code. It’s mostly used to create dashboards, forms, and interactive reports. The Metadata Uploader, on the other hand, is a tool for importing external data models (metadata) into the Visual Composer design environment. This allows developers to connect to remote data sources (web services, databases, or SAP systems).

The vulnerability SAP found is now tracked as CVE-2025-31324. It carries the maximum severity score (10/10), and stems from the fact that the uploader is not protected with proper authorization, allowing unauthenticated actors to upload malicious executables.

Get Keeper Personal for just $1.67/month, Keeper Family for just $3.54/month, and Keeper Business for just $7/month

Get Keeper Personal for just $1.67/month, Keeper Family for just $3.54/month, and Keeper Business for just $7/month

​Keeper is a cybersecurity platform primarily known for its password manager and digital vault, designed to help individuals, families, and businesses securely store and manage passwords, sensitive files, and other private data.

It uses zero-knowledge encryption and offers features like two-factor authentication, dark web monitoring, secure file storage, and breach alerts to protect against cyber threats.

Preferred partner (What does this mean?)

View Deal

Fortune 500 at risk

When it discovered the bug, SAP first released a workaround, and then in late April, a patch.

Now, users are advised to apply it as soon as possible, since multiple cybersecurity firms confirmed the flaw being abused in the wild. According to BleepingComputer, ReliaQuest, watchTowr, and Onapsis, are just some of the firms that observed the bug being exploited in attacks in which threat actors were dropping web shells on vulnerable servers.

SAP, however, told BleepingComputer that it is not aware of any attacks that impacted customer data or systems.

The jury is still out on how many organizations are actually vulnerable. While the Shadowserver Foundation claims 427 servers are exposed on the internet, Onyphe says there are 1,284 instances, 474 of which are already compromised.

"Something like 20 Fortune 500/Global 500 companies are vulnerable, and many of them are compromised," Onyphe CTO Patrice Auffret told BleepingComputer.

Via BleepingComputer

You might also like

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.