Vulnerability Management, Patch/Configuration Management, Data Security

Over 400 servers found to be exposed to SAP NetWeaver bug 

SAP is a German based multinational software corporation

Security pros warned that teams should patch a critical zero-day bug in SAP NetWeaver Visual Composer immediately after the Shadowserver Foundation found that more than 400 servers are exposed to potential attacks.

Active exploitation of the vulnerability has already been confirmed, with risks including remote code execution and full system compromise. As of yesterday, 427 servers were still exposed, predominantly in the United States, India, Australia, Germany, and China.

Jonathan Stross, an SAP security analyst at Pathlock, said the vulnerability — CVE-2025-31324 — could let attackers upload malicious files, execute arbitrary code, gain persistent remote access, escalate privileges, extract sensitive business data, disrupt operations, or even pivot into broader enterprise networks.

“The severity of this flaw is underscored by a CVSS score of 10.0, making immediate action essential,” said Stross. “This vulnerability is so severe that SAP took the rare step of releasing the patch outside of its regular schedule.”

News of the SAP NetWeaver bug originally ran in a ReliaQuest blog post on April 22, updated April 25, in which the researchers said the bug was initially suspected to be a remote file inclusion (RFI) issue.

However, as reported by SC Media April 25, SAP confirmed it was an unrestricted file upload vulnerability, which lets attackers upload malicious files directly to the system without authorization. SAP then issued a patch, pointing out that attackers were uploading malicious webshells to these systems.

From the get-go, security experts have expressed concern over this SAP NetWeaver vulnerability because so many Fortune 500 companies and large government agencies run SAP for their core enterprise resource planning (ERP) applications.

“Given the widespread use of SAP in Fortune 500 companies and government agencies especially in supply chain, finance, and operations, this vulnerability poses a severe risk to business continuity, data integrity, and third-party integrations,” said Lorri Janssen-Anessi, director of external cybersecurity assessments at BlueVoyant. “Organizations are strongly urged to apply SAP's patch immediately.”

Janssen-Anessi said teams should disable the deprecated Visual Composer component by turning off the development server alias. They should also restrict access to development endpoints if any are actively being exploited, and deploy web application firewalls and endpoint detection and response tools to monitor for webshells or unauthorized file uploads.

“Last but not least, begin planning for migrations off of SAP NetWeaver, which reaches end-of-life in 2027,” said Janssen-Anessi. “It’s important to understand this is not a theoretical risk. Exploitation is already underway and delay increases exposure to operational disruption, potential data loss, espionage, or fraud to name just a few.”
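As an added illustration of the monitoring advice above (not code from the article, SAP, or any of the quoted vendors), the script below runs a simple detection over constructed web-server access-log lines: it flags POST requests to the development server alias, 2xx responses for JSP files not in a baseline of expected paths, and correlates the two when the same source did both. The alias path `/developmentserver/`, the hypothetical file paths and the baseline set are all assumptions made for the example; IPs are from documentation ranges.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines in common log format. Only the idea of a
# "development server alias" comes from the article; the paths are hypothetical.
SAMPLE_LOG = """\
203.0.113.5 - - [25/Apr/2025:10:01:12 +0000] "GET /irj/portal HTTP/1.1" 200 5120
198.51.100.7 - - [25/Apr/2025:10:02:40 +0000] "POST /developmentserver/upload HTTP/1.1" 200 88
198.51.100.7 - - [25/Apr/2025:10:02:55 +0000] "GET /irj/root/helper.jsp HTTP/1.1" 200 412
192.0.2.9 - - [25/Apr/2025:10:05:01 +0000] "GET /irj/servlet/prt/portal/prtroot/login.jsp HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+$')
DEV_ALIAS = "/developmentserver/"  # assumed URL prefix of the Visual Composer development server alias
KNOWN_JSP = {"/irj/servlet/prt/portal/prtroot/login.jsp"}  # constructed baseline of JSPs the portal normally serves

def parse(line):
    """Parse one common-log-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return {"ip": ip, "ts": ts, "method": method, "path": path.split("?")[0], "status": int(status)}

def find_suspicious(log_text):
    """Return a list of (alert_type, source_ip, path) tuples.

    Alert types: dev_alias_post (upload attempt against the dev alias),
    unbaselined_jsp (a JSP served successfully that is not in the baseline),
    probable_webshell (same source produced both of the above)."""
    alerts, uploads, new_jsp = [], defaultdict(list), defaultdict(list)
    for raw in log_text.splitlines():
        ev = parse(raw)
        if ev is None:
            continue
        if ev["method"] == "POST" and ev["path"].startswith(DEV_ALIAS):
            uploads[ev["ip"]].append(ev["path"])
            alerts.append(("dev_alias_post", ev["ip"], ev["path"]))
        if (200 <= ev["status"] < 300 and ev["path"].lower().endswith((".jsp", ".jspx"))
                and ev["path"] not in KNOWN_JSP):
            new_jsp[ev["ip"]].append(ev["path"])
            alerts.append(("unbaselined_jsp", ev["ip"], ev["path"]))
    # Correlate: a source that both posted to the dev alias and then hit a new JSP file
    for ip in uploads.keys() & new_jsp.keys():
        alerts.append(("probable_webshell", ip, new_jsp[ip][0]))
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious(SAMPLE_LOG):
        print(alert)
```

The baseline set would in practice be built from a known-good period of logs for the specific system; a correlated hit is a trigger for the forensic review De Vitto recommends, not proof of compromise on its own.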

Domenico De Vitto, principal threat hunter at Ontinue, said owners of these SAP NetWeaver systems should mitigate the risk immediately by isolating these systems until patched, and also presume those systems, and any closely linked systems, are compromised. This includes internet-facing and internal systems, which are still accessible to insider threats and previously compromised internal devices.

“CVSS scores of 10 are quickly leveraged by attackers to gain a permanent foothold onto the system, typically deploying, or configuring, remote access tools to ensure continued access after the system is patched,” said De Vitto. “We would recommend a full forensic review of such systems to determine if, how, and when they may have been compromised, and also review internal systems that reside on the same network area, or are accessible from the NetWeaver systems.”
