Full Report
Researchers attribute the attacks to an initial access broker who is exploiting the CVSS 10.0 critical vulnerability. (Source article: "SAP zero-day vulnerability under widespread active exploitation", CyberScoop.)
Analysis Summary
# Vulnerability: Critical SAP NetWeaver Unrestricted File Upload Zero-Day
## CVE Details
- CVE ID: CVE-2025-31324
- CVSS Score: 10.0 (Critical)
- CWE: CWE-434, Unrestricted Upload of File with Dangerous Type (inferred from the described behaviour; the source does not state a CWE).
## Affected Systems
- Products: SAP NetWeaver, specifically the SAP Visual Composer component.
- Versions: Specific vulnerable versions are not listed in the source. The flaw is present on any SAP NetWeaver Application Server Java instance on which the Visual Composer component is deployed and enabled, regardless of release.
- Configurations: Internet-facing SAP NetWeaver AS Java instances with Visual Composer enabled. Researchers estimate that 50-70% of internet-facing instances have the component enabled and are therefore exposed.
## Vulnerability Description
This is a critical zero-day flaw in the SAP Visual Composer component of SAP NetWeaver AS Java. The vulnerability is an unrestricted file upload: an unauthenticated remote attacker can upload arbitrary files to the server without any credentials, and the upload lands in a location the application server will serve and execute. In the observed attacks the uploaded files were JSP web shells, which the attacker then invokes over HTTP to run commands with the privileges of the AS Java process. The result is full Remote Code Execution (RCE) and total compromise of the host and of the SAP data it holds.
## Exploitation
- Status: **Exploited in the wild** (Widespread active exploitation observed by researchers at the time of reporting).
- Complexity: Low (no authentication, no user interaction; a crafted HTTP request to the exposed component suffices).
- Attack Vector: Network
## Impact
- Confidentiality: High (Allows full system compromise, leading to data exfiltration).
- Integrity: High (Allows attackers to alter system files and install persistent backdoors).
- Availability: High (an attacker with code execution on the host can stop or destroy the SAP instance and the business processes that depend on it).
## Remediation
### Patches
- SAP issued an **emergency patch** for the vulnerability on Thursday, 24 April 2025, two days after the Tuesday disclosure. The security note is published in SAP's April 2025 security-notes list; reading it requires SAP customer login credentials.
- Patching closes the upload path but does not remove web shells that were already dropped. Any instance that was internet-facing with Visual Composer enabled before it was patched should be treated as potentially compromised and hunted (see Detection) rather than assumed clean.
### Workarounds
- The source does not detail SAP-provided workarounds. Given active exploitation, immediate patching is the only complete fix. Where patching must be delayed: disable the Visual Composer component if the business does not use it, and block unauthenticated access to its upload endpoint at the reverse proxy or WAF in front of the instance. Treat both as stopgaps that reduce exposure until the patch is applied, not as substitutes for it.
## Detection
- **Indicators of Compromise (IoCs):** Unauthorized JSP web shells in web-served directories of the AS Java instance (the referenced ReliaQuest and Onapsis research reports them under the portal's servlet_jsp root), and unauthenticated HTTP POST requests to the Visual Composer upload endpoint in the access logs of the instance or of the proxy in front of it.
- **Detection Methods and Tools:** Threat hunters and security researchers are actively observing exploitation attempts. Organizations should review HTTP access logs for unauthenticated POSTs to the Visual Composer upload endpoint, check those same source addresses for follow-up requests to .jsp resources (the shell being used), and monitor the instance's web-served directories for newly created or modified JSP files. File-integrity monitoring on those directories and alerting on the AS Java process spawning shells or interpreters are the most direct ways to catch a web shell being dropped and then used.
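The following script is an added example, not code from the CyberScoop article or from SAP. It carries out the three checks above offline: it parses constructed access-log lines for accepted unauthenticated POSTs to the Visual Composer upload endpoint, pivots on the same source address to find follow-up requests for .jsp resources, and scans a directory standing in for the portal's JSP root for recently written files, grading each with a simple web-shell heuristic. The endpoint path is taken from the ReliaQuest and Onapsis write-ups referenced below; the log format, the time window and the web-shell heuristic are assumptions and must be adapted to the real instance.

```python
"""Added example (not SAP's code or the article's): hunt for CVE-2025-31324
exploitation artefacts offline, from access-log lines and from the portal's
JSP deployment directory."""
import os
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Assumption: the Visual Composer upload endpoint named in the ReliaQuest and
# Onapsis write-ups referenced at the end of this page.
UPLOAD_PATH = "/developmentserver/metadatauploader"

# Assumption: combined-log-format lines. AS Java's own HTTP access log differs;
# adapt the regex to the format your instance or your proxy actually writes.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
    r'(?: "[^"]*" "(?P<ua>[^"]*)")?$'
)

# Web-shell heuristic (an assumption, not a vendor signature): a request
# parameter reaching process execution or a file write inside a JSP.
PARAM_RE = re.compile(r'request\.getParameter\(')
SINK_RE = re.compile(r'Runtime\.getRuntime\(\)\.exec|ProcessBuilder|FileOutputStream')

SCAN_SINCE = datetime(2025, 1, 1, tzinfo=timezone.utc)  # tighten to your exposure window


def _parse(lines):
    for line in lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if m:  # lines in another format are skipped, not treated as errors
            yield m


def suspicious_uploads(lines):
    """Unauthenticated POSTs to the upload endpoint that the server accepted (2xx)."""
    hits = []
    for m in _parse(lines):
        path = m.group("target").split("?", 1)[0].lower()
        if (m.group("method") == "POST" and path.startswith(UPLOAD_PATH)
                and m.group("user") == "-" and m.group("status").startswith("2")):
            hits.append({"client": m.group("client"), "ts": m.group("ts"),
                         "path": m.group("target"), "status": m.group("status")})
    return hits


def followup_jsp_requests(lines, clients):
    """Requests for .jsp resources from clients that hit the uploader: the
    dropped shell being used."""
    return [{"client": m.group("client"), "ts": m.group("ts"), "path": m.group("target")}
            for m in _parse(lines)
            if m.group("client") in clients
            and m.group("target").split("?", 1)[0].lower().endswith(".jsp")]


def hunt_jsp(root, since=SCAN_SINCE):
    """(name, verdict) for every .jsp under root written at or after `since`."""
    cutoff = since.timestamp()
    out = []
    for p in sorted(Path(root).rglob("*.jsp")):
        if p.is_file() and p.stat().st_mtime >= cutoff:
            text = p.read_text(errors="replace")
            verdict = "webshell-like" if PARAM_RE.search(text) and SINK_RE.search(text) else "new-jsp"
            out.append((p.name, verdict))
    return out


# Constructed sample log (not real traffic): one accepted unauthenticated upload
# and a follow-up .jsp call from the same source, a legitimate portal request,
# and a rejected POST that must not be flagged.
SAMPLE_LOG = [
    '203.0.113.7 - - [24/Apr/2025:03:14:07 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 412 "-" "python-requests/2.31"',
    '198.51.100.5 - jdoe [24/Apr/2025:08:02:11 +0000] "GET /irj/portal HTTP/1.1" 200 9812 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [24/Apr/2025:03:14:09 +0000] "GET /irj/helper.jsp?cmd=id HTTP/1.1" 200 77 "-" "python-requests/2.31"',
    '198.51.100.9 - - [24/Apr/2025:09:00:00 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 401 0 "-" "curl/8.5"',
]


def make_sample_tree():
    """Constructed stand-in for the servlet_jsp root: a shell-like JSP, a benign
    new JSP, and an old JSP that must fall outside the time window."""
    root = Path(tempfile.mkdtemp(prefix="irj_root_"))
    (root / "helper.jsp").write_text('<% Runtime.getRuntime().exec(request.getParameter("cmd")); %>')
    (root / "index.jsp").write_text('<html>portal</html>')
    old = root / "old.jsp"
    old.write_text('<html>legacy</html>')
    os.utime(old, (0, 0))  # epoch mtime, predates SCAN_SINCE
    return str(root)


if __name__ == "__main__":
    uploads = suspicious_uploads(SAMPLE_LOG)
    print("uploads:", uploads)
    print("follow-ups:", followup_jsp_requests(SAMPLE_LOG, {h["client"] for h in uploads}))
    print("jsp scan:", hunt_jsp(make_sample_tree()))
```

On a real instance, point `hunt_jsp` at the directory the web shells were reported in and set `SCAN_SINCE` to the earliest date the instance was exposed with Visual Composer enabled; a hit from `suspicious_uploads` with no matching JSP on disk still warrants investigation, since an attacker who gained a shell may have removed it after establishing other persistence.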
## References
- Vendor Advisory: [support dot sap dot com/en/my-support/knowledge-base/security-notes-news/april-2025 dot html] (Requires login)
- Research: [reliaquest dot com/blog/threat-spotlight-reliaquest-uncovers-vulnerability-behind-sap-netweaver-compromise/]
- Research/Analysis: [onapsis dot com/blog/active-exploitation-of-sap-vulnerability-cve-2025-31324/]