Updated April 28, 22:00 BST with number compromised, comment from Nextron.

SAP NetWeaver customers are coming under widespread attack, as threat actors exploit a maximum criticality CVSS 10 vulnerability that has now been allocated CVE-2025-31324.

The vulnerability, which affects the platform’s visual composer, lets a remote and unauthenticated attacker upload malicious files directly to the system without authorisation. Gulp.

Analysts at security firm Nextron say that, as of April 28, over 1,100 compromised systems have had malicious webshells uploaded. These "predominantly belong to large enterprises and critical infrastructure operators", the company added.

(SAP describes Visual Composer as operating "on top of the SAP NetWeaver Portal, utilizing the portal's connector-framework interfaces to enable access to a range of data services, including SAP and third-party enterprise systems. In addition to accessing SAP Business Suite systems, users can access SAP NetWeaver Business Warehouse and any open/JDBC stored procedures...")

SAP vulnerability CVE-2025-31324

Attacks against NetWeaver (the application server platform on which many of SAP’s software offerings sit) were first spotted by security firm ReliaQuest on April 22 and patched by SAP on April 24.

ReliaQuest said: "In April 2025, ReliaQuest investigated multiple customer incidents, affecting the technology integration platform SAP NetWeaver, that involved unauthorized file uploads and the execution of malicious files. We discovered that attackers had uploaded 'JSP webshells' into publicly accessible directories, a move reminiscent of a remote file inclusion (RFI) vulnerability. Several affected systems were already running the latest SAP service pack and had applied patches."

The vulnerability involved in these cases lies in the /developmentserver/metadatauploader endpoint, a feature designed to handle metadata files for application development and configuration in SAP applications within the NetWeaver environment. In theory, it’s supposed to streamline the transfer and processing of files like configuration data or serialized objects. But in the incidents we investigated, attackers found a way to exploit it. Via carefully crafted POST requests, the attackers uploaded malicious JSP webshell files and wrote them to the j2ee/cluster/apps/sap.com/irj/servletjsp/irj/root/ directory. Once there, these files could be executed remotely via simple GET requests, giving attackers full control and turning this endpoint into a launchpad for exploitation. – ReliaQuest
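The sequence ReliaQuest describes (an accepted POST to the metadata uploader, followed by a GET for a .jsp under the portal root from the same source) is something a defender can look for in existing web access logs while waiting for a patch window. The script below is an added example written for this article, not code from ReliaQuest, SAP or any scanner vendor. It assumes Common Log Format lines, that the log is in chronological order, and uses constructed sample traffic with documentation-range IP addresses; the rule names and severities are this example's own.

```python
import re
from collections import defaultdict

# Endpoint named in the ReliaQuest write-up; only this path is matched.
UPLOADER_PATH = "/developmentserver/metadatauploader"
# JSP files served directly under /irj/, where the dropped shells were written.
JSP_UNDER_IRJ_RE = re.compile(r"^/irj/[^/?]+\.jsp(?:\?|$)", re.IGNORECASE)

# Common Log Format: ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+$'
)

# Constructed sample traffic (not real logs from any incident). Two sources:
# one whose upload is accepted and then fetches a .jsp, one whose POST is refused.
SAMPLE_LOG = """\
198.51.100.23 - - [22/Apr/2025:10:14:01 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 512
198.51.100.23 - - [22/Apr/2025:10:14:09 +0000] "GET /irj/helper.jsp HTTP/1.1" 200 88
203.0.113.7 - - [22/Apr/2025:11:02:44 +0000] "GET /irj/portal HTTP/1.1" 200 4096
203.0.113.7 - - [22/Apr/2025:11:03:10 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 403 0
"""


def parse_line(line):
    """Return a dict with ip/ts/method/path/status, or None for unparsable lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def analyze(log_text):
    """Scan access-log text and return a list of finding dicts.

    Rules (names are this example's own):
      uploader_post    - any POST to the metadata uploader; 'high' if the server
                         accepted it (2xx), 'medium' otherwise (still worth a look)
      jsp_after_upload - a GET for /irj/<name>.jsp from a source that earlier had
                         an accepted upload; 'critical'
      jsp_under_irj    - a GET for /irj/<name>.jsp with no prior upload; 'low'
    """
    findings = []
    accepted_uploads = defaultdict(list)  # ip -> timestamps of accepted POSTs
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        ip, method, path, status = rec["ip"], rec["method"], rec["path"], rec["status"]
        bare_path = path.split("?", 1)[0].lower()
        if method == "POST" and bare_path == UPLOADER_PATH:
            severity = "high" if 200 <= status < 300 else "medium"
            findings.append({"ip": ip, "rule": "uploader_post",
                             "severity": severity, "ts": rec["ts"], "line": raw})
            if severity == "high":
                accepted_uploads[ip].append(rec["ts"])
        elif method == "GET" and JSP_UNDER_IRJ_RE.match(path):
            if ip in accepted_uploads:
                rule, severity = "jsp_after_upload", "critical"
            else:
                rule, severity = "jsp_under_irj", "low"
            findings.append({"ip": ip, "rule": rule, "severity": severity,
                             "ts": rec["ts"], "line": raw})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f['severity']:8}] {f['rule']:17} {f['ip']:15} {f['line']}")
```

Because the correlation keys on source IP, a proxy or load balancer in front of NetWeaver will collapse every client into one address; in that case log the X-Forwarded-For header and key on it instead. A 403 on the uploader is not evidence of compromise, but after SAP's fix it is a useful signal that someone is probing.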

The enterprise resource planning (ERP) firm, which has a market capitalisation of $319 billion, has hidden its security notes behind a registration page for customers.

But the CVE description shows that “SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries that could severely harm the host system. This could significantly affect the confidentiality, integrity, and availability of the targeted system.”

ReliaQuest noted that SAP systems are “often used by government agencies, meaning that successful compromise of SAP vulnerabilities is likely to facilitate access to government-related networks and information [and] as SAP solutions are often deployed on-premises, security measures for these systems are left to users; updates and patches that are not applied promptly are likely to expose these systems to greater risk…”

Attack surface management firm watchTowr said: “This isn’t a theoretical threat - it’s happening right now. watchTowr is seeing active exploitation by threat actors, who are using this vulnerability to drop web shell backdoors onto exposed systems and gain further access. This active in-the-wild exploitation and widespread impact makes it incredibly likely that we’ll soon see prolific exploitation by multiple parties. If you thought you had time, you don’t. SAP has issued a fix, hidden behind customer authentication walls as SAP Security Note 3594142. If you’re running an affected instance, patch it yesterday,” CEO Benjamin Harris added.

Nextron's Florian Roth told The Stack that over 1,100 systems have been identified as compromised: "Not just HTTP 200 OKs, but active shells were confirmed. Initially, we thought the compromise was limited to systems hosting the two known webshells (helper.jsp, cache.jsp). However, when reviewing the Onapsis report and their open-source scanner, we noticed a third webshell (nzwcnktc.jsp) — a randomly named file.

"This suggests the presence of other unknown shells dropped by potentially different threat actors. We believe this is primarily initial access broker activity — attackers gaining access, planting shells or backdoors, and later selling that access in underground forums. Because of the random naming, external scanning is insufficient: you can only detect systems hosting the known webshell names. That’s why we strongly recommend running local compromise assessments [and] scanning the system itself using tools like THOR Lite or THOR Cloud Lite (both free). These scans can detect webshells based on content, not just file names. We really just want to help orgs understand the exposure and detect compromises early."
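Roth's point is that a file list matched against helper.jsp, cache.jsp and nzwcnktc.jsp misses anything with a fresh random name, so a local check has to read file contents. The script below is an added example illustrating that content-based approach; it is not THOR, the Onapsis scanner or any vendor's code, and its indicator list and weights are this example's own heuristics. It assumes it is pointed at the servlet root directory ReliaQuest names (irj/root) and builds a constructed fixture tree, whose files merely reference process-spawning APIs without executing anything, so that it runs offline.

```python
import hashlib
import os
import re
import shutil
import tempfile

# Names reported in the article; matching on these alone is the gap Roth describes.
KNOWN_SHELL_NAMES = {"helper.jsp", "cache.jsp", "nzwcnktc.jsp"}

# Content indicators (this example's own list): Java APIs a JSP served from a
# portal's static root has no legitimate reason to touch. Weights are heuristic.
INDICATORS = [
    (re.compile(r"Runtime\.getRuntime\(\)"), 3, "runtime_handle"),
    (re.compile(r"\.exec\s*\("), 3, "process_exec"),
    (re.compile(r"new\s+ProcessBuilder\s*\("), 4, "process_builder"),
    (re.compile(r"request\.getParameter\s*\("), 1, "request_param"),
    (re.compile(r"Base64\.getDecoder\(\)\s*\.decode"), 2, "base64_decode"),
    (re.compile(r"defineClass\s*\("), 4, "define_class"),
    (re.compile(r"new\s+FileOutputStream\s*\("), 2, "file_write"),
]
ALERT_THRESHOLD = 4  # a single spawn primitive is enough to flag


def scan_file(path):
    """Return name, sha256, known-name hit, matched indicators and total score."""
    with open(path, "rb") as fh:
        data = fh.read()
    text = data.decode("utf-8", errors="replace")
    hits = [name for rx, _w, name in INDICATORS if rx.search(text)]
    score = sum(w for rx, w, _n in INDICATORS if rx.search(text))
    base = os.path.basename(path)
    return {
        "path": path,
        "name": base,
        "sha256": hashlib.sha256(data).hexdigest(),
        "known_name": base.lower() in KNOWN_SHELL_NAMES,
        "indicators": hits,
        "score": score,
    }


def scan_tree(root):
    """Walk root and return findings for every .jsp that is either a known
    shell name or scores at or above ALERT_THRESHOLD on content."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(".jsp"):
                continue
            rec = scan_file(os.path.join(dirpath, fn))
            if rec["known_name"] or rec["score"] >= ALERT_THRESHOLD:
                findings.append(rec)
    return sorted(findings, key=lambda r: r["name"])


def build_sample_tree():
    """Constructed fixture (not real webshells): a benign page, a known-name
    file with bland content, and a randomly named file that references
    process-spawning APIs without starting any process. Returns the root."""
    root = tempfile.mkdtemp(prefix="irj_root_")
    fixtures = {
        "portal.jsp": '<%@ page language="java" %>\n'
                      '<html><body>Hello <%= session.getAttribute("user") %></body></html>\n',
        "helper.jsp": '<%-- constructed fixture, not a working shell --%>\n'
                      '<% String q = request.getParameter("q"); %>\n',
        "xq7v2k.jsp": '<%-- constructed fixture, not a working shell --%>\n'
                      '<% Object r = Runtime.getRuntime(); String q = request.getParameter("q");\n'
                      '   Object pb = new ProcessBuilder("true"); /* never started */ %>\n',
    }
    for name, body in fixtures.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


def cleanup(root):
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    root = build_sample_tree()
    try:
        for f in scan_tree(root):
            why = "known name" if f["known_name"] else "content"
            print(f"{f['name']:12} score={f['score']:2} ({why}) {','.join(f['indicators'])} {f['sha256'][:16]}")
    finally:
        cleanup(root)
```

The randomly named fixture is caught purely on content, while the known-name file is caught regardless of how bland it looks; a real assessment should record the sha256 of anything flagged before touching it and compare file modification times against the April 22 timeframe in the article. Expect some false positives from legitimate administrative JSPs, which is why the output carries the matched indicators rather than a bare verdict.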
