Critical SAP NetWeaver Zero-Day Exploit: What You Need to Know

Discover the critical zero-day vulnerability in SAP NetWeaver, tracked as CVE-2025-31324, and its potential exploitation by initial access brokers. Learn how this flaw can compromise SAP environments and what steps have been taken to mitigate the risk.

TL;DR

A critical zero-day vulnerability (CVE-2025-31324) in SAP NetWeaver allows unauthenticated attackers to upload malicious files, potentially compromising thousands of internet-facing applications. SAP released a patch in April 2025, but the exploit highlights the ongoing risk to high-value targets.

Critical Zero-Day Vulnerability in SAP NetWeaver

Researchers have identified a severe zero-day vulnerability in SAP NetWeaver, tracked as CVE-2025-31324, with a CVSS score of 10/10. This flaw puts thousands of internet-facing applications at risk [1].

Vulnerability Details

The vulnerability stems from inadequate authorization checks in the SAP NetWeaver Visual Composer Metadata Uploader. This oversight allows unauthenticated attackers to upload and execute malicious files on the host system, leading to a full compromise of the SAP environment. SAP addressed this issue in its April 2025 Security Patch Day [2].

Discovery and Impact

Researchers from ReliaQuest uncovered this vulnerability while investigating multiple attacks, including those on fully patched systems. The discovery was detailed in their report, highlighting the critical nature of the flaw and the importance of applying the patch [3].

Exploitation Techniques

Attackers exploited the Metadata Uploader to deploy malicious JSP webshells using crafted POST requests, which were then executed via GET requests. These webshells, often named “helper.jsp” or “cache.jsp,” enabled remote command execution and persistent access. Tools like Brute Ratel and Heaven’s Gate were used to enhance stealth and control [4].

Potential Initial Access Broker Involvement

The delayed follow-up after initial access suggests the involvement of an initial access broker, who may be selling access to compromised systems on cybercriminal forums [5].

Expert Analysis

Experts noted similarities to past exploitation techniques, such as CVE-2017-9844, but assessed with high confidence that an unreported Remote File Inclusion (RFI) flaw in SAP NetWeaver was being used. Exploitation targets the /developmentserver/metadatauploader endpoint, which lets attackers upload and then execute malicious files remotely [6].
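As an added illustration, not code from the post or from ReliaQuest, the following Python flags the request pattern described above (a POST to the Metadata Uploader endpoint followed by a GET for a file named helper.jsp or cache.jsp) in web server access logs. The client addresses, the directory the shells sit in, and the log lines themselves are constructed samples.

```python
import re
from collections import defaultdict

# Endpoint and webshell file names are the ones named in the post; the client
# addresses, the /webapp/ directory and the log lines are constructed.
UPLOADER_PATH = "/developmentserver/metadatauploader"
WEBSHELL_NAMES = {"helper.jsp", "cache.jsp"}

SAMPLE_LOG = """\
203.0.113.7 - - [24/Apr/2025:10:01:02 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 512
203.0.113.7 - - [24/Apr/2025:10:01:09 +0000] "GET /webapp/helper.jsp HTTP/1.1" 200 84
198.51.100.4 - - [24/Apr/2025:10:02:30 +0000] "GET /index.html?lang=en HTTP/1.1" 200 2048
192.0.2.9 - - [24/Apr/2025:10:03:11 +0000] "GET /webapp/cache.jsp HTTP/1.1" 404 0
"""

# Common/Combined Log Format prefix: client, identd, user, [timestamp] "METHOD PATH PROTO" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return the fields of one access-log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # match on the path alone, not the query string
    rec["status"] = int(rec["status"])
    return rec

def detect(log_text):
    """Return (finding, client_ip, path) tuples: 'uploader_post' for any POST to the
    Metadata Uploader, 'webshell_request' for a request naming a reported webshell
    file (404 probes included), 'upload_then_execute' when the same client did both."""
    findings = []
    posted = defaultdict(bool)  # client IP -> has POSTed to the uploader in this log window
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, method, path = rec["ip"], rec["method"], rec["path"]
        if method == "POST" and path.lower() == UPLOADER_PATH:
            posted[ip] = True
            findings.append(("uploader_post", ip, path))
        elif path.rsplit("/", 1)[-1].lower() in WEBSHELL_NAMES:
            kind = "upload_then_execute" if posted[ip] else "webshell_request"
            findings.append((kind, ip, path))
    return findings
```

Any uploader_post on an unpatched system merits review on its own, since the endpoint accepts the upload without authentication; the upload_then_execute chain is the strongest signal that a shell was dropped and used.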

Additional Resources

For further insights, check:

References

  1. “CVE-2025-31324 Detail”. NVD. Retrieved 2025-04-25.

  2. “April 2025 Security Patch Day”. SAP Support. Retrieved 2025-04-25.

  3. “Threat Spotlight: ReliaQuest Uncovers Vulnerability Behind SAP NetWeaver Compromise”. ReliaQuest. Retrieved 2025-04-25.

  4. “Brute Ratel: Cracked Copy”. Security Affairs. Retrieved 2025-04-25.

  5. “Deutsche Bank Alleged Data Breach”. Security Affairs. Retrieved 2025-04-25.

  6. Security Affairs. Retrieved 2025-04-25.

This post is licensed under CC BY 4.0 by the author.