
A critical security vulnerability in SAP NetWeaver is under active exploitation, posing a significant threat to organizations worldwide. The Cybersecurity and Infrastructure Security Agency (CISA) has added this flaw to its Known Exploited Vulnerabilities Catalog, emphasizing the urgency for immediate action.
Tracked as CVE-2025-31324 and assigned a maximum severity score of 10.0, the vulnerability is an unrestricted file upload issue within the SAP NetWeaver Visual Composer’s Metadata Uploader component. This flaw allows attackers to upload malicious executable files without needing to authenticate, which can lead to remote code execution and complete compromise of affected systems.
Security researchers at ReliaQuest have reported active exploitation of this vulnerability in the wild. Attackers are leveraging the /developmentserver/metadatauploader endpoint to upload JSP webshells to publicly accessible directories. This enables them to execute commands from a browser, manage files, and perform other malicious actions.
In some cases, attackers have been observed deploying sophisticated post-exploitation tools and techniques, including the ‘Brute Ratel’ red team tool, the ‘Heaven’s Gate’ security bypassing technique, and the injection of MSBuild-compiled code into dllhost.exe for stealth.
Reports indicate that the exploited vulnerability is a zero-day, meaning it was exploited before a patch was available, and that compromised systems were fully patched. Furthermore, a significant number of SAP NetWeaver servers are exposed to the internet, creating a large attack surface. The Shadowserver Foundation has identified 427 exposed servers, highlighting the potential for severe repercussions. Vulnerable systems are located across the globe, with a high concentration in the United States.
To address this critical risk, SAP has released out-of-band emergency updates. Applying these updates according to the vendor’s instructions is the primary recommendation.
Organizations unable to apply the patch immediately should implement the following mitigations:
- Restrict access to the /developmentserver/metadatauploader endpoint.
- Disable Visual Composer if it is not being used.
- Forward logs to a Security Information and Event Management (SIEM) system and scan for unauthorized files in the servlet path.
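As an added illustration of the last mitigation, the following example (written for this page, not SAP's tooling and not the scanner referred to in the article) shows the two checks a SIEM rule or a host job would make: flagging access-log requests to the /developmentserver/metadatauploader endpoint, with unauthenticated POSTs ranked first, and diffing the .jsp files under a servlet root against a known-good baseline. The log line format, the directory layout and the sample data are constructed assumptions; SAP's own HTTP log format and install paths differ and would need to be substituted.

```python
"""Constructed detection helpers for the SAP NetWeaver Metadata Uploader
issue (CVE-2025-31324). Example code for this page, not SAP's or ReliaQuest's;
log format, paths and sample data are assumptions."""
import os
import re
import shutil
import tempfile

# Endpoint named in the article as the one abused for uploads.
UPLOADER_PATH = "/developmentserver/metadatauploader"

# Assumed access-log shape (generic combined-style format, not SAP's own):
#   <client> - <user> [<time>] "<method> <path> <proto>" <status> <bytes>
LOG_RE = re.compile(
    r'^(?P<client>\S+) - (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)$'
)

# Constructed sample log lines: one unauthenticated POST to the uploader,
# one benign portal request, one uploader request by a logged-in user,
# and one malformed line that the parser must skip.
SAMPLE_LOG = [
    '203.0.113.7 - - [25/Apr/2025:10:14:03 +0000] '
    '"POST /developmentserver/metadatauploader?CONTENTTYPE=MODEL&CLIENT=1 HTTP/1.1" 200 512',
    '198.51.100.9 - jdoe [25/Apr/2025:10:15:10 +0000] "GET /irj/portal HTTP/1.1" 200 2048',
    '198.51.100.9 - vcadmin [25/Apr/2025:10:16:41 +0000] '
    '"POST /developmentserver/metadatauploader HTTP/1.1" 200 512',
    'not a log line at all',
]


def find_uploader_requests(lines):
    """Return one record per request whose path is the Metadata Uploader
    endpoint. unauthenticated_post marks the records to triage first."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        path = m.group("path").split("?", 1)[0]
        if not path.lower().startswith(UPLOADER_PATH):
            continue
        hits.append({
            "client": m.group("client"),
            "user": m.group("user"),
            "method": m.group("method"),
            "path": path,
            "status": int(m.group("status")),
            "unauthenticated_post": m.group("method") == "POST" and m.group("user") == "-",
        })
    return hits


def find_unexpected_jsp(servlet_root, baseline):
    """Walk servlet_root and return .jsp files (relative paths) that are not in
    the baseline set. The baseline comes from a known-good install or a prior
    inventory; anything new under a web-served path deserves a look."""
    found = []
    for dirpath, _, filenames in os.walk(servlet_root):
        for name in filenames:
            if name.lower().endswith(".jsp"):
                rel = os.path.relpath(os.path.join(dirpath, name), servlet_root)
                if rel not in baseline:
                    found.append(rel)
    return sorted(found)


def demo_jsp_scan():
    """Build a throwaway servlet tree (constructed; layout is an assumption),
    seed one expected and one unexpected .jsp, and return what the scan flags."""
    root = tempfile.mkdtemp(prefix="servlet_demo_")
    try:
        web_dir = os.path.join("irj", "servlet_jsp", "irj", "root")
        os.makedirs(os.path.join(root, web_dir))
        expected = os.path.join(web_dir, "index.jsp")
        unexpected = os.path.join(web_dir, "helper.jsp")
        for rel in (expected, unexpected):
            with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
                fh.write("<%-- constructed placeholder --%>\n")
        return find_unexpected_jsp(root, {expected})
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for hit in find_uploader_requests(SAMPLE_LOG):
        flag = "TRIAGE" if hit["unauthenticated_post"] else "review"
        print(f"{flag}: {hit['client']} {hit['method']} {hit['path']} user={hit['user']}")
    print("unexpected jsp:", demo_jsp_scan())
```

In a real deployment the log parser would read from the forwarded log stream and the baseline set would be generated once from a clean system, then re-checked on a schedule; a hit on an unauthenticated POST to the uploader combined with a new .jsp under the servlet path is the pairing that most strongly suggests the activity described above.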
A scanner tool for CVE-2025-31324 is also available to help organizations identify vulnerable systems within their environments.
Federal Civilian Executive Branch (FCEB) agencies are strongly urged to apply the necessary patches for SAP NetWeaver by May 20, 2025.