400+ SAP NetWeaver Devices Vulnerable to 0-Day Attacks Exploited in the Wild


Apr 28, 2025 - 03:44

The Shadowserver Foundation has identified 454 SAP NetWeaver systems vulnerable to a critical zero-day vulnerability that has been actively exploited in the wild.

The vulnerability, tracked as CVE-2025-31324, allows unauthenticated attackers to upload malicious files to affected systems, potentially leading to complete system compromise.

The critical flaw, which carries the maximum CVSS severity score of 10.0, affects the Metadata Uploader component of SAP NetWeaver Visual Composer. Discovered in April 2025 by ReliaQuest security researchers during incident response activities, the vulnerability had already been weaponized in attacks against organizations running even fully patched SAP installations.

The vulnerability lies in the “/developmentserver/metadatauploader” endpoint, which lacks proper authorization checks, allowing attackers to upload JSP webshells into publicly accessible directories.

Attack Methodology

The exploitation technique leverages a missing authorization check in the Metadata Uploader component, enabling attackers to upload potentially malicious executable files without authentication. This vulnerability is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type).
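To make the CWE-434 pattern concrete, here is an added example (not SAP's code and not the Visual Composer endpoint itself) of a generic upload handler in the shape the article describes, placed next to a hardened version. The request model, the role name, the directory paths and the allowed extensions are assumptions made for illustration; neither function writes to disk, it only returns the decision it would take.

```python
import posixpath
from dataclasses import dataclass

# Hypothetical request model for a file-upload endpoint (constructed for this example).
@dataclass
class UploadRequest:
    authenticated: bool   # did the web container establish a user session?
    role: str             # role bound to that session, "" if none
    filename: str         # client-supplied file name, possibly with path components
    content: bytes

WEBROOT = "/srv/www/public"        # served directly by the web server (assumed path)
UPLOAD_STORE = "/srv/app/uploads"  # readable by the application only (assumed path)
ALLOWED_EXT = {".xml", ".json"}    # what a metadata uploader legitimately needs (assumption)

def handle_upload_vulnerable(req):
    """CWE-434 shape: no authentication or authorization check, no type
    restriction, and the file lands under the web root, so an uploaded .jsp
    is executable by anyone who can request it afterwards."""
    dest = posixpath.join(WEBROOT, posixpath.basename(req.filename))
    return ("accepted", dest)

def handle_upload_hardened(req):
    """Fail closed: authenticate, authorize, validate the name and type, and
    store outside the web root so nothing uploaded can ever be executed."""
    if not req.authenticated:
        return ("rejected", "401 authentication required")
    if req.role != "metadata-admin":          # role name is an assumption
        return ("rejected", "403 role not authorized")
    name = posixpath.basename(req.filename)   # discard client-supplied directories
    if not name or name.startswith("."):
        return ("rejected", "400 invalid file name")
    ext = posixpath.splitext(name)[1].lower()
    if ext not in ALLOWED_EXT:
        return ("rejected", f"415 file type {ext or '(none)'} not permitted")
    return ("accepted", posixpath.join(UPLOAD_STORE, name))
```

The order of checks matters: identity and authorization are decided before the file name is even looked at, so an attacker cannot learn anything about the validation rules without a valid session, and storing outside the web root means a type-check bypass still does not yield code execution.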

Security researchers note that in some observed attacks, threat actors employed sophisticated post-exploitation tools, including the Brute Ratel C4 framework, and evasion techniques such as Heaven’s Gate to bypass endpoint protection measures.

The vulnerability affects SAP NetWeaver Visual Composer, which is not installed by default but is present in approximately 50-70% of Java systems, according to research from Onapsis. Once compromised, affected systems can be used to deploy additional malware, establish persistent access, and exfiltrate sensitive data.

“The vulnerability is particularly dangerous because it requires no authentication, is relatively straightforward to execute, requires no user interaction, and potentially gives attackers full control over the affected system,” Vahagn Vardanian of RedRays explained.

Mitigations

SAP released an emergency patch on April 24, 2025, through Security Note 3594142, outside of its regular patch cycle. Organizations are strongly encouraged to apply this patch immediately or implement the temporary workaround described in SAP Note 3593336 if patching is not immediately feasible.

To determine if your systems are vulnerable:

  • Test if the URL path “/developmentserver/metadatauploader” is accessible without authentication
  • Review web server logs for unauthorized access attempts to this endpoint
  • Check for unexpected file uploads in web server logs
  • Monitor for unauthorized outbound connections from SAP systems
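One way to run the log-review checks above, as an added example that is not part of the original article or of SAP's own tooling. It assumes Apache/NGINX combined log format (SAP ICM or Java access logs carry the same fields in a different layout, so the regular expression would need adapting), treats any request to the metadata uploader as a probe, any POST to it as an upload attempt, and escalates a successful request for an unknown .jsp to CRITICAL when the same source IP posted to the uploader earlier in the log. The sample log lines are constructed, not real traffic.

```python
import re
from dataclasses import dataclass

# Endpoint named in the article as the one CVE-2025-31324 exposes.
VULN_ENDPOINT = "/developmentserver/metadatauploader"

# Apache/NGINX combined log format is assumed; adapt for SAP ICM/Java access logs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

@dataclass
class Finding:
    severity: str
    ip: str
    timestamp: str
    detail: str

def parse_line(line):
    """Return a dict of fields for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Drop the query string and normalise case so path variants still match.
    rec["path"] = rec["path"].split("?", 1)[0].lower()
    return rec

def analyze(lines, known_jsp=frozenset()):
    """Flag uploader probes, upload attempts and follow-on JSP requests.

    known_jsp: JSP paths that belong to the legitimate application (assumption:
    you maintain such an allowlist). Any other JSP returning 200 is suspicious,
    and CRITICAL if the same source IP POSTed to the uploader earlier in the log.
    """
    findings = []
    uploaders = set()  # source IPs that have POSTed to the uploader
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        ip, path, method, status = rec["ip"], rec["path"], rec["method"], rec["status"]
        if path == VULN_ENDPOINT:
            if method == "POST":
                uploaders.add(ip)
                # 200 means the server accepted the body; 401/403 means the patch or
                # workaround rejected it but someone is still trying.
                sev = "HIGH" if status == 200 else "MEDIUM"
                findings.append(Finding(sev, ip, rec["ts"], f"POST to metadata uploader returned {status}"))
            else:
                findings.append(Finding("LOW", ip, rec["ts"], f"{method} probe of metadata uploader returned {status}"))
        elif path.endswith(".jsp") and status == 200 and path not in known_jsp:
            sev = "CRITICAL" if ip in uploaders else "MEDIUM"
            findings.append(Finding(sev, ip, rec["ts"], f"request for unknown JSP {path} succeeded"))
    return findings

# Constructed sample log, not real traffic: one source probes, uploads, then
# requests a JSP; a second source only browses the portal; a third is blocked.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Apr/2025:10:02:11 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 200 512
203.0.113.7 - - [25/Apr/2025:10:02:15 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 0
203.0.113.7 - - [25/Apr/2025:10:02:30 +0000] "GET /irj/example-constructed.jsp HTTP/1.1" 200 88
198.51.100.4 - - [25/Apr/2025:10:05:00 +0000] "GET /irj/portal HTTP/1.1" 200 4096
198.51.100.9 - - [25/Apr/2025:10:06:00 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 403 0
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG.splitlines()):
        print(f"{f.severity:8} {f.ip:15} {f.timestamp}  {f.detail}")
```

Run it over a real access log with `analyze(open(path).read().splitlines(), known_jsp=...)`; the LOW findings are the ones to compare against the unauthenticated-access test in the first bullet, since a 200 on a GET from an unknown source is itself evidence the endpoint is reachable without a session.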

Security experts recommend treating this as a highest-priority security update and implementing the provided patches as soon as possible. For organizations unable to patch immediately, implementing the recommended workarounds and enhanced monitoring is crucial to minimize risk exposure.

Organizations using SAP systems are advised to implement proper security monitoring and maintain regular patching schedules to minimize future exposure to similar threats.


The post 400+ SAP NetWeaver Devices Vulnerable to 0-Day Attacks Exploited in the Wild appeared first on Cyber Security News.