SAP NetWeaver Flaw Scores 10.0 Severity as Hackers Deploy Web Shells

A critical vulnerability (CVE-2025-31324) in SAP NetWeaver Visual Composer puts systems at risk of full compromise. Learn how to check if your SAP Java systems are affected and the immediate steps to take.
A serious security vulnerability, identified as CVE-2025-31324, was discovered in SAP NetWeaver’s Visual Composer development server. This critical issue, scoring a perfect 10.0 in severity, stems from a missing authorization check, and it is being actively exploited, according to a report from Onapsis Threat Intelligence.
Research indicates that the vulnerable component is present on between 50% and 70% of existing SAP NetWeaver Application Server Java systems, even though it is not installed by default.
Reportedly, the vulnerability, first documented by ReliaQuest, exists in the “developmentserver” part of SAP Visual Composer, a component of SAP NetWeaver 7.xx designed to let users build business tools without writing code.
The problem occurs because the system does not properly check whether someone accessing the Metadata Uploader feature is actually allowed to do so. This lack of proper authentication and authorization allows unauthenticated users to reach powerful functions.
On April 22nd, ReliaQuest observed suspicious activity on patched SAP NetWeaver servers, suggesting attackers might have been using a different, unknown vulnerability. On the same day, SAP acknowledged unusual files being found on SAP NetWeaver Java systems, as described in their knowledge base article SAP KBA 3593336. On April 24th, SAP released a FAQ document (SAP Note 3596125) confirming that files with extensions like ‘.jsp’, ‘.java’, or ‘.class’ found in specific folders like …\irj\root, …\irj\work, and …\irj\work\sync are likely malicious.
Finally, on April 24th, SAP officially announced CVE-2025-31324, clearly stating it was due to a “Missing Authorization check in SAP NetWeaver (Visual Composer development server)”. They confirmed that the root cause is a lack of proper permission checks, allowing unauthorized individuals to upload dangerous executable files, and released an out-of-band emergency NetWeaver update.
This flaw, classified as a Missing Authorization issue (CWE-862) or Missing Authentication for Critical Function (CWE-306), poses a significant risk of system takeover if exploited, which is why it has earned the highest severity score.
It can be exploited remotely over standard web protocols (HTTP/HTTPS). Security experts have observed attackers targeting a specific web path, /developmentserver/metadatauploader, with specially crafted requests; since no login or authentication is needed to carry out an attack, anyone, even without an account, can interact with the vulnerable component and upload arbitrary files.
According to Onapsis’s blog post, web shells named “helper.jsp” or “cache.jsp” are already being uploaded, allowing attackers to execute commands with the high-level privileges of the SAP administrator operating system user (<sid>adm) and obtain full control over SAP resources.
“Threat actors have been observed uploading web shells to vulnerable systems. These webshells allow the threat actor to execute arbitrary commands in the system context, with the privileges of the adm Operating System user, giving them full access to all SAP Resources.”
Juan Perez-Etchegoyen – CTO at Onapsis
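As an added illustration (not code from the article, SAP, Onapsis, ReliaQuest or watchTowr), the Python script below turns the indicators named above into two defender-side checks: it flags access-log requests to the /developmentserver/metadatauploader endpoint or to the reported web shell file names, and it lists .jsp/.java/.class files sitting directly in the irj/root, irj/work and irj/work/sync folders that SAP Note 3596125 describes as likely malicious. The access-log format, the sample log lines and the sample directory tree are constructed assumptions for the demo; SAP's actual HTTP log layout and the absolute location of the irj directory on a real system will differ.

```python
"""Detection helpers for the CVE-2025-31324 indicators named in the article.

Added illustration, not code from SAP, Onapsis, ReliaQuest or watchTowr. The log
format, sample lines and sample files are constructed; only the endpoint path,
folder names, extensions and web shell names come from the article.
"""
import re
import tempfile
from pathlib import Path

VULN_PATH = "/developmentserver/metadatauploader"        # endpoint named in the article
SUSPICIOUS_EXT = {".jsp", ".java", ".class"}             # per SAP Note 3596125 as quoted
WATCH_DIRS = ("irj/root", "irj/work", "irj/work/sync")   # folders named in the article
KNOWN_SHELL_NAMES = {"helper.jsp", "cache.jsp"}          # names reported by Onapsis

# Assumption: a Common Log Format style access log. Real SAP HTTP logs may differ.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines using RFC 5737 documentation addresses; not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [24/Apr/2025:10:14:01 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 512',
    '198.51.100.3 - - [24/Apr/2025:10:14:05 +0000] "GET /irj/portal HTTP/1.1" 200 8231',
    '203.0.113.7 - - [24/Apr/2025:10:14:09 +0000] "GET /irj/root/helper.jsp HTTP/1.1" 200 64',
    '192.0.2.10 - - [24/Apr/2025:10:15:00 +0000] "GET /DevelopmentServer/MetadataUploader/ HTTP/1.1" 404 0',
    'garbage line that does not parse',
]


def scan_access_log(lines):
    """Return one finding per request that touches the vulnerable endpoint or a known web shell name."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the sweep
        path = m.group("path").split("?", 1)[0].lower()  # drop query string, compare case-insensitively
        reason = None
        if path.startswith(VULN_PATH):
            # No authentication is required on this endpoint, so every request to it
            # deserves review regardless of status code (a 404 may still be a probe).
            reason = "metadatauploader request"
        elif path.rsplit("/", 1)[-1] in KNOWN_SHELL_NAMES:
            reason = "known web shell name requested"
        if reason:
            findings.append({"ip": m.group("ip"), "method": m.group("method"),
                             "path": m.group("path"), "status": int(m.group("status")),
                             "reason": reason})
    return findings


def scan_irj_folders(app_root):
    """List files with suspicious extensions directly inside the irj folders named by SAP."""
    root = Path(app_root)
    findings = []
    for rel in WATCH_DIRS:
        folder = root / rel
        if not folder.is_dir():
            continue
        for p in sorted(folder.iterdir()):  # non-recursive, so irj/work/sync is not counted twice
            if p.is_file() and p.suffix.lower() in SUSPICIOUS_EXT:
                findings.append({"path": p.relative_to(root).as_posix(),
                                 "known_shell_name": p.name.lower() in KNOWN_SHELL_NAMES})
    return findings


def build_sample_tree(base):
    """Create a constructed irj layout with two planted files and one benign file for the demo."""
    base = Path(base)
    for rel in WATCH_DIRS:
        (base / rel).mkdir(parents=True, exist_ok=True)
    (base / "irj/root/helper.jsp").write_text("<%-- constructed placeholder, no payload --%>")
    (base / "irj/work/sync/x.class").write_bytes(b"\xca\xfe\xba\xbe")  # Java class magic only
    (base / "irj/root/readme.txt").write_text("benign")
    return base


def demo_files():
    """Run the folder scan against a throwaway constructed tree and return its findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_irj_folders(build_sample_tree(tmp))


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print("LOG ", f)
    for f in demo_files():
        print("FILE", f)
```

On a real system, point scan_irj_folders at the directory that contains the irj application folder and feed scan_access_log the relevant HTTP access log; a hit on the endpoint is not proof of compromise on its own, but the article's guidance is that any file with these extensions in those folders should be treated as malicious until proven otherwise.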
SAP urges customers to promptly assess their risk by checking their Java systems for the presence and version of the VCFRAMEWORK component (especially if it is older than 7.5, or is 7.0 with a support package below 16); the vulnerable component may not be present in basic Java stack or default Solution Manager installations. Applying the official fix is the only way to mitigate this risk.
Benjamin Harris, CEO of Attack Surface Management firm watchTowr, warned that unauthenticated attackers are actively exploiting a vulnerability in SAP NetWeaver to upload arbitrary files, leading to full system compromise.
“This isn’t theoretical, it’s happening now,” Harris said, noting that attackers are planting web shell backdoors to deepen their access. He urged immediate patching via SAP Security Note 3594142, emphasizing, “If you thought you had time, you don’t.” Harris added that watchTowr clients were alerted to exposures within 12 hours, thanks to the platform’s rapid detection capabilities.
HackRead