Active exploitation of significant flaw detected in SAP NetWeaver system
In a significant cybersecurity development, a critical vulnerability known as CVE-2025-31324 has been discovered in SAP NetWeaver Visual Composer. This vulnerability, which allows unauthenticated attackers to upload and execute arbitrary files on affected servers, is being actively exploited in the wild, posing a significant threat to government networks.
Researchers from Reliaquest first disclosed the vulnerability to SAP after discovering attackers uploading JSP webshells into publicly accessible directories. The severity score of the vulnerability is 10, underscoring its critical nature.
The Cybersecurity and Infrastructure Security Agency (CISA) is tracking the CVE as part of its standard process and has added it to its Known Exploited Vulnerabilities (KEV) catalog, marking it as a verified and ongoing threat due to widespread abuse. Security solutions such as Darktrace have observed exploitation attempts before and after public disclosure, indicating persistent targeting of vulnerable SAP NetWeaver systems.
The vulnerability allows an unauthenticated user to upload malicious executable binaries, potentially leading to remote code execution, data exfiltration, and lateral movement within enterprise and likely government networks. The implications are severe, as government networks often store highly sensitive data, including citizen information and state secrets, making them prime targets for attackers exploiting this vulnerability.
Onapsis Research Labs has identified over 10,000 internet-facing SAP applications at risk of breach due to the vulnerability. However, Onapsis estimates that only 50%-70% of these apps have the vulnerable component enabled and are likely already compromised. The vulnerable component is not enabled by default, so the exact number of affected systems is currently unknown.
Successful exploitation can disrupt core government processes managed by SAP systems, such as finance, HR, and logistics. Breaches involving government data can lead to regulatory non-compliance and severe reputational damage for the affected agencies.
In response to the vulnerability, SAP has issued an emergency patch for CVE-2025-31324, which was released on Thursday. A patch for the vulnerability will be available on April 30. SAP technology is widespread among government agencies, making it crucial for them to apply the patch as soon as possible to prevent compromise.
The Cybersecurity and Infrastructure Security Agency is working with the vendor and other partners to determine whether additional communications are necessary. In the meantime, agencies are advised to monitor their SAP systems closely for signs of exploitation and to apply the patch as soon as it becomes available.
In conclusion, CVE-2025-31324 is a critical vulnerability that is being actively exploited and poses a significant threat to government networks. Immediate patching and mitigation are strongly recommended to prevent compromise.
References:
[1] Onapsis Research Labs. (2025). Critical Unrestricted File Upload Vulnerability in SAP NetWeaver Visual Composer (CVE-2025-31324). Retrieved from https://www.onapsis.com/blog/critical-unrestricted-file-upload-vulnerability-in-sap-netweaver-visual-composer-cve-2025-31324
[2] ReliaQuest. (2025). Critical Unrestricted File Upload Vulnerability in SAP NetWeaver Visual Composer (CVE-2025-31324). Retrieved from https://www.reliaquest.com/resources/blog/critical-unrestricted-file-upload-vulnerability-in-sap-netweaver-visual-composer-cve-2025-31324
[3] Darktrace. (2025). Unrestricted File Upload Vulnerability in SAP NetWeaver Visual Composer (CVE-2025-31324). Retrieved from https://www.darktrace.com/threat-research/unrestricted-file-upload-vulnerability-in-sap-netweaver-visual-composer-cve-2025-31324/
[4] CISA. (2025). Known Exploited Vulnerability CVE-2025-31324. Retrieved from https://www.cisa.gov/uscert/ncas/alerts/aa25-213a
- The discovery of the critical vulnerability in SAP NetWeaver Visual Composer, CVE-2025-31324, highlights the need for increased vigilance in cybersecurity, particularly with regards to privacy and data protection, as the vulnerability can be exploited for data exfiltration and remote code execution.
- In our quest to safeguard technology against such threats, it is essential to stay updated with the latest cybersecurity developments, such as the ongoing exploitation of CVE-2025-31324, and to deploy necessary security solutions and patches promptly in government networks and beyond.
