Critical Zero-Day Vulnerability in SAP NetWeaver Under Active Exploitation
Earlier this week, a critical zero-day vulnerability was disclosed in the Visual Composer component of the SAP NetWeaver application server. The urgency of the situation has prompted SAP to issue an out-of-band fix, now available through its support portal. Applying this patch immediately is essential, especially for systems directly reachable from the internet.
“Attackers without authentication can exploit inherent functionalities to upload arbitrary files to an SAP NetWeaver instance, leading to complete remote code execution and a total takeover of the system,” stated Benjamin Harris, CEO of cybersecurity firm WatchTowr, during an interview. “This threat is not speculative; it is currently being exploited. Our team is witnessing active attacks as malicious actors deploy web shell backdoors on vulnerable systems to escalate their access,” he elaborated.
The vulnerability is tracked as CVE-2025-31324 and carries the maximum CVSS severity rating of 10. The corrective update is described in SAP Security Note 3594142 (authentication required). Where the fix cannot be applied immediately, customers are advised to restrict access to the vulnerable component, as outlined in SAP Note 3596125. Researchers at Onapsis have also published analysis underscoring the need for prompt action on this advisory.
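The article describes the attack chain at a high level: an unauthenticated file upload, followed by a web shell that gives the attacker code execution. A defender who cannot patch immediately will want to know whether such a file has already landed. The following script is an added example written for this page; it is not from the article, from SAP or from WatchTowr. It walks a deployment directory, keeps only server-side script files modified after a known-good baseline, and flags those containing command-execution indicators. The directory layout, file extensions and indicator strings are assumptions chosen for illustration, not SAP-specific paths; the sample tree it builds is constructed data, not a real artefact.

```python
"""Hunt for web-shell-like files under an application server's deployment tree.

Added example, not code from the article or from SAP. The scanned root,
the extensions and the indicator patterns below are assumptions; adapt them
to the real deployment directory of the system being checked.
"""
import os
import re
import tempfile
import time
from dataclasses import dataclass, field

# Server-side script types that the application server would execute on request.
# Assumed list for illustration; extend for the platform in question.
SCRIPT_EXTENSIONS = {".jsp", ".jspx"}

# Indicators of OS command execution or dynamic class loading inside a page.
# These are the signatures a detection rule would typically carry.
INDICATORS = [
    re.compile(r"Runtime\.getRuntime\(\)\.exec"),
    re.compile(r"ProcessBuilder"),
    re.compile(r"defineClass"),
]


@dataclass
class Finding:
    path: str
    mtime: float
    indicators: list = field(default_factory=list)


def scan_tree(root, newer_than, max_bytes=1_000_000):
    """Return Findings for script files under `root` modified after `newer_than`
    (a POSIX timestamp) that match at least one indicator pattern."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in SCRIPT_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            # Files older than the last known-good deployment are out of scope;
            # very large files are skipped to keep the scan cheap.
            if st.st_mtime < newer_than or st.st_size > max_bytes:
                continue
            with open(path, "rb") as fh:
                text = fh.read().decode("utf-8", errors="replace")
            hits = [p.pattern for p in INDICATORS if p.search(text)]
            if hits:
                findings.append(Finding(path, st.st_mtime, hits))
    return findings


def build_sample_tree():
    """Construct a sample deployment tree (constructed data, not a real capture):
    one old benign page and one recently written file carrying an indicator.
    Returns the root and the baseline timestamp to scan from."""
    root = tempfile.mkdtemp(prefix="deploy_")
    baseline = time.time() - 3600  # pretend the last good deploy was an hour ago

    benign = os.path.join(root, "index.jsp")
    with open(benign, "w") as fh:
        fh.write("<html><body><%= new java.util.Date() %></body></html>\n")
    old = baseline - 86400
    os.utime(benign, (old, old))  # predates the baseline, so it is ignored

    uploads = os.path.join(root, "uploads")
    os.mkdir(uploads)
    suspect = os.path.join(uploads, "helper.jsp")
    with open(suspect, "w") as fh:
        # Indicator string only; `cmd` is undefined, so this is not a working page.
        fh.write("<% Runtime.getRuntime().exec(cmd); %>\n")
    return root, baseline


if __name__ == "__main__":
    sample_root, since = build_sample_tree()
    for f in scan_tree(sample_root, since):
        print(f"{time.ctime(f.mtime)}  {f.path}  matched: {', '.join(f.indicators)}")
```

In practice the baseline timestamp comes from the last legitimate deployment or patch window, and any hit should be treated as a triage lead rather than proof of compromise: the file's origin, owner and the corresponding upload request in the server logs decide whether it is an intrusion.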
Source: www.csoonline.com