SAP has issued an urgent out-of-band patch to combat CVE-2025-31324, a severe zero-day vulnerability discovered within its NetWeaver platform. This vulnerability has been actively targeted by threat actors, prompting professional advisories for rapid patch deployment.
"Organizations are strongly encouraged to apply patches as soon as possible," stated SAP representatives, emphasizing the critical nature of the situation.
"Organizations are strongly encouraged to apply patches as soon as possible,"
The vulnerability first came to light on April 22, when ReliaQuest reported findings related to exploit activity on SAP NetWeaver servers. Initially, it was uncertain whether the exploit represented a new threat or was linked to an older vulnerability, CVE-2017-9844, which can lead to denial-of-service (DoS) or arbitrary code execution.
"ReliaQuest reported their findings to SAP, and on April 24, SAP disclosed CVE-2025-31324 as a missing authorization check vulnerability, receiving a maximum CVSS score of 10.0," according to SAP's security announcements. Following this, on May 13, SAP released another critical update regarding a newly disclosed CVE associated with the NetWeaver servers.
Impact and Legacy
Impact and Legacy
Impact and Legacy
The vulnerabilities reported include CVE-2025-31324, which is an unauthenticated file upload vulnerability impacting the Metadata Uploader component of SAP NetWeaver Visual Composer. Successful exploitation grants an attacker the ability to upload malicious files, potentially leading to code execution. "The flaw stems from missing authorization checks at the '/developmentserver/metadatauploader' endpoint," explained an SAP security analyst.
"The flaw stems from missing authorization checks at the '/developmentserver/metadatauploader' endpoint,"
ReliaQuest's investigation determined that the CVE-2025-31324 vulnerability was being exploited in the wild by threat actors who used it to upload web shells onto vulnerable host systems. These web shells facilitate malware deployment and allow for establishing communications with command and control (C2) servers.
Furthermore, CVE-2025-42999, a deserialization vulnerability identified by Onapsis researchers that affects the same platform component, has also raised concerns. "An authenticated attacker could exploit this vulnerability to achieve code execution on affected hosts," stated an Onapsis expert. The investigation into CVE-2025-31324 helped expose this second vulnerability, which Onapsis reported to SAP. It was subsequently patched during the May 2025 SAP Security Patch Day.
"An authenticated attacker could exploit this vulnerability to achieve code execution on affected hosts,"
Despite the swift action from SAP, the threat landscape remains concerning. "Exploitation of CVE-2025-31324 in the wild shows a troubling trend, with advanced persistent threat (APT) and ransomware groups taking advantage," warned cybersecurity experts.
"Exploitation of CVE-2025-31324 in the wild shows a troubling trend, with advanced persistent threat (APT) and ransomware groups taking advantage,"
Initially, there was no proof-of-concept (PoC) code publicly shared for CVE-2025-31324 when the vulnerability was announced. However, reports revealed that shortly after initial disclosures, several PoCs emerged on GitHub, raising alarms about potential widespread exploit attempts.
In light of these developments, SAP has confirmed that it has rolled out patches for affected versions of its NetWeaver software. However, the specifics regarding an extensive list of affected and patched versions, as highlighted in SAP security note #3594142, remain inaccessible to the public. "It is crucial for organizations to monitor these updates vigilantly to safeguard their systems," advised SAP officials.
"It is crucial for organizations to monitor these updates vigilantly to safeguard their systems,"
As the cybersecurity landscape evolves with threats like CVE-2025-31324, organizations must remain vigilant and proactive in their responses. Ensuring timely application of security patches is paramount in protecting sensitive data and maintaining operational integrity.
