SAP’s May 2025 Security Patch Day includes an urgent update to the previously released emergency patch for a critical zero-day vulnerability (CVE-2025-31324) that continues to see active exploitation across multiple industries globally.
The release includes 16 new Security Notes and 2 updates to previously released notes, with special emphasis on addressing the severe NetWeaver vulnerability.
Critical SAP NetWeaver 0-Day RCE Vulnerability
The critical vulnerability, rated with the maximum possible CVSS score of 10.0, affects SAP NetWeaver’s Visual Composer development server component (VCFRAMEWORK 7.50).
First reported by security research firm ReliaQuest on April 22, 2025, the flaw prompted SAP to issue an emergency patch on April 24. Today’s update reinforces protection against evolving exploitation techniques.
The root cause is a missing authentication and authorization check in the application: the Metadata Uploader is reachable without credentials, so an unauthenticated user can invoke part of its functionality.
Security researchers have determined that exploitation began as early as January 20, 2025, with real exploitation attempts starting around February 10.
This vulnerability is particularly dangerous because it allows unauthenticated remote attackers to upload arbitrary files, including malicious executables, resulting in complete system compromise.
“While initially thought to be limited to arbitrary file upload, further investigation has identified that this is actually remote command execution (RCE),” notes Onapsis in their updated advisory.
Attackers have been observed uploading JSP webshells with names like “helper.jsp” and “cache.jsp” to facilitate persistent access.
The vulnerability’s impact spans numerous sectors, with Onapsis and Mandiant confirming “exploitation across industries and geographies, including confirmed compromises at energy and utilities, manufacturing, media and entertainment, oil and gas, pharmaceuticals, retail and government organizations”.
Although SAP Visual Composer is not installed by default, research indicates it is “installed and enabled in at least 50% of Java systems, with the research indicating the percentage could be as high as 70%”.
This widespread deployment has created a substantial attack surface. As of May 5, 2025, security firms have observed “a second wave of attacks staged by follow-on, opportunistic threat actors who are leveraging previously established webshells from the first zero-day attack”.
More recent attacks have been linked to a Chinese threat actor tracked as Chaya_004.
| Risk Factors | Details |
|---|---|
| Affected Products | SAP NetWeaver Visual Composer development server (VCFRAMEWORK 7.50) |
| Impact | Remote Code Execution (RCE), arbitrary file upload, full system compromise |
| Exploit Prerequisites | Network access to vulnerable endpoint; no authentication required |
| CVSS 3.1 Score | 10.0 (Critical) |
Organizations running SAP NetWeaver are strongly advised to:
- Apply the updated patch (SAP Note #3594142) immediately.
- Implement workarounds detailed in SAP Note #3593336 if immediate patching isn’t possible.
- Conduct compromise assessments for exposed systems.
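One way to start such a compromise assessment is to sweep web-server access logs for the two indicators this article gives: unauthenticated POST requests that the Metadata Uploader accepted, and requests for the reported webshell names. The script below is an added example, not code from SAP, Onapsis or this article; the uploader request path and the log lines are constructed assumptions, so confirm the real path on your own landscape before relying on the match.

```python
import re

# Webshell names the article reports being dropped after exploitation.
KNOWN_WEBSHELLS = {"helper.jsp", "cache.jsp"}

# Request path fragment for the Visual Composer Metadata Uploader. This value is an
# assumption for the example; confirm the exact path on your own landscape.
UPLOADER_HINT = "metadatauploader"

# Combined-format access log line: client, identity, auth user, timestamp, request, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines, not real telemetry.
SAMPLE_LOG = """\
203.0.113.7 - - [21/Apr/2025:10:14:02 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 512
203.0.113.7 - - [21/Apr/2025:10:14:09 +0000] "GET /irj/helper.jsp HTTP/1.1" 200 88
198.51.100.4 - alice [21/Apr/2025:10:20:33 +0000] "GET /irj/portal HTTP/1.1" 200 10240
198.51.100.4 - alice [21/Apr/2025:10:21:05 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 401 0
"""


def find_indicators(lines):
    """Return one finding per log line that matches a CVE-2025-31324 indicator."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        rec = m.groupdict()
        path = rec["path"].lower()
        basename = path.rsplit("/", 1)[-1].split("?", 1)[0]
        # An unauthenticated POST the server accepted: the missing auth check described above.
        if (rec["method"] == "POST" and UPLOADER_HINT in path
                and rec["user"] == "-" and rec["status"].startswith("2")):
            findings.append({"ip": rec["ip"], "ts": rec["ts"], "path": rec["path"],
                             "reason": "accepted unauthenticated POST to Metadata Uploader"})
        # Any hit on a webshell name from the article, whatever the status code.
        if basename in KNOWN_WEBSHELLS:
            findings.append({"ip": rec["ip"], "ts": rec["ts"], "path": rec["path"],
                             "reason": f"request to known webshell name {basename}"})
    return findings


if __name__ == "__main__":
    for f in find_indicators(SAMPLE_LOG.splitlines()):
        print(f"{f['ts']} {f['ip']} {f['path']}: {f['reason']}")
```

A hit on either indicator is a reason to treat the host as compromised and move to a full forensic review, not proof on its own that the attacker succeeded.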
With the vulnerability granting attackers “<sid>adm access” to underlying SAP operating systems, compromised environments face risks of data theft, financial record manipulation, ransomware deployment, and potential regulatory compliance violations.
As SAP continues monitoring this situation, customers are urged to prioritize this update above all others in their May patching cycle.