Cyber Security News

SAP NetWeaver 0-Day Vulnerability Exploited in the Wild to Deploy Webshells

SAP released an emergency out-of-band patch addressing CVE-2025-31324, a critical zero-day vulnerability in SAP NetWeaver Visual Composer with the highest possible CVSS score of 10.0.

This vulnerability stems from a missing authorization check in the Metadata Uploader component, allowing unauthenticated attackers to upload malicious executable files by sending specially crafted POST requests to the /developmentserver/metadatauploader endpoint.

Security analysts from ReliaQuest, Rapid7, and Onapsis have verified that active exploitation is occurring in the wild, with indications that attacks might have started as early as March 2025.

ReliaQuest initially detected the activity during investigations of compromised SAP systems and notified SAP, who subsequently confirmed the vulnerability.

While the vulnerable Visual Composer component is not installed by default in NetWeaver’s standard configuration, Onapsis notes that it is “broadly enabled because it was a core component used by business process specialists to develop business application components without coding”.

The component allows business users without programming skills to create web-based applications using a visual, drag-and-drop interface.

Exploitation Method and Impact

The vulnerability allows attackers to send unauthenticated POST requests to:

/developmentserver/metadatauploader

Attackers are exploiting this vulnerability to upload JSP webshells into publicly accessible directories, particularly the j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj path tree listed under Mitigation Steps below.

Commonly observed malicious files include helper.jsp and cache.jsp, though many webshells have been discovered with randomized 8-character names.

These webshells permit attackers to execute arbitrary commands with the privileges of the <sid>adm operating system user, providing full access to all SAP resources, including system databases.

Post-exploitation activities show attackers deploying Brute Ratel and using the Heaven’s Gate technique for evasion, potentially leading to lateral movement across networks, ransomware deployment, and data exfiltration.

Organizations can quickly check if their systems are vulnerable by attempting to access:

http://host:port/developmentserver/metadatauploader

If this URL is accessible without authentication, your system is likely vulnerable. Additionally, administrators can check system info (http://host:port/nwa/sysinfo) for the Software Component VISUAL COMPOSER FRAMEWORK (VCFRAMEWORK.SCA 7.50).

Risk Factors / Details

Affected Products: SAP NetWeaver Visual Composer (VCFRAMEWORK 7.50), specifically the Metadata Uploader component in non-default configurations

Impact:
  • Unauthenticated RCE via webshell deployment
  • Full system compromise with <sid>adm privileges
  • Data exfiltration, ransomware deployment, and lateral movement
  • SAP service disruption

Exploit Prerequisites:
  • Visual Composer Framework enabled
  • Network access to the /developmentserver/metadatauploader endpoint
  • No custom security policies blocking the vector

CVSS 3.1 Score: 10.0 (Critical)

Mitigation Steps

SAP has released a security note to address this vulnerability. Organizations are advised to:

  • Apply the emergency patch immediately without waiting for regular patch cycles
  • If unable to patch, restrict access to the /developmentserver/metadatauploader endpoint
  • Consider disabling Visual Composer entirely if not in use
  • Scan for suspicious files in paths including:
      • j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root
      • j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/work
      • j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/work/sync
  • Onapsis has released an open-source scanner available on GitHub to help detect vulnerable systems
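A defender-side script for the file scan described above, added here as an illustration and not SAP's or Onapsis's tooling. It assumes the three directories are relative to a NetWeaver installation root that the caller passes in, and flags the file names reported in the campaign (helper.jsp, cache.jsp, and randomized 8-character JSP names); legitimate 8-character names will also be flagged, so treat the output as a triage list.

```python
import re
from pathlib import Path

# Directories named in the advisory, relative to the NetWeaver installation root.
SUSPECT_DIRS = [
    "j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root",
    "j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/work",
    "j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/work/sync",
]

# Webshell file names reported in the campaign.
KNOWN_NAMES = {"helper.jsp", "cache.jsp"}

# Randomized 8-character JSP names (e.g. "Ab12Cd34.jsp", a constructed sample).
# Note: legitimate 8-character names match too; this is a triage heuristic.
RANDOM_NAME = re.compile(r"^[A-Za-z0-9]{8}\.jsp$")


def classify(filename):
    """Return a reason string if the name matches a reported pattern, else None."""
    if filename.lower() in KNOWN_NAMES:
        return "known webshell name"
    if RANDOM_NAME.match(filename):
        return "randomized 8-character JSP name"
    return None


def scan(install_root):
    """Walk the advisory's directories under install_root (assumed layout) and
    return a list of (path relative to install_root, reason) for each hit.
    Only the direct children of each directory are inspected, so work/ and
    work/sync are not double-counted."""
    root = Path(install_root)
    hits = []
    for rel in SUSPECT_DIRS:
        directory = root / rel
        if not directory.is_dir():
            continue  # component or directory not present on this host
        for entry in sorted(directory.iterdir()):
            if entry.is_file():
                reason = classify(entry.name)
                if reason:
                    hits.append((entry.relative_to(root).as_posix(), reason))
    return hits


if __name__ == "__main__":
    import sys
    for path, reason in scan(sys.argv[1]):
        print(f"{path}: {reason}")
```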

Given the critical nature of this vulnerability and its active exploitation, organizations using SAP NetWeaver should treat this as a high-priority security issue requiring immediate attention.


Guru Baran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
