Over 400 SAP NetWeaver Systems at Risk

Recent cybersecurity research has uncovered a critical vulnerability in SAP NetWeaver systems. According to analysts from Shadowserver, 454 SAP NetWeaver devices are currently at risk. This vulnerability is already being actively exploited in real-world attacks.

The vulnerability, registered as CVE-2025-31324, was identified in the Metadata Uploader component of the SAP NetWeaver Visual Composer platform. It allows attackers to upload malicious files without authentication, potentially gaining full control over the system.

How Does the Vulnerability Work?

  • Attackers can access the SAP server’s /developmentserver/metadatauploader endpoint without authentication to upload malicious files.
  • These files can be used to compromise the system, steal data, or establish persistent access points on the server.
  • In some cases, attackers have employed advanced exploitation tools like Brute Ratel C4 and bypass techniques such as Heaven’s Gate.

Why Is This Vulnerability Dangerous?

  • No password or authentication is required.
  • No user interaction (e.g., clicking a link) is needed.
  • The attack is technically straightforward to execute.
  • Full system control is achievable.

Although the SAP NetWeaver Visual Composer module is not installed by default, it is present in 50–70% of Java-based SAP systems, putting many organizations at risk.

SAP’s Response

SAP urgently released a patch on April 24, 2025, through Security Note 3594142.
If immediate patching is not feasible, temporary protective measures outlined in SAP Note 3593336 can be implemented.

How to Determine Whether Your System Is at Risk

  1. Check whether the /developmentserver/metadatauploader endpoint is reachable. If it responds without demanding authentication, your system is vulnerable.
  2. Review web server logs for signs of unauthorized access or attempts to upload malicious files.
  3. Monitor SAP systems for unusual outbound internet connections.
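To put step 2 into practice, the following script is an added example (not code from the article or from SAP) that runs over web server access-log lines and flags every request to the /developmentserver/metadatauploader endpoint named above. It assumes an Apache-style combined/common log format; the HTTP access log of an SAP NetWeaver Java stack may use a different layout, in which case only the regular expression needs adjusting. The sample log lines and the IP addresses in them are constructed for the demonstration. A POST that received a 2xx response is the case to escalate, since it means an upload was accepted without an authentication challenge, while 401/403 responses indicate the endpoint rejected the request; a 2xx alone does not prove compromise, so treat the output as triage input, not as a verdict.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Endpoint named in the advisory. Compared case-insensitively because
# servlet routing may accept mixed-case variants (assumption, not from the article).
SUSPECT_PATH = "/developmentserver/metadatauploader"

# Apache-style common/combined log format (assumed):
#   ip ident user [time] "METHOD path HTTP/x" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


@dataclass
class Hit:
    ip: str
    time: str
    method: str
    path: str
    status: int
    severity: str  # "critical", "probe", "blocked" or "other"


def classify(method: str, status: int) -> str:
    """Rate one request to the uploader endpoint for triage."""
    if status in (401, 403):
        return "blocked"      # endpoint enforced authentication / denied access
    if method == "POST" and 200 <= status < 300:
        return "critical"     # upload accepted without an auth challenge
    if method in ("GET", "HEAD") and 200 <= status < 300:
        return "probe"        # endpoint reachable; typical reconnaissance pattern
    return "other"


def scan_log(lines):
    """Return a Hit for every parsable request aimed at SUSPECT_PATH."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected shape; skip rather than guess
        path = m.group("path").split("?", 1)[0]  # drop the query string
        if path.lower() != SUSPECT_PATH:
            continue
        method = m.group("method")
        status = int(m.group("status"))
        hits.append(Hit(m.group("ip"), m.group("time"), method, path, status,
                        classify(method, status)))
    return hits


def summarize(hits):
    """Counts per severity plus the sources that had an upload accepted."""
    counts = Counter(h.severity for h in hits)
    return {
        "critical": counts["critical"],
        "probe": counts["probe"],
        "blocked": counts["blocked"],
        "other": counts["other"],
        "critical_sources": sorted({h.ip for h in hits if h.severity == "critical"}),
    }


# Constructed sample log lines (documentation-range IPs, fictional timestamps).
SAMPLE_LINES = [
    '203.0.113.10 - - [24/Apr/2025:10:01:12 +0000] "GET /developmentserver/metadatauploader?ping=1 HTTP/1.1" 200 512',
    '203.0.113.10 - - [24/Apr/2025:10:01:15 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 17',
    '198.51.100.7 - - [24/Apr/2025:10:05:00 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 403 0',
    '192.0.2.44 - alice [24/Apr/2025:10:06:30 +0000] "GET /irj/portal HTTP/1.1" 200 8192',
    'this line is not an access-log record',
    '198.51.100.7 - - [24/Apr/2025:10:07:02 +0000] "HEAD /DevelopmentServer/MetadataUploader HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    found = scan_log(SAMPLE_LINES)
    for h in found:
        print(f"{h.severity:8} {h.time} {h.ip:15} {h.method:4} {h.path} -> {h.status}")
    print(summarize(found))
```

Run it against a real log with `scan_log(open(path))`; the `critical_sources` list is the set of client addresses to correlate with step 3 (unusual outbound connections) and with any files written under the server's deployment directories since the first hit.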

Expert Recommendations

  • Install SAP patches immediately.
  • If patching is not possible, implement temporary protective measures and enhance monitoring.
  • Regularly conduct vulnerability scans and security assessments on your SAP systems.

This vulnerability is highly severe and poses a significant threat to organizations. Immediate technical measures and monitoring are essential to protect systems. Every minute of delay could work in favor of attackers.