Zero-Day: CVE-2025-31324

New Intelligence to Protect SAP from Ransomware and Data Breaches

On April 24, 2025, SAP released an emergency patch for a CVSS 10.0 zero-day vulnerability in SAP Visual Composer, an optional but widely deployed component that is present in an estimated 50-70% of SAP Java systems worldwide.
The vulnerability is being actively exploited in the wild, as confirmed by Onapsis Threat Intelligence and by multiple incident response firms and security researchers. Active exploitation was first publicly reported by ReliaQuest.

Read our resource page to learn more about the threat and potential business impact of this critical zero-day vulnerability:

  • Details about the CVE-2025-31324 vulnerability.
  • Reporting on active exploitation in the wild and observations from Onapsis Research Labs.
  • How to determine if you’ve been exploited.
  • Recommendations on how to patch or mitigate this vulnerability in your essential SAP systems.

Upcoming Webinar

Our experts are hosting an SAP threat intelligence session with further information on how to assess exposure in your environment and plan any required response actions.

Critical SAP Zero-Day Vulnerability Under Active Exploitation (CVE-2025-31324)

Date: Tuesday April 29, 2025
Time: 9am ET / 3pm CEST

Frequently Asked Questions

If we have NetWeaver Java 7.0 with the Visual Composer Framework installed, is it still vulnerable?

Yes, it is very likely that this version of NetWeaver Java is vulnerable. Additionally, NetWeaver Java 7.0 is no longer supported by SAP, so SAP will not issue a security patch for this vulnerability on that release. Our recommendation is to apply one of the workarounds described in SAP KB #3593336 and to have a plan to upgrade that system to a NetWeaver Java release that SAP still supports.

If our SAP is not an internet-facing environment, are we just worried about insider threats? Or are we still vulnerable from malicious attackers?

The only thing that changes if the SAP application is not internet-facing is the expected frequency of exploitation. The vulnerability should still be considered critical and acted on immediately. Given the nature of the vulnerability and how it is exploited, we expect automated exploit tools to target it, including tools that can easily be run from inside a network. It could also be leveraged by malicious software such as malware or ransomware once an attacker has a foothold in the network.

Are there any specific sectors or industries that malicious attackers are targeting based on the research so far?

We are still consolidating information on the targeted industries, but at this stage all critical infrastructure should be considered at high risk based on the level of threat activity Onapsis Research Labs has seen. That said, all organizations are at high risk, given the nature of this vulnerability, the fact that it is exploited over HTTP, and the level of threat activity observed over the past couple of days.

Are there any specific OS platforms that are particularly vulnerable to ransomware?

In general, Windows-based OSs are a preferred target for ransomware gangs, because their tooling is fully instrumented for Windows, but it is not limited to Windows. I would not assume that if your SAP systems are running on a non-Windows OS you are immune from a ransomware attack.

How can I check if the Visual Composer is installed?

You need to list the software components of the SAP Java system. If "VISUAL COMPOSER FRAMEWORK" (technical name VCFRAMEWORK) is installed, the system is vulnerable unless you have applied the patch from SAP Security Note #3594142 or the mitigations in SAP KB #3593336 (which essentially make the component unreachable).

If you are an Onapsis customer, you can use Assess to scan all your Java systems. Assess will identify not only the systems that have the component, but will also report an issue for any system that has the component and is not secured against the vulnerability.

Could SAP Solution Manager 7.2 be affected by this vulnerability?

It depends on whether the vulnerable component was included when that Solution Manager system was installed. You will have to list the Java software components of your Java SID and look for the "VISUAL COMPOSER FRAMEWORK" (VCFRAMEWORK) component.
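The three answers above (unsupported 7.0 systems, the component check, and Solution Manager) describe one triage decision: a Java stack is exposed when VCFRAMEWORK is installed and neither SAP Security Note #3594142 nor the SAP KB #3593336 workaround is in place, and on an unsupported 7.0 release only the workaround is available. The script below encodes that decision over a fleet inventory. It is an added example written for this page, not Onapsis or SAP code; the inventory records, the field names, the SIDs and the non-Visual-Composer component names are constructed, and the treatment of every 7.0x release as out of support is an assumption based on the FAQ's statement about 7.0.

```python
"""Fleet triage for CVE-2025-31324 exposure on SAP NetWeaver Java stacks.

Added example (not Onapsis or SAP code). The inventory is constructed; in
practice it would come from each system's software component list.
"""
from dataclasses import dataclass

# Both spellings under which the component appears in component lists (from the FAQ).
VC_NAMES = {"VISUAL COMPOSER FRAMEWORK", "VCFRAMEWORK"}
PATCH_NOTE = "3594142"       # SAP Security Note with the fix
WORKAROUND_NOTE = "3593336"  # SAP KB: make the component unreachable

# Lower number = handle first. Unpatched systems come first regardless of exposure.
SEVERITY = {
    "vulnerable": 0,
    "vulnerable_no_patch_available": 0,
    "inconsistent_inventory": 1,
    "mitigated": 2,
    "patched": 3,
    "not_affected": 4,
}


@dataclass(frozen=True)
class JavaSystem:
    sid: str
    release: str                      # NetWeaver Java release string, e.g. "7.50"
    components: tuple                 # software component names as listed on the system
    applied_notes: frozenset = frozenset()
    vc_unreachable: bool = False      # KB 3593336 workaround applied
    internet_facing: bool = False     # only affects ordering, never criticality (FAQ)


def has_visual_composer(components):
    """Match either name, tolerating case and whitespace differences in exports."""
    return any(c.strip().upper() in VC_NAMES for c in components)


def is_unsupported(release):
    """FAQ: NetWeaver Java 7.0 gets no patch. Assumption: all 7.0x treated the same."""
    return release.strip().startswith("7.0")


def triage(system):
    if not has_visual_composer(system.components):
        return "not_affected"          # component absent: CVE does not apply
    if system.vc_unreachable:
        return "mitigated"             # KB 3593336 workaround in place
    if PATCH_NOTE in system.applied_notes:
        if is_unsupported(system.release):
            # SAP issues no patch for 7.0; a recorded patch there needs checking.
            return "inconsistent_inventory"
        return "patched"
    if is_unsupported(system.release):
        return "vulnerable_no_patch_available"   # only the workaround can help
    return "vulnerable"


def remediation_order(systems):
    """Return (SID, status) pairs, most urgent first; internet-facing first within a tier."""
    ranked = sorted(
        systems,
        key=lambda s: (SEVERITY[triage(s)], not s.internet_facing, s.sid),
    )
    return [(s.sid, triage(s)) for s in ranked]


# Constructed sample fleet (SIDs and non-VC component names are made up).
FLEET = (
    JavaSystem("PRJ", "7.50", ("SAP-JEE", "ENGINEAPI", "VCFRAMEWORK"), internet_facing=True),
    JavaSystem("SMJ", "7.40", ("SAP-JEE", "ENGINEAPI", "LM-SERVICE")),          # SolMan, no VC
    JavaSystem("DEV", "7.00", ("SAP-JEE", "visual composer framework"), vc_unreachable=True),
    JavaSystem("QAS", "7.40", ("SAP-JEE", "Visual Composer Framework"),
               applied_notes=frozenset({PATCH_NOTE})),
    JavaSystem("OLD", "7.01", ("SAP-JEE", "VCFRAMEWORK")),
)

if __name__ == "__main__":
    for sid, status in remediation_order(FLEET):
        print(f"{sid}: {status}")
```

Run it and the two unpatched systems (PRJ, OLD) sort to the top, with the internet-facing one first; DEV counts as mitigated even though no patch exists for it, and SMJ is not affected because its Java stack never had the component installed.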

Was this bug reported by a researcher, or is it being exploited in the wild and detected by DFIR services?

The vulnerability was not disclosed by a security researcher. It is unknown who found it, but it was already being widely exploited across SAP applications when it became public. It is important to stress that this is not the result of theoretical research in a lab: there is active and ongoing exploitation of this vulnerability in the wild.

Further Reading

Want a more in-depth exploration? Start with these related pieces, then visit our Resources page for more.

Stay Ahead of Vulnerabilities with Onapsis Research Labs

Cybersecurity demands proactive measures, and protecting your SAP systems from vulnerabilities that are being actively exploited is a critical task. Don't hesitate to reach out to us today to start strengthening your SAP environment's security. Together, we can ensure your systems remain resilient and safeguarded against evolving threats.