Active Exploitation of SAP Zero-Day Vulnerability (CVE-2025-31324, SAP Security Note 3594142)


Editor's Note: This blog was updated with the latest information as of April 27, 2025 at 3:35 p.m. ET with Onapsis Research Labs releasing an open-source scanner for CVE-2025-31324. Please see the Open-Source Scanner for CVE-2025-31324 section below for more information.

Onapsis Research Labs will continue to monitor for threat activity related to CVE-2025-31324 and will add further details to this blog post as needed. Please bookmark this page for updates.

A live SAP threat intelligence briefing for CVE-2025-31324 and SAP Security Note 3594142 will also be held on April 29, 2025.

Executive Summary

  • A zero-day, CVSS 10.0 vulnerability is being actively exploited in the wild.  
  • CVE-2025-31324 affects SAP Visual Composer, allowing unauthenticated threat actors to upload arbitrary files, resulting in immediate full compromise of the targeted system.
  • SAP Visual Composer is not installed by default, but is broadly enabled because it was a core component used by business process specialists to develop business application components without coding.
  • Evidence of active exploitation was noted by Onapsis Threat Intelligence and reported by multiple IR firms and security researchers.
  • First public report was via a public blog posted by security research firm ReliaQuest.
  • SAP released an emergency patch for this issue on April 24, 2025 at approximately 1:00 PM EST (US).
  • Patching, mitigation, and – if exposed – compromise assessment should be critical priorities.

The Vulnerability 

Affected Component: The vulnerability exists in the SAP Visual Composer component for SAP NetWeaver 7.xx (all SPS), specifically within the “developmentserver” part of the application. This component is part of the SAP NetWeaver Java stack. While not installed by default, it is widely enabled across existing SAP NetWeaver Application Server Java systems due to its broad usefulness in assisting business process specialists with developing business components without the use of coding.

Root Cause: The fundamental issue is an improper authentication and authorization check in the application. This means the Metadata Uploader is not protected when an unauthenticated user attempts to use some of its functionality.

Vulnerability Type: As the vulnerability relies on the fact that no authentication is enforced when accessing certain privileged functionality, the type of vulnerability can be associated with CWE ID: CWE-862 Missing Authorization or CWE-306: Missing Authentication for Critical Function.

Criticality: The vulnerability has been graded with a CVSS of 10, since it allows for a full system compromise, if successfully exploited.

Exploitation Method: The vulnerability is exploitable through HTTP/HTTPS, potentially over the Internet. Attackers target the /developmentserver/metadatauploader URL by sending carefully crafted POST requests.

Authentication Requirement: No authentication is required to exploit it, allowing any unauthenticated agent or threat actor to interact with the vulnerable component.

Technical Impact: The exploitation allows arbitrary file upload. Threat actors can upload potentially malicious code files, most commonly webshells. Examples of filenames observed include “helper.jsp” and “cache.jsp”.

Attack Surface: While the SAP Visual Composer component is an optional component to install, Onapsis research indicates this component is installed and enabled in at least 50% of Java systems, with the research indicating the percentage could be as high as 70%.

Exploitation & Business Impact

It is important to stress that at the time of posting, no publicly available exploit code has been published. However, be aware that active exploitation of this vulnerability continues to be observed in the wild. Onapsis Research Labs will continue to update this resource with further guidance and additional information as it is uncovered.

Active Exploitation in the Wild

  • In April 2025, Onapsis Research Labs obtained evidence of active exploitation of this zero-day vulnerability through the exclusive Onapsis Threat Intelligence. Onapsis observed this activity on Internet-facing SAP applications and was also contacted by SAP customers who shared insights into the topic. Concurrently, multiple Incident Response firms and security researchers were also reporting observations of active exploitation.
  • On April 22, 2025 ReliaQuest publicly reported observations. Their assessment, based on the fact that exploitation occurred on systems with recent patches, was that it likely involved the use of an unreported RFI issue against public SAP NetWeaver servers.
  • On April 22, 2025, SAP acknowledged the issue, describing the symptom as “Unfamiliar files found in SAP NetWeaver Java file system”. This symptom was detailed in SAP KBA 3593336. The FAQ document (SAP Note 3596125, released April 24, 2025) confirmed that unfamiliar files like ‘.jsp’, ‘.java’, or ‘.class’ in specific paths like …\irj\root, …\irj\work, and …\irj\work\sync are common targets and should be considered malicious.
  • On April 24, 2025, SAP officially identified the vulnerability as CVE-2025-31324, described as a “Missing Authorization check in SAP NetWeaver (Visual Composer development server)”. SAP confirmed the root cause is an improper authorization check allowing an unauthenticated agent to upload potentially malicious executable binaries.
  • [Under Active Development. Timeline will continue to be updated as needed.]

Exploitation Details

Exploitation happens via a POST request to the vulnerable component. Upon successful exploitation, threat actors are able to upload arbitrary files. Threat actors have been observed uploading web shells to vulnerable systems. These webshells allow the threat actor to execute arbitrary commands in system context, with the privileges of the <sid>adm Operating System user, giving them full access to all SAP Resources.

POST /developmentserver/metadatauploader?CONTENTTYPE=MODEL&CLIENT=1 HTTP/1.1
Host: <REDACTED>
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Type: x
Content-Length: 714

<POST_BODY_REDACTED>

Example of exploitation of the vulnerability
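Because exploitation is a POST to a fixed URL path, the request pattern above can be turned into a log-based detection. The following Python script is an added example, not code from the Onapsis post or its products: it flags POST requests to /developmentserver/metadatauploader regardless of query string or letter case, and requests for the webshell file names the post reports (helper.jsp, cache.jsp) under /irj/. The log lines are constructed samples in a CLF-style layout; that layout is an assumption, since the ICM or Web Dispatcher access log format depends on the configured LOGFORMAT, so adjust LINE_RE to match your own logs.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# URL path targeted by the exploitation requests shown in the post.
TARGET_PATH = "/developmentserver/metadatauploader"
# Webshell file names reported in the post.
KNOWN_SHELL_NAMES = {"helper.jsp", "cache.jsp"}

# Constructed sample lines. Assumption: the HTTP access log uses a CLF-style layout
# (client ident user [timestamp] "METHOD target protocol" status size).
SAMPLE_LOG = """\
203.0.113.7 - - [24/Apr/2025:13:02:11 +0000] "POST /developmentserver/metadatauploader?CONTENTTYPE=MODEL&CLIENT=1 HTTP/1.1" 200 512
198.51.100.9 - - [24/Apr/2025:13:02:12 +0000] "GET /irj/portal HTTP/1.1" 200 8831
203.0.113.7 - - [24/Apr/2025:13:02:15 +0000] "GET /irj/helper.jsp HTTP/1.1" 200 77
192.0.2.5 - - [24/Apr/2025:13:05:40 +0000] "POST /DevelopmentServer/MetadataUploader HTTP/1.1" 403 0
"""

LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3}) (?P<size>\S+)$'
)


@dataclass
class Alert:
    client: str
    ts: str
    method: str
    target: str
    status: int   # kept so a blocked attempt (4xx) can be told apart from a 200
    reason: str


def parse_line(line: str) -> Optional[dict]:
    """Return the parsed fields of one access-log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(method: str, target: str) -> Optional[str]:
    """Return an alert reason for a request, or None if it is not of interest."""
    path = target.split("?", 1)[0].lower()   # drop the query string, normalise case
    if method == "POST" and path == TARGET_PATH:
        return "POST to unauthenticated Visual Composer metadatauploader endpoint"
    name = path.rsplit("/", 1)[-1]
    if path.startswith("/irj/") and name in KNOWN_SHELL_NAMES:
        return f"request for reported webshell file name {name} under /irj/"
    return None


def scan_log(lines: Iterable[str]) -> List[Alert]:
    """Run classify() over every parsable line and collect the alerts."""
    alerts: List[Alert] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reason = classify(rec["method"], rec["target"])
        if reason:
            alerts.append(Alert(rec["client"], rec["ts"], rec["method"],
                                rec["target"], int(rec["status"]), reason))
    return alerts


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{a.ts} {a.client} {a.method} {a.target} -> {a.status}: {a.reason}")
```

The status code is carried into each alert on purpose: a 403 on the endpoint (for example after the SAP Note #3593336 workaround blocks the path) is still worth knowing about as an attempt, but a 200 followed by requests for a .jsp under /irj/ from the same client is the sequence that should trigger the compromise-assessment steps described later in this post.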

Business Impact

With <sid>adm access, the attacker gains unauthorized access to the underlying SAP Operating System using the user and privileges of the processes running in the SAP Application Server, implying full access to any SAP resource, including the SAP system database without any restrictions, permitting them to take several actions (e.g., shut down the SAP application or deploy ransomware). 

Additionally, the system can be used as a foothold into a network for the attacker to pivot from this initial entry point and access other internal systems, taking advantage of the interconnected nature of SAP systems.

As always, the potential for immediate full compromise is a serious matter and one that should be prioritized by your team.  It could lead to malicious and unauthorized business activity affecting critical SAP systems, including but not limited to modifying financial records, deploying ransomware, viewing personally identifiable information (PII), corrupting business data, and deleting or modifying logs, traces, and other actions that jeopardize essential business operations.

Furthermore, for organizations subject to strong regulatory requirements (e.g., US: SEC Rules on Cybersecurity; EU: NIS2) or industry compliance frameworks (e.g., Sarbanes-Oxley, NERC), the resulting deficiency in IT controls for such regulatory or compliance mandates could be significant and far reaching, including (but again not limited to) corporate liability for corrupted or modified data, exfiltration of sensitive and/or financial data, and the exposure of PII.

Patching for CVE-2025-31324, mitigation if you are unable to patch, and – if exposed – compromise assessment should all be critical priorities.

Assessing Exposure 

In order to determine if your systems are vulnerable, you need to list the Components of the SAP System – for each Java system. If either VISUAL COMPOSER FRAMEWORK or VCFRAMEWORK is listed as installed, then the system has the targeted component.

The following screenshot illustrates the listing of components, filtered by the affected component, which is VCFRAMEWORK. This can be obtained by navigating to the homepage of the SAP NetWeaver Application Server Java → System Information → Components Info (tab).

Image 1: Example of a vulnerable component version.

You then need to manually review whether the patch from SAP Security Note #3594142 has been applied or one of the mitigations in SAP KB #3593336 has been implemented. For Onapsis customers, please review the Onapsis Platform Coverage section in this article to see how this assessment can be done automatically across your entire landscape.

Indicators of Compromise 

SAP has provided guidance on determining if systems have already been compromised in SAP Note #3596125. This note details the following steps:

Check the root of the following OS directories for the presence of ‘jsp’, ‘java’, or ‘class’ files.

  • C:\usr\sap\<SID>\<InstanceID>\j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\root
  • C:\usr\sap\<SID>\<InstanceID>\j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\work
  • C:\usr\sap\<SID>\<InstanceID>\j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\work\sync

The presence of these files is an indication an attacker has leveraged the vulnerability to upload arbitrary files. The system should be considered compromised and the appropriate incident response plan should be followed.

The following image illustrates a potential review of a given SAP Application:

[root@sapserver irj]# pwd
/usr/sap/<SID>/<INSTANCE>/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj
[root@sapserver irj]# find . -type f -name "*.jsp" -ls
[root@sapserver irj]# find . -type f -name "*.java" -ls
[root@sapserver irj]# find . -type f -name "*.class" -ls

Observed Tactics

Different tactics have been observed by the Onapsis Research Labs, mapped to the MITRE ATT&CK Framework:

  • T1190 (Exploit Public-Facing Application)
  • T1505.003 (Server Software Component: Web Shell) 

Additionally, the ReliaQuest research team provided the following IOCs to search across SAP Applications: 

  • Helper.jsp webshell: 1f72bd2643995fab4ecf7150b6367fa1b3fab17afd2abed30a98f075e4913087
  • Cache.jsp webshell: 794cb0a92f51e1387a6b316b8b5ff83d33a51ecf9bf7cc8e88a619ecb64f1dcf
  • Any files with .jsp, .class or .java extensions within the following directories should be considered malicious
    • /usr/sap/<SID>/<InstanceID>/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root
    • /usr/sap/<SID>/<InstanceID>/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/work
    • /usr/sap/<SID>/<InstanceID>/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/work/sync
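The file system check from SAP Note #3596125 and the ReliaQuest hashes above can be applied in one pass. The following Python script is an added example, not the Onapsis scanner and not SAP's or ReliaQuest's code: given the .../irj/servlet_jsp/irj directory, it lists .jsp, .java and .class files directly inside root, work and work/sync, hashes each with SHA-256 and reports whether the hash matches one of the two published webshell hashes. Files that do not match are still reported, because per the note any such file in these paths should be treated as malicious. The demo() function builds a constructed directory tree with placeholder files so the logic can be exercised offline; the file names and contents in it are made up for the example.

```python
import hashlib
import os
import shutil
import sys
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Optional

# Extensions SAP Note #3596125 says should not appear in the checked directories.
SUSPECT_EXTENSIONS = {".jsp", ".java", ".class"}
# Directories to check, relative to .../j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj
CHECK_SUBDIRS = ("root", "work", os.path.join("work", "sync"))
# SHA-256 hashes of the two webshells reported by ReliaQuest (taken from the post).
KNOWN_WEBSHELL_HASHES: Dict[str, str] = {
    "1f72bd2643995fab4ecf7150b6367fa1b3fab17afd2abed30a98f075e4913087": "helper.jsp",
    "794cb0a92f51e1387a6b316b8b5ff83d33a51ecf9bf7cc8e88a619ecb64f1dcf": "cache.jsp",
}


@dataclass
class Finding:
    path: str
    sha256: str
    known_as: Optional[str]   # name of the matching reported webshell, else None


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(irj_dir: str, known_hashes: Dict[str, str] = KNOWN_WEBSHELL_HASHES) -> List[Finding]:
    """List suspect files directly inside each checked directory and hash them.

    Only the directory itself is listed (not its subtrees), matching the note's
    wording of checking the root of each directory; work/sync is covered because
    it is listed separately.
    """
    findings: List[Finding] = []
    for sub in CHECK_SUBDIRS:
        directory = os.path.join(irj_dir, sub)
        if not os.path.isdir(directory):
            continue
        for entry in sorted(os.scandir(directory), key=lambda e: e.name):
            if not entry.is_file(follow_symlinks=False):
                continue
            if os.path.splitext(entry.name)[1].lower() in SUSPECT_EXTENSIONS:
                digest = sha256_file(entry.path)
                findings.append(Finding(entry.path, digest, known_hashes.get(digest)))
    return findings


def demo() -> List[Finding]:
    """Build a constructed irj tree in a temp dir, sweep it, and return the findings."""
    tmp = tempfile.mkdtemp()
    try:
        for sub in CHECK_SUBDIRS:
            os.makedirs(os.path.join(tmp, sub), exist_ok=True)
        # Constructed placeholder content; it only stands in for an uploaded file.
        sample = b"<%-- constructed sample, not a real webshell --%>"
        with open(os.path.join(tmp, "root", "helper.jsp"), "wb") as f:
            f.write(sample)
        with open(os.path.join(tmp, "work", "sync", "Worker.class"), "wb") as f:
            f.write(b"\xca\xfe\xba\xbe")
        with open(os.path.join(tmp, "work", "readme.txt"), "wb") as f:
            f.write(b"benign, wrong extension, must not be reported")
        # Extend the hash list with the sample's own hash so the match path is exercised.
        known = dict(KNOWN_WEBSHELL_HASHES)
        known[hashlib.sha256(sample).hexdigest()] = "constructed-sample"
        return sweep(tmp, known)
    finally:
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    results = sweep(target) if target else demo()
    for r in results:
        tag = f"matches reported {r.known_as}" if r.known_as else "unknown hash"
        print(f"{r.path}  sha256={r.sha256}  {tag}")
    if results:
        print("Suspect files found: treat the system as compromised and start IR.")
```

Run it with the real irj path as the only argument (for example /usr/sap/<SID>/<InstanceID>/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj) from the <sid>adm user or root; with no argument it runs demo(). Hash matching is only a convenience for attribution: the extension check is the actual indicator, so a .jsp with an unknown hash is no less of a finding, and symlinks are skipped so the hashing cannot be redirected elsewhere.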

Remediation Steps

SAP has released the following notes to help customers protect themselves from this active threat:

  • SAP Security Note #3594142 – Provides the hot fix support packages to help patch the vulnerability. Also points to SAP Note #3596125 and initial manual actions to identify evidence of prior exposure
  • SAP Note #3596125 – FAQ for Security Note #3594142. Please note that this document is evolving, and SAP continues to update and evolve this FAQ and guidance.  
  • SAP Note #3593336 – Provides workaround mitigation steps for customers that cannot apply the patch

Onapsis Platform Coverage

Onapsis published comprehensive support for this vulnerability on April 24, 2025, the day SAP’s emergency patch was published.

  • Onapsis Assess supports identifying all SAP systems with the vulnerable component.
    • Run updated Module 459 “Check missing JAVA SAP Security Notes” to find the vulnerability and review findings for OKBID MNJ_3594142.
    • Run new Module 1050 “[CVE-2025-31324] Missing Authorization check in SAP NetWeaver (Visual Composer development server)” to check if any of the workarounds detailed in SAP Note #3593336 have been implemented. If so, Assess reports a MEDIUM vulnerability (i.e., because you still have the vulnerable component, it is just not currently accessible) and returns issue SAP_105950.
  • Onapsis Defend monitors and alerts on POST requests to an unpatched SAP Visual Composer component.
    • Defend rule released April 24. ID is 74b6519b3821d7be9ac1d0c259c5d3c2.
    • Defend update issued April 25 to include that rule in the shipped Incident Profile, “OP_Shipped_SOC_JAVA”.
  • A Threat Intel Center article was published, providing both details on the vulnerability and exploitation and a central location to view all vulnerable systems and any attempts to interact with the vulnerable component.

Onapsis Assess customers can run an assessment scan against their entire landscape to identify systems with the vulnerable component installed and unpatched, with no workaround/mitigation applied. Ongoing automatic scanning can track your progress addressing the vulnerable systems and removing the risk of compromise in your environment.

While remediation work is underway, Onapsis Defend customers have automatic monitoring of interactions with the vulnerable component. Due to the reduced level of detail captured in POST requests in SAP system logging, Defend cannot detect the presence of a webshell or other payload in the POST request itself, but it can alert if a POST request is made to a vulnerable SAP Visual Composer component.

On April 25, 2025, Onapsis offered two live briefings providing details on the vulnerability, the active exploitation, and mitigation guidance. A third session is scheduled for April 29, 2025. Some of the most common questions we received have been listed below for your reference.

Ongoing guidance continues to be published for our clients within the Onapsis SAP Defenders Community. This guidance will be updated as new information continues to be uncovered about this threat and its impact. The Onapsis SAP Defenders Community provides a forum for Onapsis customers to learn ongoing threat intelligence, gain access to exclusive resources, interact directly with Onapsis experts, and collaborate with other SAP security professionals.

Open-Source Scanner for CVE-2025-31324

In order to support defenders with exposure and compromise assessments, Onapsis Research Labs (ORL) has created an open-source scanner allowing SAP customers to analyze their environment in a non-intrusive manner to identify if any of their systems are vulnerable to CVE-2025-31324, which continues to be actively exploited in the wild.

This tool will execute a non-intrusive remote scan via IP address to determine the following:

  1. Is the affected component present or not present?
  2. Is the affected component patched or not patched?
  3. Are the known webshells present or not present?

As this continues to be a developing situation, Onapsis Research Labs will continue updating this tool as more information is known. The tool includes functionality to check if there is a newer revision available for download as well to help make sure your teams are always using the most current version from the ORL.

Please note that this tool is provided from Onapsis licensed under the Apache License, Version 2.0. This tool is a contribution to the security, incident response, and SAP communities to aid in response to active exploitation of CVE-2025-31324. We consider the tool to be “under development” and will be iterated rapidly as more information becomes available either from Onapsis Research Labs or publicly. As always, this is a best-effort development and offered “as-is” with no warranty or liability. We strongly recommend complementing this tool usage with a thorough review of potentially vulnerable and compromised systems. 

Download the tool from the Onapsis Github repository here.

Special Support for SAP Customers 

To support qualified SAP customers that require investigation, threat remediation, and additional post-compromise security monitoring, Onapsis is offering a complimentary assessment and a 3-month free subscription to the Onapsis Platform. Please contact [email protected] for more information.

Frequently Asked Questions

Q: Which SAP NetWeaver Java System versions are affected by this vulnerability?

A: SAP has confirmed, in their FAQ SAP Note #3596125, that all 7.xx versions and all SPS are affected.

Q: If we have NetWeaver Java “7.x SPS x” with the Visual Composer Framework installed, are we still vulnerable?

A: Yes – it is highly likely that those systems running the older version of NetWeaver are vulnerable. Additionally, it’s worth noting that SAP NetWeaver Application Server Java 7.40 or below versions are not supported and do not receive updates. For these older versions, you will have to implement one of the workaround options detailed in SAP Note 3593336 if you are unable to upgrade (and subsequently patch) the system.

Q: Which component of the SAP NetWeaver Java System is impacted?

A: The SAP Visual Composer (VCFRAMEWORK) application.

Q: If our SAP is not an Internet-facing environment, are we just worried about insider threats or are we still vulnerable from malicious attackers?

A: The only thing that will change if the SAP application is not Internet-facing is the frequency of exploitation. This vulnerability is CVSS 10.0 and should be considered critical and acted on immediately. Due to the nature of the vulnerability and how it is exploited, we expect to see automated exploit tools taking advantage of this vulnerability and tools that could easily be executed from within a network. Additionally, this could be leveraged by malicious software such as malware or ransomware.

Q: Was this vulnerability found by a researcher, or is it being exploited in the wild and some security services detected the actual attacks?

A: This vulnerability was identified based on the observations of active exploitation across SAP applications in the wild by several different incident response teams and security researchers. It was first publicly discussed in a blog post by ReliaQuest.

Q: Are there any specific sectors or industries that malicious attackers are targeting based on the research so far?

A: We are gathering consolidated information related to the targeted industries, but at this stage, all critical infrastructure should be considered at high risk based on the level of threat activity we have seen. Due to the severity of the vulnerability (CVSS 10.0) and how it can be exploited over HTTP, all organizations should take steps to patch or mitigate immediately, in light of the threat activity we have seen over the past couple of days.

Q: Are there any specific operating systems platforms that are particularly vulnerable to ransomware?

A: In general, Microsoft Windows-based OSs are preferred targets for ransomware gangs because they have everything instrumented when it comes to ransomware. However, the threat of ransomware is not limited to just Windows, so it is best not to assume that if your SAP systems are running on a non-Windows OS you are immune from a ransomware attack.

Q: How can I check if the Visual Composer is installed?

A: You need to list the components of the SAP System. If “VISUAL COMPOSER FRAMEWORK”, or VCFRAMEWORK is installed, then the system is vulnerable, meaning you will have to apply the patch from SAP Security Note #3594142 or leverage one of the mitigations in SAP Note #3593336, which basically makes the component unreachable.

If you are an Onapsis customer, you can use Assess to scan all your Java systems. Assess will identify not only the systems that have the component but report an issue for any that have the component and are not secured against the vulnerability.