Webinars

Critical SAP Zero-Day Vulnerability Under Active Exploitation (CVE-2025-31324)

April 29, 2025

Active exploitation against a zero-day vulnerability in SAP systems in the wild.

ON DEMAND

Evidence of active attacks against this vulnerability has been observed by ReliaQuest, Onapsis Threat Intelligence, and confirmed by multiple IR firms in recent active investigations.

SAP published an emergency security patch on April 24, 2025 to address this issue. The vulnerability is of critical severity (CVSS 10) and affects the SAP Visual Composer component of SAP Java systems, a component that is not enabled by default.

Critical Exploit Details:

  • Unauthenticated threat actors can exploit CVE-2025-31324.
  • Attackers can gain full control of vulnerable SAP systems.
  • Risks include unrestricted access to SAP business data and processes, ransomware deployment, and lateral movement.
  • Continued exploitation is expected against vulnerable internet-facing SAP Java systems.

Unauthenticated threat actors can exploit the vulnerability to gain full control of vulnerable SAP systems, including unrestricted access to SAP business data and processes, deploy ransomware within SAP, and move laterally. Given the observed activity and the vulnerability's characteristics, we expect continued exploitation against vulnerable internet-facing SAP Java systems.

SAP and Onapsis urge customers to take immediate action. This issue can be mitigated by applying SAP Note 3594142. If you are unable to apply the patch in a timely fashion, SAP's recommended mitigation is to either disable or prevent access to the vulnerable component; more information is provided in SAP Note 3596125.

Urgent Actions Required:

  • Apply SAP Note 3594142 to patch the issue.
  • If you cannot apply the patch immediately, SAP recommends disabling or preventing access to the vulnerable component (see SAP Note 3596125).

In the meantime, you can also read our detailed blog and access the CVE-2025-31324 scanner for an immediate assessment.

Speakers

Juan Pablo “JP” Perez-Etchegoyen

Chief Technology Officer
Onapsis

Alex Horan

Vice President of Product Management
Onapsis

Ready to eliminate your SAP cyber security blindspot?

Let us show you how simple it can be to protect your business applications.