Active Exploitation of SAP Zero-Day Vulnerability (CVE-2025-31324, SAP Security Note 3594142)

Note: This is a developing campaign under active analysis. We will continue to add more indicators, hunting tips, and information to this blog post as needed. Please bookmark for updates.
Latest Update: April 25, 2025 at 10:58 a.m. ET
Onapsis is hosting live SAP threat intelligence briefings for CVE-2025-31324 and SAP Security Note 3594142 on April 25, 2025 and on April 29, 2025. Register.
Executive Summary
- A zero-day, CVSS 10.0 vulnerability is being actively exploited in the wild.
- CVE-2025-31324 affects SAP Visual Composer, allowing unauthenticated threat actors to upload arbitrary files, resulting in immediate full compromise of the targeted system.
- SAP Visual Composer is not installed by default, but is broadly enabled because it was a core component used by business process specialists to develop business application components without coding.
- Evidence of active exploitation was noted by Onapsis Threat Intelligence and reported by multiple IR firms and security researchers.
- First public report was via a public blog posted by security research firm ReliaQuest.
- SAP released an emergency patch for this issue on April 24, 2025 at approximately 1:00 PM EST (US).
- Patching, mitigation, and – if exposed – compromise assessment should be critical priorities.
The Vulnerability
Affected Component: The vulnerability exists in the SAP Visual Composer component for SAP NetWeaver 7.xx (all SPS), specifically within the “developmentserver” part of the application. This component is part of the SAP NetWeaver Java stack. While not installed by default, it is widely enabled across existing SAP NetWeaver Application Server Java systems due to its broad usefulness in assisting business process specialists with developing business components without the use of coding.
Root Cause: The fundamental issue is an improper authentication and authorization check in the application. In practice, the Metadata Uploader is not protected when an unauthenticated user invokes some of its functionality.
Vulnerability Type: As the vulnerability relies on the fact that no authentication is enforced when accessing certain privileged functionality, the type of vulnerability can be associated with CWE ID: CWE-862 Missing Authorization or CWE-306: Missing Authentication for Critical Function.
Criticality: The vulnerability has been graded with a CVSS of 10, since it allows for a full system compromise, if successfully exploited.
Exploitation Method: The vulnerability is exploitable through HTTP/HTTPS, potentially over the Internet. Attackers target the /developmentserver/metadatauploader URL by sending carefully crafted POST requests.
Authentication Requirement: No authentication is required to exploit it; an unauthenticated threat actor can interact directly with the vulnerable component.
Technical Impact: The exploitation allows arbitrary file upload. Threat actors can upload potentially malicious code files, most commonly webshells. Examples of filenames observed include “helper.jsp” and “cache.jsp”.
Attack Surface: While the SAP Visual Composer component is an optional component to install, Onapsis research indicates this component is installed and enabled in at least 50% of Java systems, with the research indicating the percentage could be as high as 70%.
Exploitation & Business Impact
It is important to stress that at the time of posting, no publicly available exploit code has been published. However, be aware that active exploitation of this vulnerability continues to be observed in the wild. Onapsis Research Labs will continue to update this resource with further guidance and additional information as it is uncovered.
Active Exploitation in the Wild
- In April 2025, Onapsis Research Labs obtained evidence of active exploitation of this zero-day vulnerability through Onapsis Threat Intelligence. Onapsis observed this activity on Internet-facing SAP applications and was also contacted by SAP customers who shared their own observations. Concurrently, multiple incident response firms and security researchers reported observing active exploitation.
- On April 22, 2025 ReliaQuest publicly reported observations. Their assessment, based on the fact that exploitation occurred on systems with recent patches, was that it likely involved the use of an unreported RFI issue against public SAP NetWeaver servers.
- On April 22, 2025, SAP acknowledged the issue, describing the symptom as “Unfamiliar files found in SAP NetWeaver Java file system”. This symptom was detailed in SAP KBA 3593336. The FAQ document (SAP Note 3596125, released April 24, 2025) confirmed that unfamiliar files like ‘.jsp’, ‘.java’, or ‘.class’ in specific paths like …\irj\root, …\irj\work, and …\irj\work\sync are common targets and should be considered malicious.
- On April 24, 2025, SAP officially identified the vulnerability as CVE-2025-31324, described as a “Missing Authorization check in SAP NetWeaver (Visual Composer development server)”. SAP confirmed the root cause is an improper authorization check allowing an unauthenticated agent to upload potentially malicious executable binaries.
- [Under Active Development. Timeline will continue to be updated.]
Exploitation Details
Exploitation happens via a POST request to the vulnerable component. Upon successful exploitation, threat actors are able to upload arbitrary files. Threat actors have been observed uploading web shells to vulnerable systems. These webshells allow the threat actor to execute arbitrary commands in system context, with the privileges of the <sid>adm Operating System user, giving them full access to all SAP Resources.
POST /developmentserver/metadatauploader?CONTENTTYPE=MODEL&CLIENT=1 HTTP/1.1
Host: <REDACTED>
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Type: x
Content-Length: 714

<POST_BODY_REDACTED>
Example of exploitation of the vulnerability
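Because SAP's own logging keeps little detail for POST requests, the most practical place to hunt for the request pattern above is the access log of whatever sits in front of the Java stack (reverse proxy, load balancer, WAF). The following is an added example, not part of the Onapsis post and not an Onapsis or SAP tool: it assumes an Apache "combined" log format and tags every request whose path is /developmentserver/metadatauploader, distinguishing POSTs (the upload attempt the post describes) from other methods (probes). The log lines at the bottom are constructed sample data; the IP addresses are documentation ranges.

```shell
#!/bin/sh
# Added example (not from the Onapsis post): hunt an access log in Apache
# "combined" format for interactions with the vulnerable Visual Composer
# endpoint. Field layout assumed:
#   ip ident user [time zone] "METHOD PATH PROTO" status bytes "referer" "ua"
# Adjust the field numbers if your proxy logs in another format.

# hunt_metadatauploader [logfile...]: reads the given files (or stdin) and prints
#   <tag> <client_ip> <time> <zone> <status> <request_path>
# for every request to /developmentserver/metadatauploader. POST requests are
# tagged UPLOAD_ATTEMPT; any other method is tagged PROBE.
hunt_metadatauploader() {
  awk '
    {
      path = tolower($7)
      sub(/[?].*$/, "", path)                 # drop the query string before comparing
      if (path != "/developmentserver/metadatauploader") next
      method = substr($6, 2)                  # $6 is "\"POST" in combined format
      tag = (method == "POST") ? "UPLOAD_ATTEMPT" : "PROBE"
      gsub(/\[|\]/, "", $4)                   # strip the brackets around the timestamp
      gsub(/\[|\]/, "", $5)
      print tag, $1, $4, $5, $9, $7
    }
  ' "$@"
}

# Constructed sample log (not real traffic). Run as: sh hunt.sh
# To hunt a real log instead: hunt_metadatauploader /var/log/proxy/access.log
hunt_metadatauploader <<'EOF'
203.0.113.10 - - [22/Apr/2025:03:14:07 +0000] "POST /developmentserver/metadatauploader?CONTENTTYPE=MODEL&CLIENT=1 HTTP/1.1" 200 714 "-" "Mozilla/5.0"
198.51.100.5 - - [22/Apr/2025:03:15:01 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 405 0 "-" "Mozilla/5.0"
198.51.100.5 - - [22/Apr/2025:03:15:30 +0000] "POST /irj/portal HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
EOF
```

On the sample, the first line is reported as UPLOAD_ATTEMPT and the second as PROBE; the portal request is ignored. A 200 response to a POST on an unpatched system is the case to escalate, but a PROBE from the same source shortly before an UPLOAD_ATTEMPT is worth correlating as well, since the post notes that any attempt to interact with the component is of interest.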
Business Impact
With <sid>adm access, the attacker gains unauthorized access to the underlying SAP Operating System using the user and privileges of the processes running in the SAP Application Server, implying full access to any SAP resource, including the SAP system database without any restrictions, permitting them to take several actions (e.g., shut down the SAP application or deploy ransomware).
Additionally, the system can be used as a foothold into a network for the attacker to pivot from this initial entry point and access other internal systems, taking advantage of the interconnected nature of SAP systems.
As always, the potential for immediate full compromise is a serious matter and one that should be prioritized by your team. It could lead to malicious and unauthorized business activity affecting critical SAP systems, including but not limited to modifying financial records, deploying ransomware, viewing personally identifiable information (PII), corrupting business data, and deleting or modifying logs, traces, and other actions that jeopardize essential business operations.
Furthermore, for organizations subject to strong regulatory requirements (e.g., US: SEC Rules on Cybersecurity; EU: NIS2) or industry compliance frameworks (e.g., Sarbanes-Oxley, NERC), the resulting deficiency in IT controls for such regulatory or compliance mandates could be significant and far reaching, including (but again not limited to) corporate liability for corrupted or modified data, exfiltration of sensitive and/or financial data, and the exposure of PII.
Patching for CVE-2025-31324, mitigation if you are unable to patch, and – if exposed – compromise assessment should all be critical priorities.
Assessing Exposure
To determine whether your systems are vulnerable, list the installed components of each SAP Java system. If either VISUAL COMPOSER FRAMEWORK or VCFRAMEWORK is listed as installed, the system has the targeted component.
The following screenshot illustrates the listing of components, filtered by the affected component, which is VCFRAMEWORK. This can be obtained by navigating to the homepage of the SAP NetWeaver Application Server Java → System Information → Components Info (tab).
Image 1: Example of a vulnerable component version.
You then need to manually review whether the patch from SAP Security Note #3594142 has been applied or one of the mitigations in SAP KB #3593336 has been implemented. For Onapsis customers, please review the Onapsis Platform Coverage section in this article to see how this assessment can be done automatically across your entire landscape.
Indicators of Compromise
SAP has provided guidance on determining if systems have already been compromised in SAP Note #3596125 – this note details the following steps:
Check the root of the following OS directories for the presence of ‘jsp’, ‘java’, or ‘class’ files.
- C:\usr\sap\<SID>\<InstanceID>\j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\root
- C:\usr\sap\<SID>\<InstanceID>\j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\work
- C:\usr\sap\<SID>\<InstanceID>\j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\work\sync
The presence of these files is an indication an attacker has leveraged the vulnerability to upload arbitrary files. The system should be considered compromised and the appropriate incident response plan should be followed.
The following image illustrates a potential review of a given SAP Application:
[root@sapserver irj]# pwd
/usr/sap/<SID>/<INSTANCE>/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj
[root@sapserver irj]# find . -type f -name "*.jsp" -ls
[root@sapserver irj]# find . -type f -name "*.java" -ls
[root@sapserver irj]# find . -type f -name "*.class" -ls
Observed Tactics
Different tactics have been observed by the Onapsis Research Labs, mapped to the MITRE ATT&CK Framework:
- T1190 (Exploit Public-Facing Application)
- T1505.003 (Server Software Component: Web Shell)
Additionally, the ReliaQuest research team provided the following IOCs to search across SAP Applications:
- Helper.jsp webshell: 1f72bd2643995fab4ecf7150b6367fa1b3fab17afd2abed30a98f075e4913087
- Cache.jsp webshell: 794cb0a92f51e1387a6b316b8b5ff83d33a51ecf9bf7cc8e88a619ecb64f1dcf
- Any files with .jsp, .class or .java extensions within the following directories should be considered malicious:
- /usr/sap/<SID>/<InstanceID>/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root
- /usr/sap/<SID>/<InstanceID>/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/work
- /usr/sap/<SID>/<InstanceID>/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/work/sync
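The SAP Note 3596125 file check above and the ReliaQuest hashes can be combined into one read-only triage script. The following is an added example, not part of the Onapsis post and not an SAP or Onapsis tool: it walks the irj root and work directories (work/sync is a subdirectory of work, so it is covered), lists every .jsp, .java or .class file, hashes each one and labels it KNOWN_WEBSHELL when the SHA-256 matches one of the two hashes quoted above, or SUSPICIOUS otherwise. The irj path argument, <SID> and <InstanceID> are placeholders you supply; the two hashes are the ones published in this post.

```shell
#!/bin/sh
# Added example (not from the Onapsis post): read-only IoC triage for the
# directories named in SAP Note 3596125. Usage:
#   sh scan_irj.sh /usr/sap/<SID>/<InstanceID>/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj
# It only reads and hashes files; it never deletes anything, so evidence is preserved.

# SHA-256 hashes of the helper.jsp and cache.jsp webshells, as published by ReliaQuest.
KNOWN_HASHES='1f72bd2643995fab4ecf7150b6367fa1b3fab17afd2abed30a98f075e4913087
794cb0a92f51e1387a6b316b8b5ff83d33a51ecf9bf7cc8e88a619ecb64f1dcf'

# sha256_of <file>: SHA-256 via coreutils, falling back to Perl's shasum.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# classify_hash <sha256>: KNOWN_WEBSHELL if the hash is a published IoC, else SUSPICIOUS.
# Any .jsp/.java/.class file in these directories is an indicator, so a non-matching
# hash is still flagged; the match only tells you which known payload you are looking at.
classify_hash() {
  if printf '%s\n' "$KNOWN_HASHES" | grep -qx "$1"; then
    echo KNOWN_WEBSHELL
  else
    echo SUSPICIOUS
  fi
}

# scan_irj <irj_dir>: <irj_dir> is .../irj/servlet_jsp/irj. Searches root/ and work/
# recursively (the post's own check also runs find from the irj directory) and prints
#   <status> <sha256> <path>
# per hit, sorted by path. Returns 1 when anything was found, 0 when the tree is clean.
scan_irj() {
  irj="$1"
  out=$(
    for sub in root work; do
      [ -d "$irj/$sub" ] || continue
      find "$irj/$sub" -type f \( -name '*.jsp' -o -name '*.java' -o -name '*.class' \)
    done | while IFS= read -r f; do
      h=$(sha256_of "$f")
      printf '%s %s %s\n' "$(classify_hash "$h")" "$h" "$f"
    done | sort -k3
  )
  [ -n "$out" ] || return 0
  printf '%s\n' "$out"
  return 1
}

if [ $# -gt 0 ]; then
  scan_irj "$1"
fi
```

The non-zero return when hits exist makes the function usable from a scheduled job or a fleet-wide SSH loop: any host where it returns 1 should be treated as compromised per the guidance above and handed to incident response rather than cleaned up in place. Note that a clean result only covers the paths SAP has named so far; the FAQ is still being updated.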
Remediation Steps
SAP has released the following notes to help customers protect themselves from this active threat:
- SAP Security Note #3594142 – Provides the hot fix support packages to help patch the vulnerability. Also points to SAP Note #3596125 and initial manual actions to identify evidence of prior exposure.
- SAP Note #3596125 – FAQ for Security Note #3594142. Please note that this document is evolving, and SAP continues to update this FAQ and guidance.
- SAP Note #3593336 – Provides workaround mitigation steps for customers that cannot apply the patch.
Onapsis Platform Coverage
Onapsis published comprehensive support for this vulnerability on April 24, 2025, the day SAP’s emergency patch was published.
- Onapsis Assess supports identifying all SAP systems with the vulnerable component;
- Onapsis Defend monitors and alerts on POST requests to an unpatched SAP Visual Composer component;
- A Threat Intel Center article was published, providing both details on the vulnerability and exploitation and a central location to view all vulnerable systems and any attempts to interact with the vulnerable component.
Onapsis Assess customers can run an assessment scan against their entire landscape to identify systems with the vulnerable component installed and unpatched, with no workaround/mitigation applied. Ongoing automatic scanning can track your progress addressing the vulnerable systems and removing the risk of compromise in your environment.
While remediation work is underway, Onapsis Defend customers have automatic monitoring of interactions with the vulnerable component. Due to the reduced level of detail captured in POST requests in SAP system logging, Defend cannot detect the presence of a webshell or other payload in the POST request itself, but it can alert if a POST request is made to a vulnerable SAP Visual Composer component.
On April 25, 2025, Onapsis offered two live briefings providing details on the vulnerability, the active exploitation, and mitigation guidance. A third session is scheduled for April 29, 2025.
Ongoing guidance continues to be published for our clients within the Onapsis SAP Defenders Community. This guidance will be updated as new information continues to be uncovered about this threat and its impact. The Onapsis SAP Defenders Community provides a forum for Onapsis customers to learn ongoing threat intelligence, gain access to exclusive resources, interact directly with Onapsis experts, and collaborate with other SAP security professionals.
Special Support for SAP Customers
To support qualified SAP customers that require investigation, threat remediation, and additional post-compromise security monitoring, Onapsis is offering a complimentary assessment and a 3-month free subscription to the Onapsis Platform. Please contact [email protected] for more information.