Protecting Against Zero Day SAP Vulnerabilities: CVE-2025-31324 & CVE-2025-42999

New Intelligence to Protect SAP from Ransomware and Data Breaches

On April 24, 2025, SAP released an emergency patch for a CVSS 10.0 zero-day vulnerability that affects SAP Visual Composer, an optional but broadly installed component present in 50-70% of SAP Java systems worldwide.
This vulnerability is actively being exploited in the wild, as noted by Onapsis Threat Intelligence and multiple IR firms and security researchers. It was first publicly reported by ReliaQuest.

Read our resource page to learn more about the threat and potential business impact of this critical zero-day vulnerability as well as get recommendations and tools to help you mitigate:

  • Details about the CVE-2025-31324 and CVE-2025-42999 vulnerabilities.
  • Reporting on active exploitation in the wild and observations from Onapsis Research Labs.
  • How to determine if you’ve been exploited.
  • Recommendations on how to patch or mitigate this vulnerability in your essential SAP systems.
  • Access to open-source scanning tools and a YARA rule from Onapsis Research Labs.

Unpacking CVE-2025-31324

CVE-2025-31324 is a critical zero-day vulnerability in the SAP NetWeaver Visual Composer component, rated CVSS 10.0. Actively exploited in the wild, this flaw allows unauthenticated remote code execution (RCE) and poses an immediate risk to vulnerable SAP Java systems.

Affected Component

The vulnerability resides in the /developmentserver/metadatauploader endpoint within SAP Visual Composer (NetWeaver 7.x). Although not installed by default, Visual Composer is enabled in approximately 50–70% of SAP Java systems, due to its historical use in no-code business application development.

Exploitation Method

Threat actors exploit this issue by sending unauthenticated HTTP POST requests to the vulnerable endpoint, enabling arbitrary file upload, typically of web shells such as helper.jsp or cache.jsp. Successful exploitation results in full system compromise with adm privileges.

Detection and Indicators of Compromise

Systems compromised via CVE-2025-31324 often contain suspicious .jsp, .class, or .java files in the following directories:

  • /irj/root/
  • /irj/work/
  • /irj/work/sync/

Refer to SAP Note 3596125 for detailed guidance on identifying indicators of compromise.
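As an added example (not the Onapsis open-source scanner and not code from this page), the following Python script turns the indicators above into two checks a defender can run offline: it flags access-log entries that are POST requests to the metadatauploader endpoint or fetches of .jsp files from the listed drop directories, and it walks those directories under the Java instance's web root for .jsp, .class or .java files. The log format (a simplified Common Log Format), the assumption that the irj directories sit directly under the web root, and the sample log lines are constructed; the endpoint path is the one described on the page.

```python
"""Offline triage helpers for CVE-2025-31324 indicators (added example).

Assumptions not taken from the page: access logs are in a simplified
Common Log Format, and the IoC directories live directly under the
Java instance's web root. All sample data below is constructed.
"""
import re
from pathlib import Path

# Vulnerable Visual Composer endpoint, as described on the page.
METADATAUPLOADER = "/developmentserver/metadatauploader"

# Drop directories listed on the page, relative to the web root.
IOC_DIRS = ("irj/root", "irj/work", "irj/work/sync")
IOC_SUFFIXES = {".jsp", ".class", ".java"}

# Simplified Common Log Format: client ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample: one benign portal hit, one POST to the uploader,
# one GET probe (not flagged by this rule), one fetch of a dropped JSP,
# and one unparseable line to show the parser skips it.
SAMPLE_LOG = [
    '203.0.113.5 - - [24/Apr/2025:10:00:01 +0000] "GET /irj/portal HTTP/1.1" 200 512',
    '203.0.113.5 - - [24/Apr/2025:10:00:07 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 1187',
    '198.51.100.9 - - [24/Apr/2025:10:01:30 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 200 233',
    '203.0.113.5 - - [24/Apr/2025:10:02:11 +0000] "GET /irj/root/helper.jsp HTTP/1.1" 200 64',
    'garbage line that does not parse',
]


def flag_requests(log_lines):
    """Return one dict per suspicious request: POSTs to the uploader endpoint,
    or any request for a .jsp under one of the drop directories."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than abort the sweep
        method, raw_path = m.group("method"), m.group("path")
        # Drop the query string and normalise case before comparing.
        path = raw_path.split("?", 1)[0].rstrip("/").lower()
        reason = None
        if method == "POST" and path == METADATAUPLOADER:
            reason = "POST to Visual Composer metadatauploader"
        elif path.endswith(".jsp") and any(path.startswith(f"/{d}/") for d in IOC_DIRS):
            reason = "JSP requested from a known drop directory"
        if reason:
            hits.append({"client": m.group("client"), "method": method,
                         "path": raw_path, "status": int(m.group("status")),
                         "reason": reason})
    return hits


def scan_ioc_dirs(webroot):
    """Walk the drop directories under webroot and return relative paths of
    .jsp/.class/.java files found there. Results are deduplicated because
    irj/work/sync sits inside irj/work and would otherwise be walked twice."""
    root = Path(webroot)
    found = set()
    for rel in IOC_DIRS:
        d = root / rel
        if not d.is_dir():
            continue
        for p in d.rglob("*"):
            if p.is_file() and p.suffix.lower() in IOC_SUFFIXES:
                found.add(p.relative_to(root).as_posix())
    return sorted(found)


def triage(log_lines, webroot):
    """Combine both checks into one report; 'clients' lists sources to pivot on."""
    hits = flag_requests(log_lines)
    files = scan_ioc_dirs(webroot)
    return {
        "suspicious_requests": hits,
        "suspicious_files": files,
        "clients": sorted({h["client"] for h in hits}),
        "needs_ir": bool(hits or files),
    }


if __name__ == "__main__":
    import json
    import sys
    # Usage: python triage.py /path/to/java/webroot  (defaults to the current directory)
    webroot = sys.argv[1] if len(sys.argv) > 1 else "."
    print(json.dumps(triage(SAMPLE_LOG, webroot), indent=2))
```

Any hit from either check is a reason to treat the host as compromised and start incident response rather than simply delete the file: the web shell is the symptom, and the page's guidance (SAP Note 3596125 and the Onapsis/Mandiant scanner) covers the fuller indicator set. A GET to the endpoint is deliberately not flagged here, because the page attributes exploitation to POST requests; it is still worth reviewing as reconnaissance.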

Mitigation and Patch Guidance

  • Apply the emergency patch from SAP Security Note 3594142
  • If patching is not immediately possible, follow the mitigation steps in SAP Note 3593336
  • Onapsis Assess enables identification of unpatched systems across your SAP landscape
  • Onapsis Defend detects and alerts on malicious POST activity targeting SAP Visual Composer

Why Onapsis Research Labs?

Onapsis Research Labs was the first to observe reconnaissance activity related to CVE-2025-31324 in January 2025, weeks before the vulnerability was officially identified. Our team has since:

  • Identified and documented active exploitation across customer environments
  • Coordinated directly with SAP and incident response teams
  • Released an open-source IOC scanner in partnership with Mandiant
  • Provided comprehensive threat intelligence briefings and mitigation guidance to the SAP security community

As the most experienced SAP cybersecurity research team in the world, Onapsis continues to lead with real-time detection, rapid response, and actionable insights. See below for additional SAP security information and resources regarding CVE-2025-31324:

ON DEMAND WEBINAR

Onapsis and Mandiant: Latest Intelligence on CVE-2025-31324
Critical SAP Zero-Day Vulnerability Under Active Exploitation

In this webinar with Mandiant you will hear direct insight from leading threat intelligence experts on the active SAP zero-day vulnerability (CVE-2025-31324), its real-world impact, and how your team can respond effectively.

Related Articles

CVE-2025-31324 Frequently Asked Questions

If we have NetWeaver Java 7.0 with Visual Component Framework installed, is it still vulnerable?

Yes, it is very likely that that version of NetWeaver Java is vulnerable. Additionally, that version of NetWeaver Java is no longer supported by SAP, and as a result SAP will not issue security patches to address this vulnerability on that version. Our recommendation is to follow one of the workaround steps described in the SAP Note and to have a plan to upgrade that system to a version of NetWeaver Java that is supported by SAP.

If our SAP is not an internet-facing environment, are we just worried about insider threats? Or are we still vulnerable from malicious attackers?

The only thing that will change if the SAP Application is not internet-facing is the frequency of exploitation. The vulnerability should still be considered critical and should be acted on immediately. Due to the nature of the vulnerability and how it is exploited, we expect to see automated exploit tools taking advantage of this vulnerability or tools that could easily be executed from within a network. Additionally, this could be leveraged by malicious software such as malware or ransomware.

Are there any specific sectors or industries that malicious attackers are targeting based on the research so far?

We are gathering consolidated information related to the targeted industries, but at this stage all critical infrastructure should be considered at high risk based on the level of threat activity Onapsis Research Labs has seen. Having said that, all organizations are at high risk, due to the nature of this vulnerability, the exploitation over HTTP, and the level of threat activity seen over the past couple of days.

Are there any specific OS platforms that are particularly vulnerable to ransomware?

In general, Windows-based OSs are a preferred target for ransomware gangs, because they have everything instrumented when it comes to ransomware, but it is not limited to just Windows. I would not assume that if your SAP systems are running on a non-Windows OS you are immune from a ransomware attack.

How can I check if the Visual Composer is installed?

You need to list the components of the SAP system. If “VISUAL COMPOSER FRAMEWORK” or VCFRAMEWORK is installed, then the system is vulnerable, unless you apply the patch from SAP Security Note #3594142 or the mitigations in SAP KB #3593336 (which are basically to make the component unreachable).

If you are an Onapsis customer, you can use Assess to scan all your Java systems. Assess will identify not only the systems that have the component, but also report an issue for any that have the component and are not secured against the vulnerability.

On April 27, 2025, Onapsis Research Labs released an open-source scanner for CVE-2025-31324. Please see Open-Source Scanner for CVE-2025-31324 for more information.

Could SAP Solution Manager 7.2 be affected by this vulnerability?

It depends on whether the vulnerable component was included in the installation of that Solution Manager system. You will have to list the Java components of your Java SID, looking for the “VISUAL COMPOSER FRAMEWORK” or VCFRAMEWORK component.

Was this bug reported by a researcher, or is it being exploited in the wild and being detected by DFIR services?

The vulnerability was not reported by any security researcher. It is unknown who found it, but it was being widely exploited across SAP applications. It is important to stress that this is not the result of theoretical research in a lab; there is active and ongoing exploitation of this vulnerability in the wild.

Further Reading

Want a more in-depth exploration? Start with these related pieces, then visit our Resources page for more.

Stay Ahead of Vulnerabilities with Onapsis Research Labs

Cybersecurity demands proactive measures, and protecting your SAP systems from the vulnerabilities being exploited is a critical endeavor. Don’t hesitate—reach out to us today to start strengthening your SAP environment’s security. Together, we can ensure your systems remain resilient and safeguarded against evolving threats.