SAP Issues Emergency Patch for Critical NetWeaver Vulnerability Amid Active Exploits

SAP has urgently released patches for a critical zero-day vulnerability (CVE-2025-31324) in NetWeaver Visual Composer that attackers have exploited to take control of servers.

This flaw, which carries the maximum CVSS score of 10.0, allows unauthenticated attackers to upload arbitrary files through the Metadata Uploader component, leading to remote code execution.

ReliaQuest and watchTowr both confirmed that attackers have been using this vulnerability to install webshells and deploy tools like Brute Ratel for stealthy control.

Although SAP initially stated it had seen no evidence of successful customer breaches, multiple cybersecurity firms have observed active exploitation in the wild.

Organizations that only installed SAP’s April 8th updates remain vulnerable unless they apply the new emergency patches.

The fix also addresses two additional critical issues in SAP S/4HANA and SAP Landscape Transformation.

Companies unable to patch immediately are advised to restrict endpoint access, disable Visual Composer if unused, and monitor systems for suspicious activity. Onapsis further supported findings of active exploitation, emphasizing the urgent need for mitigation.
