Critical Zero-Day Vulnerability Impacts SAP

Published: 26/April/2025


Key Takeaways

⇨ A critical vulnerability in the Metadata Uploader component of SAP NetWeaver Visual Composer, tracked as CVE-2025-31324, has a CVSS score of 10 and is being actively exploited; organisations must urgently assess their systems for vulnerability.

⇨ SAP has released emergency patches and workarounds to mitigate the risk; users are advised to implement these solutions immediately, including applying SAP Note 3594142 and restricting access to the Metadata Uploader component.

⇨ Organisations should enhance their cybersecurity practices by ensuring regular patching, implementing a proactive security posture, and participating in educational resources provided by SAP security partners to better protect their systems.

In an update to the April SAP Security Patch Day, held earlier in the month, SAP published three additional Security Notes on April 24, 2025. One of them addresses a vulnerability now tracked as CVE-2025-31324, which carries the maximum possible CVSS score of 10.0 and is being actively exploited to compromise SAP systems. SAP has released an emergency fix for the issue, delivered through SAP Security Note 3594142.

The issue is a severe vulnerability in the Metadata Uploader component of SAP NetWeaver Visual Composer. According to SAP's security advisory, exploitation requires no authentication or special privileges and is not complex for threat actors to carry out. The root cause is a missing authorisation check in the Metadata Uploader: the component accepts uploads without verifying that the caller is an authenticated, authorised user. This allows unauthenticated attackers to upload arbitrary files, including executable content such as JSP web shells, to an affected system and then invoke them remotely over HTTP. Successful exploitation gives the attacker code execution on the SAP server and can lead to full compromise of the system and the data it holds.

Any organisation running a vulnerable version of SAP NetWeaver Visual Composer is at significant risk. Because the fix was only published on April 24, systems that were fully up to date as of the regular April Patch Day are still vulnerable, so organisations should not assume their patch level protects them. They should immediately either apply the patch or implement the workaround SAP has documented in SAP Note 3593336.


The vulnerability was initially uncovered by the ReliaQuest Threat Research Team during incident response engagements in April in which it investigated multiple SAP NetWeaver intrusions. ReliaQuest found that attackers had uploaded JSP web shells into publicly accessible directories, as detailed in its report on the issue. SAP partner Onapsis has since confirmed the activity through its SAP threat intelligence sensors.

What This Means for Mastering SAP Insiders

Check whether any of your SAP systems are vulnerable. The initial discovery found that even SAP systems running the latest service packs with all prior patches applied were vulnerable, because no fix existed before April 24. This makes it critical for every SAP customer to determine immediately which systems in their estate are exposed. Start by establishing which NetWeaver Java systems have Visual Composer deployed at all: a system without the component is not exposed by this issue, while every system that has it should be treated as vulnerable until SAP Note 3594142 is confirmed applied. Given that SAP NetWeaver systems typically run on-premise, they may not have received the same level of cybersecurity attention as workloads running in cloud environments.

Patch the vulnerability, or implement a workaround, as soon as possible. Apply SAP Note 3594142 without delay. Also restrict access to the Metadata Uploader component so that only authenticated, authorised users are able to upload content to the system. Where the patch cannot be applied immediately, follow the temporary workaround described in SAP Note 3593336. Because the vulnerability is already being exploited, patching is not sufficient on its own: review exposed systems for web shells and other signs of compromise before and after applying the fix, since neither the patch nor the workaround removes files an attacker has already uploaded.
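To make the "check" and "patch" advice above concrete, here is an added Python example written for this page (it is not code from SAP, ReliaQuest or Onapsis). It hunts for the indicators the article describes: unauthenticated POST requests to the Metadata Uploader in HTTP access logs, follow-up requests to .jsp files in web-served portal directories, and .jsp files on disk that are not on an allowlist. The uploader path `/developmentserver/metadatauploader`, the directory names under `irj/`, the common-log-format layout and the log lines themselves are assumptions constructed for the demo; confirm the path and directories against SAP Notes 3594142 and 3593336 and your own instance layout before relying on them.

```python
import re
import tempfile
from pathlib import Path

# Path of the Visual Composer Metadata Uploader. ASSUMPTION for this demo:
# confirm it against SAP Notes 3594142 / 3593336 before using it in detection.
UPLOADER_PATH = "/developmentserver/metadatauploader"

# Web-served directories of the NetWeaver Java portal where an uploaded JSP
# would be reachable over HTTP. ASSUMPTION: check your own instance layout.
WEB_DIRS = ("irj/root", "irj/work", "irj/work/sync")

# Common-log-format style line: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log lines for the demo (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - jdoe [24/Apr/2025:09:12:01 +0000] "GET /irj/portal HTTP/1.1" 200 5120
203.0.113.7 - - [24/Apr/2025:09:13:44 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 312
203.0.113.7 - - [24/Apr/2025:09:13:50 +0000] "GET /irj/root/helper.jsp?cmd=whoami HTTP/1.1" 200 88
10.0.0.9 - - [24/Apr/2025:10:02:17 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 403 0
this line is malformed and is skipped by the parser
"""


def parse_log(text):
    """Yield one dict per parseable access-log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def find_uploader_hits(text):
    """Write requests to the uploader path. A 200 from an unauthenticated source is
    the exploitation pattern; a 403 shows the access restriction blocking an attempt."""
    hits = []
    for r in parse_log(text):
        if r["path"].split("?")[0].lower() == UPLOADER_PATH and r["method"] in ("POST", "PUT"):
            hits.append({"ip": r["ip"], "ts": r["ts"], "status": int(r["status"]),
                         "unauthenticated": r["user"] == "-"})
    return hits


def find_jsp_requests(text):
    """Requests for .jsp resources inside the web-served dirs, i.e. a web shell being invoked."""
    out = []
    for r in parse_log(text):
        p = r["path"].split("?")[0]
        if p.lower().endswith(".jsp") and any(p.lstrip("/").startswith(d) for d in WEB_DIRS):
            out.append((r["ip"], p))
    return out


def find_unexpected_jsp(instance_root, allowlist=frozenset()):
    """Walk the web-served dirs and return .jsp files (relative paths) not on the allowlist."""
    root = Path(instance_root)
    found = set()
    for d in WEB_DIRS:
        base = root / d
        if not base.is_dir():
            continue
        for p in base.rglob("*.jsp"):
            rel = p.relative_to(root).as_posix()
            if rel not in allowlist:
                found.add(rel)
    return sorted(found)


def build_sample_tree():
    """Constructed directory layout for a stand-alone demo (not a real instance)."""
    root = Path(tempfile.mkdtemp(prefix="nw_demo_"))
    (root / "irj/root").mkdir(parents=True)
    (root / "irj/work/sync").mkdir(parents=True)
    (root / "irj/root/index.jsp").write_text("<%-- legitimate, allowlisted page --%>")
    (root / "irj/root/helper.jsp").write_text("<% /* suspicious: not on the allowlist */ %>")
    (root / "irj/work/sync/cache.jsp").write_text("<% /* suspicious: not on the allowlist */ %>")
    return root


if __name__ == "__main__":
    print("uploader hits:", find_uploader_hits(SAMPLE_LOG))
    print("jsp requests:", find_jsp_requests(SAMPLE_LOG))
    demo_root = build_sample_tree()
    print("unexpected jsp:", find_unexpected_jsp(demo_root, allowlist={"irj/root/index.jsp"}))
```

On the constructed input the script reports two uploader hits: an unauthenticated POST that succeeded (200) from 203.0.113.7, followed seconds later by that same source requesting `/irj/root/helper.jsp`, which is the upload-then-invoke sequence the article describes; and a 403 from 10.0.0.9, which is what a correctly applied access restriction looks like in the log. The filesystem pass then surfaces the two .jsp files that are not on the allowlist, which is the check to run both before and after patching, since the patch does not remove files already uploaded.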

Learn about the issue and how to better protect your systems. Multiple SAP security partners are updating their communities on the issue. Some, like Onapsis, have already scheduled webinars to explain the vulnerability and ensure that organisations know how to address it. More importantly, every SAP customer should have, and follow, a plan for regular patching and updating, and should maintain a cybersecurity incident response plan that explicitly covers SAP systems. Given that the number of cyberattacks continues to increase and more high-severity vulnerabilities are being discovered in SAP systems, a proactive security posture is vital.
