A critical zero-day vulnerability in SAP NetWeaver Visual Composer has been actively exploited in the wild since mid-April 2025, prompting emergency patches from SAP and urgent advisories from cybersecurity researchers worldwide. The flaw, tracked as CVE-2025-31324, enables unauthenticated attackers to upload and execute arbitrary files on vulnerable servers, potentially compromising entire enterprise environments.
The Exploit Mechanics
The vulnerability resides in the /developmentserver/metadatauploader endpoint of SAP NetWeaver Visual Composer, a component originally designed for importing metadata files during application development. Researchers at ReliaQuest discovered that this endpoint lacks proper access control and input sanitization, allowing anyone on the internet to upload files without authentication.
The attack chain follows a precise three-step process. First, attackers send crafted HTTP POST requests to the metadata uploader endpoint, embedding JSP-based webshells as file payloads; because the endpoint performs no sanitization, the uploads are accepted as-is. Second, the uploaded files are written directly to a publicly accessible path, /j2ee/cluster/apps/sapcom/irj/servlet_jsp/irj/root/, which is served by the SAP NetWeaver application server, so files placed in this directory can be invoked remotely via standard GET requests from any browser. Third, the JSP webshells contain Java code that reads commands from HTTP requests, executes them on the underlying operating system using Java’s Runtime.getRuntime().exec(), and returns the output directly in the HTTP response. This grants the attacker full remote code execution on the SAP server.
What makes this vulnerability particularly dangerous is that systems remain vulnerable even if the latest service packs and updates were applied prior to SAP’s April 24 patch. The component has been deprecated but remains active in many installations.
Affected Systems
SAP NetWeaver systems using Visual Composer are the primary targets. Organizations running SAP enterprise resource planning solutions across finance, manufacturing, logistics, and government sectors are potentially exposed. Given that SAP systems manage critical business processes and often contain highly sensitive financial and operational data, the attack surface extends far beyond the server itself.
Post-exploitation analysis by ReliaQuest revealed sophisticated attacker tradecraft. Threat actors deployed Brute Ratel, a commercial red-teaming toolkit, to establish persistent command-and-control access. Attackers used the webshell to write encoded C# payloads to disk, moved files into trusted directories such as C:\ProgramData\, and compiled and executed payloads via MSBuild.exe, the .NET Framework’s native build tool.
Additionally, researchers observed the use of Heaven’s Gate, an evasion technique that switches execution context from 32-bit to 64-bit mode to evade endpoint detection and response solutions. This was evident from the use of NtSetContextThread and other low-level syscall-manipulation APIs.
The Mitigation Strategy
SAP released an out-of-band emergency patch for CVE-2025-31324 on April 24, 2025. Organizations should apply this patch immediately across all SAP NetWeaver installations. Beyond patching, several additional mitigation steps are critical.
First, disable SAP Visual Composer entirely; the component is deprecated and should be removed via filters in the SAP NetWeaver configuration. Second, restrict access to the development server by disabling the developmentserver application alias and enforcing firewall rules that block external access to this endpoint. Third, inspect the webshell path /j2ee/cluster/apps/sapcom/irj/servlet_jsp/irj/root/ for any unauthorized .jsp files, and review server logs for suspicious upload or execution activity dating back to mid-April 2025.
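The third step above (checking the served directory for unexpected .jsp files and reviewing logs for upload activity since mid-April 2025) can be scripted. The following is an added example written for this article, not code from SAP or ReliaQuest: it scans Common Log Format access-log lines for POSTs to /developmentserver/metadatauploader and for requests to .jsp files not on an allowlist, and lists .jsp files under the webshell path modified after a cutoff. The cutoff date, the log format, and the sample log lines are assumptions constructed for the demonstration.

```python
import os
import re
from datetime import datetime, timezone
# Assumption: "mid-April 2025" is taken as 14 April 2025 UTC; adjust to your timeline.
CUTOFF = datetime(2025, 4, 14, tzinfo=timezone.utc)
# Locations named in the advisory: the upload endpoint and where uploads land.
UPLOADER_PATH = "/developmentserver/metadatauploader"
WEBSHELL_DIR = "/j2ee/cluster/apps/sapcom/irj/servlet_jsp/irj/root/"
# Common Log Format request line: client IP, timestamp, method, path.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" \d{3}')

def scan_access_log(lines, cutoff=CUTOFF, known_jsp=()):
    """Flag POSTs to the uploader and requests for .jsp files not on an allowlist."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if ts < cutoff:
            continue
        path = m["path"].split("?", 1)[0]  # drop any query string before matching
        if m["method"] == "POST" and path == UPLOADER_PATH:
            findings.append(("uploader_post", m["ip"], ts, path))
        elif path.lower().endswith(".jsp") and path not in known_jsp:
            findings.append(("unexpected_jsp", m["ip"], ts, path))
    return findings

def find_recent_jsp(root=WEBSHELL_DIR, cutoff=CUTOFF):
    """List .jsp files under root modified at or after cutoff (empty if root is absent)."""
    hits = []
    if not os.path.isdir(root):
        return hits
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            mtime = datetime.fromtimestamp(os.path.getmtime(full), tz=timezone.utc)
            if name.lower().endswith(".jsp") and mtime >= cutoff:
                hits.append(full)
    return sorted(hits)

# Constructed sample log lines for demonstration only; not real SAP traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Apr/2025:08:01:12 +0000] "GET /irj/portal HTTP/1.1" 200 5120',
    '198.51.100.7 - - [18/Apr/2025:02:14:55 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 312',
    '198.51.100.7 - - [18/Apr/2025:02:15:03 +0000] "GET /irj/helper.jsp HTTP/1.1" 200 44',
    '203.0.113.9 - - [18/Apr/2025:09:30:00 +0000] "GET /irj/portal HTTP/1.1" 200 5120',
    '203.0.113.9 - - [19/Apr/2025:10:00:00 +0000] "GET /irj/index.jsp HTTP/1.1" 200 900',
]
```

A hit on either check is a lead for investigation, not proof of compromise: populate known_jsp with the .jsp files your installation legitimately serves, and treat any uploader POST after the cutoff as worth correlating with the file listing.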
Lessons Learned
This incident underscores a fundamental truth about enterprise security: deprecated components that remain active represent ticking time bombs. SAP Visual Composer was already marked for deprecation, yet it continued running in production environments worldwide, exposing organizations to a vulnerability that required no authentication to exploit.
The attack chain also demonstrates the increasing sophistication of initial access brokers who leverage enterprise software vulnerabilities rather than traditional phishing campaigns. With Bitcoin trading at approximately $94,720 and the broader cryptocurrency market experiencing renewed institutional interest, attackers are highly motivated to compromise enterprise infrastructure that may provide access to financial systems and transaction data.
User Action Required
If your organization runs SAP NetWeaver with Visual Composer enabled, treat this as a critical incident. Apply the April 2025 SAP Security Patch immediately, disable the Visual Composer component, audit server logs for indicators of compromise, and conduct a thorough review of any JSP files in the exposed directory path. Organizations using managed SAP services should contact their providers to confirm patching status.
Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Always conduct your own research before making any investment decisions.
The pace of innovation in crypto continues to surprise me
The gap between crypto security and tradfi is visible right here. A single JSP webshell took down enterprise systems while DeFi protocols get audited 5 times before launch
DeFi gets 5 audits but also loses 200M to flash loan attacks quarterly. Neither side has bragging rights here
Every cycle the infrastructure gets more robust
The gap between crypto and TradFi is narrowing fast
Unauthenticated file upload to a metadata endpoint. In 2025. On enterprise software running half the Fortune 500. SAP needs to explain how this passed any security review
SAP has had variations of this vulnerability class since 2019. The metadata uploader was flagged in an internal audit 2 years ago and nobody prioritized the fix