🚨 SAP NetWeaver Zero-Day Under Active Exploitation — Patch Immediately
SAP has released an out-of-band emergency update to fix a critical zero-day vulnerability (CVE-2025-31324) in NetWeaver Visual Composer — and it’s already being exploited in the wild.
The flaw (CVSS 10.0) is a missing authorization check: an unauthenticated remote attacker can upload arbitrary files to the server and turn that into full remote code execution, with no login of any kind required.
Here’s what’s happening:
- Threat actors are sending crafted upload requests to the `/developmentserver/metadatauploader` endpoint
- They're dropping JSP web shells and then running OS commands through them with ordinary browser requests
- Post-exploitation activity includes Brute Ratel and MSBuild-based code injection to evade detection
- Systems that were current on every patch available before the emergency update were still compromised, which is what marks this as a true zero-day
Both ReliaQuest and watchTowr have confirmed active exploitation, with attackers already moving to establish persistence and lateral movement.
Who’s affected:
- SAP NetWeaver Visual Composer 7.50 environments
- Any instance reachable from the internet, above all where the Visual Composer component is actually deployed and enabled
What you need to do:
- Apply SAP's out-of-band emergency patch. It is separate from, and newer than, the regular April 8 Patch Day release, so a system that is current on April 8 is still vulnerable
- If you can't patch immediately:
  - Block or restrict access to `/developmentserver/metadatauploader` at the reverse proxy or SAP Web Dispatcher in front of the system, and verify the block from the outside
  - Disable Visual Composer if nothing uses it
  - Forward web-server and application logs to your SIEM, alert on any request to that endpoint, and hunt for JSP or servlet files in the application's web directories that you did not deploy
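As an added example (not SAP's, ReliaQuest's or watchTowr's code), here is a small Python hunt that does the last step over access-log lines: it flags every request to the metadata uploader endpoint and every request to a `.jsp` resource, then correlates the two by source address, since an upload followed by a `.jsp` hit from the same client is the upload-then-web-shell sequence described above. The combined log format, the one-hour correlation window, the `/irj/helper.jsp` shell path and the log lines themselves are constructed assumptions for illustration, not indicators from the advisory.

```python
"""Hunt for CVE-2025-31324 exploitation patterns in HTTP access logs.

Added example, not SAP's, ReliaQuest's or watchTowr's code. Assumptions
(not from the advisory): logs are in Apache/NGINX "combined" format, and a
dropped web shell is reached as a .jsp URL after the upload. The sample
log lines at the bottom are constructed for illustration.
"""
import re
from datetime import datetime, timedelta

# The endpoint the advisory says is being abused for unauthenticated uploads.
UPLOAD_ENDPOINT = "/developmentserver/metadatauploader"

# Combined log format: ip ident user [time] "METHOD target PROTO" status size ...
# (assumption: adjust this regex if your proxy or ICM export differs).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        # Drop the query string so /x.jsp?cmd=... and /x.jsp compare equal.
        "path": m.group("target").split("?", 1)[0],
        "status": int(m.group("status")),
    }


def is_upload_attempt(ev):
    """Any request to the metadata uploader is worth a look; a POST is the upload itself."""
    return ev["path"].lower().rstrip("/") == UPLOAD_ENDPOINT


def is_jsp_request(ev, allowlist=frozenset()):
    """A request to a .jsp resource that is not on your allowlist of legitimate pages."""
    return ev["path"].lower().endswith(".jsp") and ev["path"] not in allowlist


def hunt(log_text, window_seconds=3600, allowlist=frozenset()):
    """Return uploader hits, .jsp hits, and the source IPs that did both, in order."""
    window = timedelta(seconds=window_seconds)
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    uploads = [e for e in events if is_upload_attempt(e)]
    jsp_hits = [e for e in events if is_jsp_request(e, allowlist)]

    # Earliest uploader contact per source IP.
    first_upload = {}
    for e in uploads:
        first_upload[e["ip"]] = min(first_upload.get(e["ip"], e["ts"]), e["ts"])

    # A .jsp request from the same IP within the window after its upload is the
    # upload-then-web-shell sequence; report those IPs as suspects.
    suspects = sorted({
        e["ip"] for e in jsp_hits
        if e["ip"] in first_upload
        and timedelta(0) <= e["ts"] - first_upload[e["ip"]] <= window
    })
    return {"uploads": uploads, "jsp_hits": jsp_hits, "suspects": suspects}


# Constructed sample log: one benign portal user and one attacker who uploads
# a shell and then calls it. The path /irj/helper.jsp is an invented example.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Apr/2025:10:12:01 +0000] "GET /irj/portal HTTP/1.1" 200 5321 "-" "Mozilla/5.0"
198.51.100.23 - - [24/Apr/2025:10:14:44 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 312 "-" "python-requests/2.31"
198.51.100.23 - - [24/Apr/2025:10:14:52 +0000] "GET /irj/helper.jsp?cmd=whoami HTTP/1.1" 200 88 "-" "python-requests/2.31"
198.51.100.23 - - [24/Apr/2025:10:15:03 +0000] "POST /irj/helper.jsp HTTP/1.1" 200 201 "-" "python-requests/2.31"
203.0.113.7 - - [24/Apr/2025:10:16:10 +0000] "GET /irj/portal/layout.css HTTP/1.1" 304 0 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    result = hunt(SAMPLE_LOG)
    for e in result["uploads"]:
        print(f"uploader hit  {e['ip']} {e['method']} {e['path']} -> {e['status']}")
    for e in result["jsp_hits"]:
        print(f"jsp request   {e['ip']} {e['method']} {e['path']} -> {e['status']}")
    print("suspects:", ", ".join(result["suspects"]) or "none")
```

Run it against a real export by replacing `SAMPLE_LOG` with the file contents; populate `allowlist` with the `.jsp` pages your portal legitimately serves so the second signal stays quiet, and treat any uploader hit at all, not just the correlated ones, as worth a ticket while the system is unpatched.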
Also included in the emergency update:
- CVE-2025-27429 — Code injection in SAP S/4HANA
- CVE-2025-31330 — Code injection in SAP Landscape Transformation
In a world where zero-days are increasingly exploited within hours of discovery, patching isn’t optional — it’s urgent.