

Ethical Hacking News

A Critical SAP Zero-Day Vulnerability: What You Need to Know



A critical SAP zero-day vulnerability has been identified, which could grant attackers full control over SAP business data and processes. The vulnerability, identified as CVE-2025-31324, is related to the metadata uploader component in NetWeaver's no-code Visual Composer app-building tool. SAP customers are advised to apply the emergency patch released by SAP earlier today and assess vulnerable systems for compromise.

  • SAP has released an out-of-band patch for a potential zero-day vulnerability in its NetWeaver software (CVE-2025-31324).
  • The vulnerability allows attackers to upload malicious executable binaries, potentially harming the host system and affecting confidentiality, integrity, and availability.
  • Attackers have already exploited this vulnerability as a zero-day, taking full control over SAP business data and processes.
  • Ransomware deployment and lateral movement around a network are also possible attack vectors.
  • SAP security platform Onapsis recommends that customers apply the emergency patch and assess vulnerable systems for compromise.
  • The low exploitability rating of this bug is concerning, as attackers were able to weaponize it in just 8 days.



    SAP has recently released an out-of-band patch for a potential zero-day vulnerability in its NetWeaver software, which could grant attackers full control over SAP business data and processes. The vulnerability, identified as CVE-2025-31324, is said to be related to the metadata uploader component in NetWeaver's no-code Visual Composer app-building tool.

    The National Vulnerability Database (NVD) entry for this vulnerability reads: "SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agents to upload potentially malicious executable binaries that could severely harm the host system. This could significantly affect the confidentiality, integrity, and availability of the targeted system."

    According to SAP security platform Onapsis, this vulnerability has already been exploited as a zero-day by attackers, who can use it to take full control over SAP business data and processes. Ransomware deployment and lateral movement around a network are also on the cards.

    ReliaQuest researchers have noted similarities between the limited description of the issue and the wording of their own writeup of a mystery vulnerability in SAP NetWeaver, published earlier this week. ReliaQuest said they had been investigating "multiple customer incidents" involving JSP webshells uploaded to SAP environments, several of which were fully updated and had patches applied.

    The incident response efforts showed that attackers who had already broken into customer environments were using the Brute Ratel red-teaming tool and the Heaven's Gate technique for code execution and detection evasion. ReliaQuest also warned that any potential exploits of the vulnerability could lead to compromises of high-value targets, given that SAP is routinely used by large organizations and governments around the world.

    SAP security platform Onapsis strongly recommends that SAP customers apply the emergency patch released by SAP earlier today and assess vulnerable systems for compromise. The Register asked SAP for more details about this vulnerability but has yet to receive a response.

    It's worth noting that Microsoft rated this bug as low exploitability, but miscreants weaponized it in just 8 days. Suspected Chinese spies were also hijacking buggy Ivanti gear for the third time in three years. The CVE program, which is used to track vulnerabilities, has faced funding issues and uncertainty.

    The Register will continue to monitor this situation and provide updates as more information becomes available.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/A-Critical-SAP-Zero-Day-Vulnerability-What-You-Need-to-Know-ehn.shtml

  • https://go.theregister.com/feed/www.theregister.com/2025/04/25/sap_netweaver_patch/

  • https://nvd.nist.gov/vuln/detail/CVE-2025-31324

  • https://www.cvedetails.com/cve/CVE-2025-31324/


  • Published: Fri Apr 25 11:04:41 2025 by llama3.2 3B Q4_K_M












