A critical flaw in SAP NetWeaver’s Visual Composer component has been widely exploited by threat actors, putting numerous organizations at risk. This zero-day vulnerability, identified as CVE-2025-31324, allows unauthorized file uploads, potentially compromising entire systems. Experts warn that the vulnerability could have far-reaching impacts across various industries globally.
The extent of this breach surpasses previous incidents involving SAP systems, marking it as one of the most severe vulnerabilities exploited in recent times. Earlier SAP vulnerabilities had limited exploitation, but CVE-2025-31324 has seen rapid and widespread attacks, emphasizing the urgent need for security measures.
Vulnerability Details
The CVE-2025-31324 flaw affects the SAP Visual Composer component of SAP NetWeaver, a platform integral to many enterprise applications. This defect permits unauthorized users to upload files, granting them the ability to execute code remotely and fully compromise the system. Onapsis estimates approximately 10,000 SAP instances might be vulnerable based on internet server searches.
Active Exploitation and Impact
“This isn’t a theoretical threat — it’s happening right now,”
stated Benjamin Harris, CEO of watchTowr. Additionally,
“SAP solutions are often used by government agencies and enterprises, making them high-value targets for attackers,”
as noted by ReliaQuest researchers. The vulnerability has been actively exploited, with attackers deploying web shell backdoors to secure further access to compromised systems. WatchTowr has observed a significant spike in attempts and breaches across critical industries, affecting an estimated 50-70% of internet-facing SAP NetWeaver systems.
Mitigation Efforts
SAP has released an emergency patch to address the vulnerability, available exclusively to customers with login credentials to their support portal. Researchers and incident responders urge all SAP NetWeaver users to apply the patch immediately to prevent unauthorized access and system compromise. Due to the high value of SAP solutions in government and enterprise sectors, the vulnerability poses a substantial risk if not promptly addressed.
The emergence of CVE-2025-31324 underscores the persistent vulnerabilities within widely used enterprise systems like SAP NetWeaver. Organizations must remain vigilant and prioritize the implementation of security patches to safeguard their infrastructure effectively. Continuous monitoring and swift response strategies are essential to mitigate the risks posed by such critical exploits in the future.
