DeeperML - #sap

A critical security flaw, CVE-2025-31324, affecting SAP NetWeaver Visual Composer 7.x is under active exploitation in the wild. This deserialization vulnerability allows unauthenticated remote code execution through malicious uploads to the `/developmentserver/metadatauploader` endpoint. Attackers are leveraging this flaw to deploy web shells and gain full control of vulnerable SAP servers. Forescout Vedere Labs researchers have linked ongoing attacks targeting this vulnerability to a Chinese threat actor dubbed Chaya_004. Evidence suggests opportunistic scanning and exploitation attempts against SAP systems have been occurring since late April 2025 across multiple industries.

The Chinese-speaking threat group tracked as Chaya_004 by Forescout has been actively exploiting the SAP NetWeaver vulnerability. The attackers have not only deployed classic web shells but have also installed sophisticated management backdoors like Supershell, a Go-based remote shell favored among Chinese APT operators. Forescout's adversary engagement environments detected mass scanning shortly after the public disclosure of the bug and its inclusion in CISA’s Known Exploited Vulnerabilities (KEV) catalog. The scanning activity primarily originated from Microsoft and Amazon cloud ASNs, indicating both benign research and malicious reconnaissance efforts.

Technical analysis of the attacker's infrastructure revealed a network of over 500 IPs, many hosted on leading Chinese cloud providers. This infrastructure contained not just Supershell but also an arsenal of penetration testing and asset discovery tools. The observed toolset includes NPS, SoftEther VPN, Cobalt Strike, ARL, Pocassit, Gosint, and bespoke tunnels written in Go. The use of Chinese cloud providers and Chinese-language tools strongly suggests the campaign is orchestrated by a seasoned Chinese threat actor. Applying the latest security patches is crucial for organizations to protect their SAP NetWeaver systems from potential compromise.


References :

• Cyber Security News: A critical deserialization vulnerability, CVE-2025-31324, affecting SAP NetWeaver Visual Composer 7.x, is being actively exploited in the wild, according to recent research by Forescout.
• The Hacker News: Hundreds of SAP NetWeaver instances hacked via a zero-day that allows remote code execution, not only arbitrary file uploads, as initially believed.
• fortiguard.fortinet.com: A zero-day SAP vulnerability, CVE-2025-31324, with CVSS score of 10.0 is being actively exploited in the wild.
• securityonline.info: From Web Shell to Full Control: APT-Style Exploits Surge Against SAP NetWeaver
• www.scworld.com: Remote code execution possible of SAP NetWeaver Visual Composer flaw rated 10.0.
• Unit 42: CVE-2025-31324 impacts SAP NetWeaver's Visual Composer Framework. We share our observations on this vulnerability using incident response cases and telemetry.

Classification:

• HashTags: #SAPsecurity #CybersecurityThreats #CVEexploit
• Company: SAP
• Target: SAP NetWeaver users
• Attacker: ColdRiver
• Product: SAP NetWeaver
• Feature: Visual Composer Metadata Uploa
• Malware: LOSTKEYS
• Type: Hack
• Severity: Major

A critical zero-day vulnerability, CVE-2025-31324, has been discovered in SAP NetWeaver Visual Composer Metadata Uploader, posing a significant threat to organizations using the platform. The flaw stems from missing authorization checks on the `/developmentserver/metadatauploader` endpoint, allowing unauthenticated attackers to upload malicious files directly to the system. This unrestricted file upload vulnerability has a CVSS score of 10, indicating its critical severity and potential for widespread exploitation. Security researchers and threat hunters have already observed active exploitation in the wild, with threat actors using the vulnerability to drop web shell backdoors onto exposed systems.

Exploitation of CVE-2025-31324 enables attackers to gain unauthorized access and control over SAP systems. Threat actors are leveraging the vulnerability to upload web shells, facilitating remote code execution and further system compromise. These web shells allow attackers to execute commands, manage files, and perform other malicious actions directly from a web browser. According to SAP security platform Onapsis, the vulnerability can afford attackers the opportunity to take full control over SAP business data and processes, potentially leading to ransomware deployment and lateral movement within a network.

SAP has released an out-of-band emergency patch to address CVE-2025-31324, and organizations are strongly encouraged to apply the patch as soon as possible to mitigate the risk. ReliaQuest researchers also reported investigating multiple customer incidents involving JSP webshells uploaded via this vulnerability. Given the widespread active exploitation and the potential for significant impact, organizations should prioritize patching vulnerable systems and assessing them for any signs of compromise. Experts estimate that a significant percentage of internet-facing SAP NetWeaver systems may be vulnerable, highlighting the urgency of addressing this critical flaw.


References :

• Threats | CyberScoop: CyberScoop article about SAP zero-day vulnerability under widespread active exploitation
• securityaffairs.com: SecurityAffairs article about SAP NetWeaver zero-day allegedly exploited by an initial access broker.
• The DefendOps Diaries: thedefendopsdiaries.com article on Addressing CVE-2025-31324: A Critical SAP NetWeaver Vulnerability
• Tenable Blog: Tenable Blog post on CVE-2025-31324 zero day vulnerability in SAP NetWeaver being exploited in the wild.
• BleepingComputer: SAP fixes suspected Netweaver zero-day exploited in attacks
• reliaquest.com: ReliaQuest uncovers vulnerability behind SAP NetWeaver compromise
• MSSP feed for Latest: SAP Patches Critical Zero-Day Vulnerability in NetWeaver Visual Composer
• Blog: Max severity zero-day in SAP NetWeaver actively exploited
• thehackernews.com: Threat actors are likely exploiting a new vulnerability in SAP NetWeaver to upload JSP web shells with the goal of facilitating unauthorized file uploads and code execution.
• cyberscoop.com: SAP zero-day vulnerability under widespread active exploitation
• www.cybersecuritydive.com: SAP NetWeaver zero-day vulnerability under widespread active exploitation.
• www.scworld.com: SAP patches zero day rated 10.0 in NetWeaver
• The Register - Security: Emergency patch for potential SAP zero-day that could grant full system control
• Resources-2: Picus Security explains SAP NetWeaver Remote Code Execution Vulnerability
• socradar.io: Critical SAP NetWeaver Vulnerability (CVE-2025-31324) Allows Unauthorized Upload of Malicious Executables
• Strobes Security: When a vulnerability is rated 9.9 out of 10 on the CVSS scale, it deserves immediate attention. CVE-2025-31324 affects SAP NetWeaver AS Java, a platform many businesses rely on every...
• strobes.co: When a vulnerability is rated 9.9 out of 10 on the CVSS scale, it deserves immediate attention. CVE-2025-31324 affects SAP NetWeaver AS Java, a platform many businesses rely on every...
• The DefendOps Diaries: The DefendOps Diaries: Understanding and Mitigating the CVE-2025-31324 Vulnerability in SAP NetWeaver
• Vulnerable U: SAP CVE-2025-31324 Targeted by Attackers
• www.bleepingcomputer.com: Over 1,200 SAP NetWeaver servers vulnerable to actively exploited flaw
• www.bleepingcomputer.com: SAP fixes suspected Netweaver zero-day exploited in attacks
• BleepingComputer: Over 1,200 internet-exposed SAP NetWeaver instances are vulnerable to an actively exploited maximum severity unauthenticated file upload vulnerability that allows attackers to hijack servers.
• Onapsis: Critical SAP Zero-Day Vulnerability Under Active Exploitation (CVE-2025-31324)
• research.kudelskisecurity.com: Critical Vulnerability in SAP NetWeaver Visual Composer (CVE-2025-31324)
• securityaffairs.com: U.S. CISA adds SAP NetWeaver flaw to its Known Exploited Vulnerabilities catalog
• onapsis.com: In our SAP CVE-2025-31324 webinar learn how to assess exposure, patch critical vulnerabilities, and defend against active zero-day attacks on SAP systems.
• research.kudelskisecurity.com: Research Kudelski Security Article on SAP NetWeaver Exploitation
• Cyber Security News: SAP NetWeaver 0-Day Vulnerability Actively Exploited to Deploy Webshells
• Caitlin Condon: Rapid7 MDR has observed in-the-wild exploitation of SAP NetWeaver Visual Composer CVE-2025-31324 in customer environments.
• www.cybersecuritydive.com: Thousands are exposed and potentially vulnerable as researchers warn of widespread exploitation.
• www.it-daily.net: Security experts have identified a serious security vulnerability in SAP NetWeaver that allows unauthorized access to company systems.
• securityonline.info: CISA Adds SAP NetWeaver Zero-Day CVE-2025-31324 to KEV Database
• redcanary.com: Critical vulnerability in SAP NetWeaver enables malicious file uploads
• www.stormshield.com: Security alert SAP CVE-2025-31324: Stormshield Products Response
• Rescana: Critical Zero-Day Vulnerability in SAP NetWeaver Visual Composer: CVE-2025-31324 Exploited in Manufacturing Attacks
• SOC Prime Blog: CVE-2025-31324 Detection: SAP NetWeaver Zero-Day Under Active Exploitation Exposes Critical Systems to Remote Code Execution
• Stormshield: Security alert SAP CVE-2025-31324: Stormshield Products Response
• socprime.com: CVE-2025-31324 Detection: SAP NetWeaver Zero-Day Under Active Exploitation Exposes Critical Systems to Remote Code Execution

Classification:

• HashTags: #SAPSecurity #ZeroDay #Cybersecurity
• Company: SAP
• Target: SAP NetWeaver servers
• Attacker: ReliaQuest
• Product: NetWeaver
• Feature: Metadata Uploader
• Malware: webshells
• Type: 0Day
• Severity: Critical

SAP and NVIDIA are deepening their collaboration to deliver advanced AI capabilities to businesses worldwide. SAP is integrating NVIDIA's Llama Nemotron reasoning models to enhance the reasoning capabilities of its AI agents. This strategic move aims to improve accuracy and equip AI agents with advanced decision-making and execution skills. By incorporating these models, SAP's Joule agents will be better equipped to handle complex business challenges through deeper contextual reasoning and seamless interaction with enterprise data and systems, fostering more intelligent and autonomous operations.

The partnership between SAP and NVIDIA has already yielded AI innovations transforming business operations. SAP Joule for Consultants, enhanced with NVIDIA NeMo Retriever microservices, enables consultants to quickly access relevant insights from SAP-exclusive content, reducing time spent on documentation and troubleshooting. For developers, Joule for developers, powered by NVIDIA NIM microservices, accelerates ABAP code generation, improving code quality and accelerating innovation. These advancements are revolutionizing how enterprises implement SAP solutions and develop applications on SAP Business Technology Platform.


References :

• SAP News Center: AI That Thinks, Learns, and Acts: How SAP and NVIDIA Are Shaping the Future of Business AI

Classification:

• HashTags: #BusinessAI #SAPJoule #NVIDIAAI
• Company: SAP
• Target: Business Operations
• Product: Joule
• Feature: AI Assistant
• Malware: Joule
• Type: AI
• Severity: Informative