In early 2025, security experts uncovered a critical vulnerability in SAP NetWeaver that was being silently exploited across numerous organizations’ most critical systems. Tracked as CVE-2025-31324, this flaw holds a CVSS 10.0 severity, allowing unauthenticated attackers to upload arbitrary files and achieve full remote code execution on SAP NetWeaver application servers. Even fully patched SAP systems fell victim – a clear indication that threat actors had discovered and weaponized a vulnerability unknown to the vendor. The SAP Visual Composer component for SAP NetWeaver is broadly enabled in real-world deployments, which makes it a significant target for exploitation; the full extent of the threat, and how many systems are exposed, is still being established. By the time SAP issued an emergency patch on April 24, 2025, attackers had already been leveraging the zero-day for months in a stealthy exploit spree that infiltrated businesses and government agencies alike.
Discovery of the Zero-Day
The first public warning came on April 22, 2025, when cybersecurity firm ReliaQuest reported multiple client breaches tied to an unusual SAP NetWeaver compromise. SAP solutions are frequently used by government agencies and enterprises, making them high-value targets for cyberattacks. Investigators found that attackers were uploading JSP webshells into publicly accessible directories on SAP NetWeaver servers, enabling them to execute remote commands at will. ReliaQuest noted that no authentication was needed for these malicious file uploads and that the affected systems were fully up-to-date on patches – meaning the intrusions resulted from a true zero-day exploit. In response, SAP “dropped a bombshell” out-of-band update on April 24, 2025, releasing a patch to close the Visual Composer component vulnerability. Administrators were urged to apply the fix immediately, but by that point the attackers had already gained a foothold in many critical SAP installations without detection.
Silent Exploitation in Critical Industries
Initial evidence suggested the zero-day had been exploited quietly as early as January 2025, giving adversaries a significant head start before public disclosure. Hundreds of SAP NetWeaver servers worldwide – including those in energy, utilities, manufacturing, oil and gas, pharmaceutical, retail, and government sectors – were compromised during this period of stealthy activity. Security researchers observed that the threat actors behind the campaign demonstrated highly advanced knowledge of SAP systems, employing living-off-the-land techniques to blend in. The breaches went under the radar until routine monitoring picked up the webshells and unusual SAP application behavior in April. By then, an initial access broker believed to have nation-state ties (suspected by some to be China-linked) had likely already planted persistent backdoors in numerous enterprise SAP servers. This silent exploit spree across critical industries highlights how a sophisticated actor can abuse a zero-day in mission-critical software to quietly pre-position for espionage or future attacks.
Attack Vector and Stealth Techniques
The vulnerability itself resided in the SAP NetWeaver Visual Composer’s Metadata Uploader (an endpoint at /developmentserver/metadatauploader). An oversight in authorization checks meant that an attacker could upload any file to the server without logging in. Armed with only a malicious file and a target URL, attackers would install JSP-based webshells on vulnerable servers. Once these webshells were in place, the adversaries could simply send crafted HTTP GET requests to execute system commands remotely. Compromised servers effectively became theirs to control – allowing them to create or exfiltrate files, spawn processes, and potentially pivot deeper into the network. In the post-exploitation phase, the attackers deployed advanced tools and tactics to maintain stealth. Security analysts noted the use of “Brute Ratel,” a red-team command-and-control framework, and the “Heaven’s Gate” technique to bypass antivirus defenses. Attackers even injected malicious code via MSBuild (Microsoft’s build tool) into legitimate Windows processes like dllhost.exe to hide their presence. These techniques, combined with the absence of security logging for the Visual Composer component, meant the intrusion could persist for an extended time without triggering alarms.
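A defender-side hunt over web-server access logs for the pattern just described, written as an added example (not code from the original write-up or from any of the vendors named): it flags POSTs to the Metadata Uploader endpoint and parameterised GETs to JSP resources, and rates a source IP highest when an accepted upload is followed by such a GET from the same address. The log lines, the JSP paths and the combined-log format are constructed assumptions.

```python
import re
from collections import defaultdict

UPLOADER = "/developmentserver/metadatauploader"  # vulnerable endpoint named above
# Constructed sample access-log lines (combined-log style), not from any real incident;
# the .jsp paths are assumed examples, real webshell names and locations vary.
SAMPLE_LOG = """\
203.0.113.7 - - [21/Apr/2025:03:14:02 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 512
203.0.113.7 - - [21/Apr/2025:03:14:09 +0000] "GET /irj/helper.jsp?cmd=whoami HTTP/1.1" 200 87
198.51.100.5 - - [21/Apr/2025:08:02:41 +0000] "GET /irj/portal HTTP/1.1" 200 15322
198.51.100.5 - - [21/Apr/2025:08:03:10 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 401 0
192.0.2.44 - - [21/Apr/2025:09:15:00 +0000] "GET /irj/cache.jsp?cmd=dir HTTP/1.1" 200 402
"""
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def classify(line):
    """Return (ip, event) for a line of interest, or None for ordinary traffic."""
    m = LINE_RE.match(line)
    if not m:
        return None
    method, target, status = m["method"], m["target"], int(m["status"])
    path, _, query = target.partition("?")
    if method == "POST" and path.lower() == UPLOADER:
        # Any unauthenticated POST to the uploader deserves a look; 2xx means it was accepted.
        return m["ip"], ("upload_ok" if 200 <= status < 300 else "upload_attempt")
    if method == "GET" and path.lower().endswith(".jsp") and query and status == 200:
        # A JSP resource answering to query parameters is the webshell pattern described above.
        return m["ip"], "jsp_query"
    return None

def hunt(log_text):
    """Group events per source IP; an accepted upload followed by parameterised JSP
    requests from the same IP is the full exploitation chain and rates highest."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            events[hit[0]].append(hit[1])
    findings = {}
    for ip, kinds in events.items():
        first_upload = kinds.index("upload_ok") if "upload_ok" in kinds else None
        if first_upload is not None and "jsp_query" in kinds[first_upload:]:
            sev = "high"
        elif "upload_ok" in kinds or "jsp_query" in kinds:
            sev = "medium"
        else:
            sev = "low"  # only rejected upload attempts: probing, still worth recording
        findings[ip] = {"severity": sev, "events": kinds}
    return findings
```

Feed `hunt()` the text of an SAP HTTP access log instead of `SAMPLE_LOG`; any "high" finding from before the April 24 patch date is a strong indicator that the server was compromised before it was fixed.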
Multiple Threat Actors and Second-Wave Attacks
What began as a covert operation by a likely state-sponsored actor or broker soon turned into a free-for-all once the vulnerability became public. In the weeks following SAP’s disclosure and patch, other threat groups rushed to exploit any unpatched NetWeaver systems. By May 2025, ransomware gangs such as BianLian and RansomExx had incorporated CVE-2025-31324 into their toolkits, using it to drop their own malware (for example, RansomExx was observed deploying a backdoor called “PipeMagic” through the SAP exploit). At the same time, security researchers warned that Chinese APT groups were also probing SAP servers – indicating that both cybercriminal and nation-state actors were actively targeting this flaw. This convergence of threats led to a second wave of attacks: opportunistic hackers piggybacked on the webshells left behind by the initial attackers or struck vulnerable servers that lagged in patching. In one case, an initial access broker’s indiscriminate deployment of backdoors allowed multiple gangs to discover and use those webshells independently, accelerating the spread of attacks. What was once a quiet breach by a single group had evolved into a barrage of cyberattacks from all sides.
Impact and Response
The impact of the SAP NetWeaver zero-day has been immense. By late April, security scans revealed over 1,200 internet-exposed SAP NetWeaver instances still unpatched and vulnerable to this exploit. More than 10,000 systems in total were estimated to run the affected component, many of them in high-value environments where SAP software manages core business and government processes. While SAP stated it had seen no evidence (so far) of customer data breaches from these attacks, the potential for damage was clear: complete server takeover, data theft, operational disruption, and indirect access to other systems. The incident serves as a stark reminder of the outsized risk posed by ERP (Enterprise Resource Planning) platform vulnerabilities. In the aftermath, SAP administrators worldwide scrambled to apply the emergency patch (SAP Security Note 3594142) and to hunt for signs of compromise. Security firms released Indicators of Compromise (IOCs) – such as suspicious JSP file names in SAP directories – to help organizations detect if the vulnerability had been exploited in their environment. Going forward, experts urge a defense-in-depth approach: even in well-maintained systems, unknown zero-days can lurk, so robust network monitoring and anomaly detection are essential to catch the earliest hints of an intrusion.
Conclusion
The SAP NetWeaver zero-day saga illustrates how a single undisclosed flaw in widely used software can enable a silent rampage through critical infrastructure. A vulnerable component that was not installed by default – but often enabled in the real world – gave attackers a rare opportunity to breach fully patched systems at will. They capitalized on it brilliantly, operating in the shadows for months and affecting multiple sectors before the alarm was raised. Once the secret was out, a race ensued between attackers trying to exploit as many servers as possible and defenders rushing to secure their SAP landscapes. The episode underscores the importance of collaborative threat intelligence (as seen with ReliaQuest, Onapsis, and others sharing findings) and rapid vendor response in the face of active exploits. Most importantly, organizations running complex critical applications must stay vigilant and be prepared for the unexpected. Applying patches promptly is crucial, but so is continuous monitoring for anomalous behavior, rigorous network segmentation, and having an incident response plan. The silent exploit spree facilitated by CVE-2025-31324 may be over, but it has left behind a cautionary tale: even the most mature, up-to-date systems can be quietly subverted by determined adversaries, and only a proactive, layered security strategy can hope to contain such threats.
References
Arghire, Ionut. “SAP Zero-Day Targeted Since January, Many Sectors Impacted.” SecurityWeek, 9 May 2025. https://www.securityweek.com/sap-zero-day-targeted-since-january-many-sectors-impacted/
EclecticIQ. “China-Nexus Nation State Actors Exploit SAP NetWeaver (CVE-2025-31324) to Target Critical Infrastructures.” EclecticIQ Blog, May 2025. https://blog.eclecticiq.com/china-nexus-nation-state-actors-exploit-sap-netweaver-cve-2025-31324-to-target-critical-infrastructures
Kapko, Matt. “SAP Zero-Day Vulnerability Under Widespread Active Exploitation.” CyberScoop, 25 Apr. 2025. https://cyberscoop.com/sap-netweaver-zero-day-exploit-cve-2025-31324/
Lakshmanan, Ravie. “BianLian and RansomExx Exploit SAP NetWeaver Flaw to Deploy PipeMagic Trojan.” The Hacker News, 14 May 2025. https://thehackernews.com/2025/05/bianlian-and-ransomexx-exploit-sap.html
Onapsis. “CVE-2025-31324 SAP Zero-Day Vulnerability | Full Threat Brief.” Onapsis Blog, Apr.–May 2025. https://onapsis.com/blog/active-exploitation-of-sap-vulnerability-cve-2025-31324/
ReliaQuest. “ReliaQuest Uncovers New Critical Vulnerability in SAP NetWeaver (CVE-2025-31324).” ReliaQuest Blog, 22 Apr. 2025. https://reliaquest.com/blog/threat-spotlight-reliaquest-uncovers-vulnerability-behind-sap-netweaver-compromise/
Toulas, Bill. “SAP Fixes Suspected NetWeaver Zero-Day Exploited in Attacks.” BleepingComputer, 25 Apr. 2025. https://www.bleepingcomputer.com/news/security/sap-fixes-suspected-netweaver-zero-day-exploited-in-attacks/