# SAP NetWeaver Under Siege: Critical Vulnerabilities Attract Ransomware Gangs and State-Sponsored Hackers

SAP NetWeaver, the foundational software platform underpinning trillions of dollars in global business transactions, has become the target of coordinated attacks from financially motivated ransomware groups alongside state-sponsored hacking operations, security researchers warn.

The German software company's enterprise middleware platform, a cornerstone of the resource planning systems used by organizations across virtually every major industry vertical, is being actively exploited through multiple critical vulnerabilities. Attackers have deployed web shells, Cobalt Strike beacons, and persistent backdoors onto vulnerable servers spanning both the Java and ABAP technology stacks that power SAP's ecosystems.

## The Critical CVE-2025-31324 Vulnerability

The most severe issue, tracked as CVE-2025-31324, carries a CVSS score of 10.0 (Critical) under SAP's assessment, the highest possible severity rating under CVSS 3.1. The flaw resides in the Visual Composer component of SAP NetWeaver Application Server Java, specifically within the Metadata Uploader functionality reachable via the /developmentserver/metadatauploader endpoint.

The vulnerability stems from a missing authorization check that allows unauthenticated attackers to upload arbitrary executable files to vulnerable servers. Once a malicious file, typically a JavaServer Page (JSP) web shell, has been deposited, attackers can request it through a web browser and execute operating system commands with the privileges of the SAP system administrator account.

"The core issue with this vulnerability is a missing authorization check in the Metadata Uploader," according to analysis from Palo Alto Networks Unit 42. "This means that any user, even unauthenticated ones, can interact with this endpoint and upload arbitrary files to the server."

SAP released an emergency patch for CVE-2025-31324 on April 24, 2025.
CISA added the vulnerability to its Known Exploited Vulnerabilities catalog on April 29, 2025, establishing a remediation deadline of May 20, 2025 for federal civilian agencies. The listing signals the federal government's expectation that organizations prioritize remediation, given active exploitation by both criminal and nation-state threat actors.

Security researchers at ReliaQuest first documented exploitation activity on April 22, 2025, observing unauthorized file uploads and malicious code execution targeting SAP NetWeaver systems. The researchers identified JSP web shells with filenames including helper.jsp, cache.jsp, and randomly generated names being planted on compromised systems. Earlier reconnaissance activity was detected by Onapsis beginning in January 2025, with confirmed intrusions starting in mid-March 2025.

## Global Exposure and Attack Scale

Security firms have documented alarming numbers of vulnerable, internet-exposed SAP systems. Onapsis Research Labs identified more than 4,000 internet-facing SAP applications with the vulnerable component enabled, estimating that 50 to 70 percent of these may already have been compromised. The Shadowserver Foundation discovered over 400 NetWeaver servers openly exposed to the internet, representing immediate targets for automated exploitation toolkits.

Public proof-of-concept exploits became available within days of disclosure, triggering mass scanning activity consistent with patterns observed for previous critical SAP vulnerabilities.

EclecticIQ researchers uncovered an openly accessible directory on attacker-controlled infrastructure that revealed the scope of the campaign. The directory contained result files documenting 581 SAP NetWeaver instances confirmed compromised and backdoored with web shells, alongside a list of 1,800 domains running SAP NetWeaver identified as planned targets for future exploitation.
SAP, whose systems manage core business processes for large enterprises across multiple industries, acknowledged the vulnerability and released emergency patches promptly. The company stated it was not aware of customer compromises at the time of disclosure, though security firms reported ongoing in-the-wild exploitation immediately following the announcement.

## A Complex Threat Landscape

The attackers leveraging CVE-2025-31324 represent a dangerous convergence of financially motivated criminal actors and nation-state espionage operations.

Ransomware groups BianLian and RansomEXX have both been observed exploiting the vulnerability to establish persistence within victim networks. ReliaQuest documented BianLian deploying reverse proxy services from compromised SAP servers, linking the infrastructure to previously identified ransomware command-and-control servers. In separate incidents, attackers exploited the flaw to deploy PipeMagic, a modular backdoor associated with RansomEXX (tracked by Microsoft as Storm-2460), delivered through MSBuild abuse.

China-nexus threat actors have also been linked to active exploitation campaigns. Forescout's Vedere Labs uncovered malicious infrastructure hosting SuperShell backdoors, Golang-based web shells deployed predominantly on Chinese cloud providers including Alibaba, Shenzhen Tencent, Huawei Cloud Service, and China Unicom. The campaign used fraudulent certificates impersonating Cloudflare to mask command-and-control communications.

Security analysts at EclecticIQ have attributed intrusions to multiple Chinese state-sponsored groups, including UNC5221, UNC5174, and CL-STA-0048.
These groups, which Mandiant and Palo Alto Networks researchers assess are connected to China's Ministry of State Security or affiliated private entities, operate strategically to compromise critical infrastructure, exfiltrate sensitive data, and maintain persistent access across high-value networks worldwide, according to EclecticIQ's analysis.

## Attack Anatomy: From Web Shell to Full Compromise

Post-exploitation activity reveals the methodical approach adopted by threat actors following initial access. After uploading web shells with filenames including helper.jsp, cache.jsp, and ran.jsp, attackers execute reconnaissance commands to enumerate the compromised environment:

```bash
cat /etc/hosts && cat /etc/resolv.conf && uname -a && ps -ef && netstat -tenp
```

Tool deployment follows reconnaissance, with attackers observed installing GOREVERSE, a custom reverse shell utility capable of managing connections, dynamic port forwarding, and native SCP and SFTP implementations for data exfiltration. In some incidents, attackers establish reverse SSH SOCKS proxies to maintain persistent tunnel access to compromised networks.

The deployment of Cobalt Strike beacons provides attackers with a fully featured commercial penetration testing framework for lateral movement, credential harvesting, and eventual data exfiltration or ransomware deployment.

EclecticIQ analysts observed compromised SAP systems being used to target essential services and government entities across multiple countries, including critical natural gas distribution networks and water utilities in the United Kingdom, advanced medical device manufacturing in the United States, and government ministries in Saudi Arabia. The compromised SAP systems were often running on VMware ESXi hypervisors directly connected to internal business networks without segmentation, significantly increasing the risk of lateral movement.
China-nexus actors deployed additional malware tools including KrustyLoader, a Rust-based malware loader that delivers Sliver backdoors, and SNOWLIGHT, a Go-based downloader that deploys VShell, an open-source remote access trojan that masquerades as a benign kernel thread to evade detection.

## A Second Critical Vulnerability

SAP's investigation into the attack campaign uncovered a second vulnerability in the same Visual Composer Metadata Uploader component. Tracked as CVE-2025-42999 and rated CVSS 9.1 (Critical), the flaw involves insecure deserialization that allows a privileged attacker to compromise system confidentiality, integrity, and availability. SAP released patches for this second vulnerability on May 12 and 13, 2025.

## Broader Vulnerability Landscape

CVE-2025-31324 is not an isolated issue. SAP's September 2025 security patch cycle addressed multiple additional critical vulnerabilities in NetWeaver, including CVE-2025-42944, another flaw carrying a CVSS score of 10.0 (Critical) that stems from insecure deserialization in the RMI-P4 module and permits unauthenticated remote code execution. CVE-2025-42958 (CVSS 9.1) affects NetWeaver running on IBM i-series systems, allowing highly privileged unauthorized users to read, modify, or delete sensitive information or access administrative functionality.

Earlier vulnerabilities continue to pose risks. CVE-2020-6287, known as RECON, achieved notoriety when exploitation of the 2020 flaw by initial access brokers contributed to compromises that preceded ransomware operations. Security analysts at Onapsis note that SAP vulnerabilities frequently transition from initial access to ransomware payload delivery in the criminal economic chain.

## Why ERP Security Demands Urgent Attention

Enterprise resource planning systems occupy a uniquely critical position in organizational infrastructure.
These platforms manage the operational heartbeat of modern enterprises: finance, human resources, procurement, manufacturing, and supply chain logistics. A successful compromise translates directly into financial fraud capability, operational disruption potential, and supply chain leverage.

Unlike endpoint devices, where a single compromised machine represents isolated risk, an ERP system compromise can grant attackers visibility into and control over an organization's most sensitive business data and core operational processes. The centralization of so many business functions within SAP environments makes them disproportionately high-value targets relative to other enterprise systems.

Organizations running SAP NetWeaver must immediately verify whether the Visual Composer component is enabled, a requirement for exploitability, and apply available patches without delay. For systems where immediate patching remains infeasible, disabling the Visual Composer component provides an effective workaround until updates can be deployed.

Network exposure represents a critical risk multiplier. SAP instances directly accessible from the internet face orders of magnitude greater exploitation risk than those protected behind VPNs or secure reverse proxies. Security teams should audit external exposure and implement compensating controls including web application firewalls, multi-factor authentication, and enhanced logging to detect exploitation attempts.

The indicators of compromise extend beyond the vulnerability itself. Organizations should search for unexpected JSP files in directories including /irj/root, /irj/work, and /irj/work/sync, and analyze access logs for suspicious POST requests to the vulnerable endpoint.

---

Organizations running SAP NetWeaver should consult SAP Security Note 3594142 and subsequent updates for patch availability and refer to the vendor's official guidance for complete remediation procedures.
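As an added illustration of the hunting guidance above (not code from the article or from any of the vendors it cites), the following Python script applies the two indicators the text names: POST requests to /developmentserver/metadatauploader in the access log, and .jsp files sitting in the /irj/root, /irj/work, or /irj/work/sync directories. The log format is assumed to be common log format and the log lines and file paths are constructed sample data; adapt the regular expression and the directory list to the real server layout.

```python
import re
from pathlib import PurePosixPath
from typing import Iterable

# Endpoint and drop directories as named in the article; everything else here is constructed.
UPLOADER_ENDPOINT = "/developmentserver/metadatauploader"
WEBSHELL_DIRS = ("/irj/root", "/irj/work", "/irj/work/sync")

# Assumed common-log-format layout; adjust to the real access log of the NetWeaver Java server.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r"(?P<status>\d{3}) (?P<size>\d+|-)"
)


def flag_requests(lines: Iterable[str]) -> list[tuple[str, str, str]]:
    """Return (reason, client_ip, path) for requests matching the article's indicators:
    a POST to the Metadata Uploader, or a request for a .jsp under /irj/ (web shell use)."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skipped here, a real hunt should count these
        path = m.group("path").split("?", 1)[0].lower()
        if m.group("method") == "POST" and path.startswith(UPLOADER_ENDPOINT):
            hits.append(("metadatauploader_post", m.group("ip"), path))
        elif path.startswith("/irj/") and path.endswith(".jsp"):
            hits.append(("jsp_under_irj", m.group("ip"), path))
    return hits


def unexpected_jsp(paths: Iterable[str]) -> list[str]:
    """Return .jsp files whose parent directory is one of the web shell drop locations."""
    found = []
    for p in paths:
        pp = PurePosixPath(p)
        if pp.suffix.lower() == ".jsp" and any(str(pp.parent).endswith(d) for d in WEBSHELL_DIRS):
            found.append(p)
    return found


# Constructed sample input: one upload POST, one benign portal hit, one request for a dropped shell.
SAMPLE_LOG = [
    '203.0.113.5 - - [22/Apr/2025:10:01:02 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 512',
    '198.51.100.7 - - [22/Apr/2025:10:01:05 +0000] "GET /irj/portal HTTP/1.1" 200 1024',
    '203.0.113.5 - - [22/Apr/2025:10:01:09 +0000] "GET /irj/helper.jsp HTTP/1.1" 200 64',
]
# Constructed file listing; the prefix stands in for the real SAP installation path.
SAMPLE_FILES = [
    "/SAP_INSTALL_PLACEHOLDER/irj/root/helper.jsp",
    "/SAP_INSTALL_PLACEHOLDER/irj/root/index.html",
    "/SAP_INSTALL_PLACEHOLDER/irj/work/sync/cache.jsp",
]

if __name__ == "__main__":
    for hit in flag_requests(SAMPLE_LOG):
        print("log:", *hit)
    for f in unexpected_jsp(SAMPLE_FILES):
        print("file:", f)
```

Any hit is a starting point for triage, not proof of compromise; correlate the source address and timestamp of the POST with the creation time of the JSP file it would have written.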