- SAP disclosed a 10/10 flaw in NetWeaver Visual Composer
- The bug allows threat actors to upload malware
- Researchers claim up to 1,200 instances are vulnerable
More than 1,200 SAP instances are at risk of being hijacked, researchers are saying, as a critical vulnerability was found being abused in the wild. Earlier this week, SAP said it found an unauthenticated file upload vulnerability in NetWeaver Visual Composer’s Metadata Uploader component.
Visual Composer is a development tool that allows users to build web-based business applications without writing code. It’s mostly used to create dashboards, forms, and interactive reports. The Metadata Uploader, on the other hand, is a tool for importing external data models (metadata) into the Visual Composer design environment. This allows developers to connect to remote data sources (web services, databases, or SAP systems).
The vulnerability SAP found is now tracked as CVE-2025-31324. It carries the maximum severity score (10/10), and stems from the fact that the uploader is not protected with proper authorization, allowing unauthenticated actors to upload malicious executables.
Fortune 500 at risk
When it discovered the bug, SAP first released a workaround, and then in late April, a patch.
Now, users are advised to apply it as soon as possible, since multiple cybersecurity firms confirmed the flaw being abused in the wild. According to BleepingComputer, ReliaQuest, watchTowr, and Onapsis, are just some of the firms that observed the bug being exploited in attacks in which threat actors were dropping web shells on vulnerable servers.
SAP, however, told BleepingComputer that it is not aware of any attacks that impacted customer data or systems.
The jury is still out on how many organizations are actually vulnerable. While the Shadowserver Foundation claims 427 servers are exposed on the internet, Onyphe says there are 1,284 instances, 474 of which are already compromised.
“Something like 20 Fortune 500/Global 500 companies are vulnerable, and many of them are compromised,” Onyphe CTO Patrice Auffret told BleepingComputer.
Via BleepingComputer
