A critical vulnerability in SAP NetWeaver Visual Composer has led to confirmed compromises of multiple organizations, and researchers warn that more than 7,500 SAP NetWeaver Application Servers remain exposed and potentially at risk.
The vulnerability, tracked as CVE-2025-31324 and assigned the maximum CVSS score of 10.0, is a critical unauthenticated file-upload flaw in the metadata uploader component of SAP NetWeaver Visual Composer, Censys researchers said in a blog post on Monday.
ReliaQuest discovered the flaw last week and reported it to SAP after observing attackers uploading JSP webshells into publicly accessible directories.
Researchers originally thought the attackers were exploiting either an older vulnerability, CVE-2017-9844, or an unreported remote-file-inclusion flaw, but once they saw exploitation of fully up-to-date systems, they realized the vulnerability was new.
Researchers at Rapid7 are seeing exploitation across multiple customer environments dating back to at least March 27. The customers being exploited are almost exclusively manufacturing companies, Rapid7 said.
“Once the threat actors gained initial access to victim environments via SAP NetWeaver exploitation, they dropped webshells (often multiple) and executed a variety of malicious commands,” Caitlin Condon, director of vulnerability intelligence at Rapid7, said via email.
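The two artifacts described above, an unauthenticated POST to the metadata uploader followed by a JSP webshell served from a public directory, are what a responder would hunt for first. The following script is an added example written for this article, not code from ReliaQuest, Rapid7, Mandiant or SAP: it walks a JSP webroot for files that are not in the deployment baseline or contain webshell-style constructs, and triages access-log lines for uploader POSTs and requests to unknown JSPs. The uploader endpoint path `/developmentserver/metadatauploader` and the portal (`irj`) webroot path are assumptions from the public NetWeaver Java layout and are not stated on the page; the log format, sample log lines and sample JSP files are constructed for the demonstration.

```python
import os
import re
import tempfile

# Assumptions (not stated on the page): the Visual Composer metadata uploader
# endpoint and the portal (irj) webroot where uploaded JSPs become reachable
# on a NetWeaver Java stack.
UPLOADER_PATH = "/developmentserver/metadatauploader"
IRJ_ROOT = "j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root"

# Code constructs typical of a JSP webshell; two or more in one file is a hit.
SHELL_PATTERNS = [
    ("runtime_exec", re.compile(r"Runtime\.getRuntime\(\)\.exec\(", re.I)),
    ("process_builder", re.compile(r"new\s+ProcessBuilder\(", re.I)),
    ("request_param", re.compile(r"request\.getParameter\(", re.I)),
    ("file_write", re.compile(r"FileOutputStream\(", re.I)),
]


def scan_jsp_tree(root, baseline=frozenset()):
    """Walk a JSP webroot and return sorted (relative_path, reasons) pairs for
    JSP files that are not in the deployment baseline or look like webshells."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".jsp"):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            reasons = []
            if rel not in baseline:
                reasons.append("not in baseline")
            with open(full, encoding="utf-8", errors="replace") as fh:
                body = fh.read()
            matched = [label for label, pat in SHELL_PATTERNS if pat.search(body)]
            if len(matched) >= 2:
                reasons.append("shell-like code: " + ", ".join(matched))
            if reasons:
                hits.append((rel, reasons))
    return sorted(hits)


# Combined-log-style lines; a constructed format, not SAP's own access log.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def triage_access_log(lines, known_jsps=frozenset()):
    """Flag POSTs to the metadata uploader and requests for JSPs under /irj/
    that are not part of the known deployment (likely webshell invocations)."""
    uploads, shell_requests = [], []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]
        if m.group("method") == "POST" and path.lower().startswith(UPLOADER_PATH):
            uploads.append((m.group("ip"), m.group("ts"), m.group("status")))
        elif path.startswith("/irj/") and path.lower().endswith(".jsp") and path not in known_jsps:
            shell_requests.append((m.group("ip"), m.group("ts"), path))
    return {"uploads": uploads, "shell_requests": shell_requests}


# Constructed sample log: an uploader POST from one IP, a call to the dropped
# JSP with a command parameter three seconds later, then ordinary portal traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [27/Mar/2025:10:01:12 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 512
203.0.113.7 - - [27/Mar/2025:10:01:15 +0000] "GET /irj/helper.jsp?cmd=whoami HTTP/1.1" 200 87
198.51.100.3 - - [27/Mar/2025:10:05:00 +0000] "GET /irj/portal HTTP/1.1" 200 4123
"""


def demo():
    """Build a throwaway webroot with one legitimate JSP and one constructed
    webshell-like JSP, then run both checks and return their findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, *IRJ_ROOT.split("/"))
        os.makedirs(root)
        with open(os.path.join(root, "index.jsp"), "w", encoding="utf-8") as fh:
            fh.write("<html><body>Portal landing page</body></html>\n")
        with open(os.path.join(root, "helper.jsp"), "w", encoding="utf-8") as fh:
            fh.write('<% String c = request.getParameter("cmd");\n'
                     '   Runtime.getRuntime().exec(c); %>\n')
        fs_hits = scan_jsp_tree(root, baseline=frozenset({"index.jsp"}))
    log_hits = triage_access_log(SAMPLE_LOG.splitlines(),
                                 known_jsps=frozenset({"/irj/portal"}))
    return fs_hits, log_hits


if __name__ == "__main__":
    fs_hits, log_hits = demo()
    for rel, reasons in fs_hits:
        print(f"[FS] {rel}: {'; '.join(reasons)}")
    for ip, ts, status in log_hits["uploads"]:
        print(f"[LOG] uploader POST from {ip} at {ts} -> HTTP {status}")
    for ip, ts, path in log_hits["shell_requests"]:
        print(f"[LOG] unknown JSP {path} requested by {ip} at {ts}")
```

On a real host, point `scan_jsp_tree` at the actual `irj` webroot with a baseline taken from a known-clean deployment, and feed `triage_access_log` the server's real access log after adapting `LOG_RE` to its format; a POST to the uploader followed within seconds by a request for a JSP that is not in the baseline is the sequence Rapid7 describes above and should be treated as a confirmed compromise, not a false positive.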
Many of the customers Rapid7 observed run SAP NetWeaver installations that are more than 10 years old and therefore lack years of other security fixes as well, leaving them exposed to far more than this one flaw.
SAP NetWeaver installations often involve business-critical applications, making companies reluctant to take them offline in order to update them.
Shadowserver on Sunday reported 454 vulnerable IP addresses, with the largest counts in the U.S., India and Australia.
Mandiant confirmed it is among a number of security firms responding to multiple incidents. Mandiant has observed exploitation activity dating back to mid-March, according to a LinkedIn post by CTO Charles Carmakal.
Visual Composer is not installed by default, but it is broadly enabled as a core component because business analysts use it to build business application processes without writing code, according to researchers at Onapsis.
The Visual Composer component is installed on at least 50% of Java systems and could be installed on as many as 70% of them, according to Onapsis researchers.
SAP last week said it first learned of the vulnerability in early April and planned to release a patch by the end of the month, but after additional information surfaced it issued an emergency patch on April 24.