SAP NetWeaver Zero-Day Exploited to Deploy Webshells on Enterprise Servers
A critical zero-day in SAP NetWeaver Visual Composer is being actively exploited to upload webshells to enterprise SAP servers, enabling full remote control of critical business systems.
CVE References: CVE-2025-31324 (CVSS 10.0)
Affected: SAP NetWeaver Application Server Java with the Visual Composer component deployed
What happened: A critical zero-day vulnerability in SAP NetWeaver Application Server Java is being actively exploited by threat actors to upload JSP webshells to enterprise SAP servers. The flaw is a missing authorization check in the Visual Composer Metadata Uploader component: it accepts file uploads from unauthenticated clients, giving attackers the ability to execute arbitrary operating system commands as the SAP service user and fully compromise SAP environments.
Technical details: CVE-2025-31324 (CVSS 10.0) is an unauthenticated file upload vulnerability in the Visual Composer Metadata Uploader, reachable over HTTP at the /developmentserver/metadatauploader endpoint. Because no authorization check is enforced, an attacker can POST a crafted request that writes a JSP file into the web-accessible servlet_jsp directory of the irj portal application; the file is then executed by the Java server when the attacker simply browses to it, so no further authentication is required to run commands. Post-exploitation activity includes deployment of Brute Ratel and Cobalt Strike frameworks for lateral movement into the wider network. Multiple threat actors, including a suspected China-nexus group, have been observed exploiting this vulnerability. SAP addressed it out of band in SAP Security Note 3594142.
Who is affected: Organizations running SAP NetWeaver Application Server Java with the Visual Composer component deployed. Visual Composer is an optional component, so the first triage step is to confirm whether it is installed on each Java instance; if it is, the uploader endpoint is exposed to anyone who can reach the server over HTTP. SAP environments are typically central to business operations, managing ERP, supply chain, human resources, and financial functions, so compromise of an SAP system can expose the most sensitive business data in an organization.
What defenders should do: Apply the SAP emergency patch (SAP Security Note 3594142) immediately. If patching is not possible, disable the Visual Composer component if it is not in use, or restrict access to the /developmentserver/metadatauploader endpoint through web application firewall rules or network segmentation. Treat every system that was exposed before patching as potentially compromised: scan the irj servlet_jsp directories for unexpected .jsp files and for JSP code that calls Runtime.exec or ProcessBuilder, and review HTTP access logs for POST requests to the uploader endpoint followed by requests to newly created JSP files. Review SAP security configurations using the SAP Security Notes referenced in the advisory. Monitor for Brute Ratel and Cobalt Strike beacons originating from the SAP server environment, since their presence indicates the attacker has moved past the initial webshell.
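The two hunting checks above (uploader requests in the access log, and shell-like JSP files on disk) can be scripted. The following is an added example written for this page, not tooling from SAP or from the researchers who reported the campaign. The common-log-style access log format, the directory layout and the sample log lines and JSP files are constructed assumptions; adapt the regex and the root path to your ICM/HTTP log layout and instance directory.

```python
"""
Hunting helpers for CVE-2025-31324 (SAP NetWeaver Visual Composer Metadata Uploader).
Added example, not SAP's or any vendor's tooling. The log format, the SAP
directory layout and the sample data are assumptions; adapt them to your site.
"""
import os
import re
import tempfile

# Endpoint named in the advisory; requests here without a session are the
# exploitation signal, because the flaw is a missing authorization check.
VULN_ENDPOINT = "/developmentserver/metadatauploader"

# Assumed common-log-style access log: client ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample lines (not real traffic) exercising both stages of the attack.
SAMPLE_LOG = [
    '203.0.113.10 - - [25/Apr/2025:10:14:02 +0000] "POST /developmentserver/metadatauploader?CONTENTTYPE=MODEL&CLIENT=1 HTTP/1.1" 200 512',
    '198.51.100.7 - - [25/Apr/2025:10:14:05 +0000] "GET /irj/portal HTTP/1.1" 200 10240',
    '203.0.113.10 - - [25/Apr/2025:10:15:30 +0000] "GET /irj/helper.jsp?cmd=whoami HTTP/1.1" 200 64',
    '198.51.100.7 - - [25/Apr/2025:10:16:00 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 401 0',
]

def find_uploader_requests(lines):
    """Return (client, method, status) for every request to the uploader endpoint.
    A POST answered with 200 is the upload succeeding; a 401/403 shows an
    authorization check (patched system or WAF rule) refusing the request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0].lower()
        if path.startswith(VULN_ENDPOINT):
            hits.append((m.group("client"), m.group("method"), int(m.group("status"))))
    return hits

def find_webshell_access(lines):
    """Return (client, path) for requests to any .jsp carrying a command-like
    query parameter: the post-upload stage where the attacker drives the shell."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m.group("path").partition("?")
        if path.lower().endswith(".jsp") and re.search(r"(^|&)(cmd|command|exec)=", query, re.I):
            hits.append((m.group("client"), m.group("path")))
    return hits

# Indicators that a JSP is a command shell rather than a normal portal page.
WEBSHELL_PATTERNS = [
    re.compile(rb"Runtime\.getRuntime\(\)\.exec"),
    re.compile(rb"new\s+ProcessBuilder"),
    re.compile(rb"request\.getParameter\(\s*\"(cmd|command|exec)\""),
]

def scan_for_webshells(root):
    """Walk a servlet_jsp tree (assumed location: the irj application's
    servlet_jsp/irj/root directory) and return .jsp files, relative to root,
    that contain OS command-execution primitives."""
    suspicious = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(".jsp"):
                continue
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                data = fh.read()
            if any(p.search(data) for p in WEBSHELL_PATTERNS):
                suspicious.append(os.path.relpath(full, root))
    return sorted(suspicious)

def build_sample_tree():
    """Create a throwaway directory with one benign and one shell-like JSP
    (constructed content, not a real sample) so scan_for_webshells runs offline."""
    root = tempfile.mkdtemp(prefix="irj_root_")
    with open(os.path.join(root, "index.jsp"), "wb") as fh:
        fh.write(b'<%@ page language="java" %><html><body>Portal</body></html>')
    with open(os.path.join(root, "helper.jsp"), "wb") as fh:
        fh.write(b'<% Runtime.getRuntime().exec(request.getParameter("cmd")); %>')
    return root

if __name__ == "__main__":
    for hit in find_uploader_requests(SAMPLE_LOG):
        print("uploader request:", hit)
    for hit in find_webshell_access(SAMPLE_LOG):
        print("webshell driven :", hit)
    print("suspicious jsp  :", scan_for_webshells(build_sample_tree()))
```

On the constructed sample the first check flags the successful POST from 203.0.113.10 and the refused GET from 198.51.100.7, the second check flags the same attacker client driving helper.jsp with a cmd parameter, and the disk scan returns only helper.jsp. In a real investigation, correlate the client address and timestamp of a 200 on the uploader with the creation time of any flagged JSP; a legitimate Visual Composer user should not be producing files that call Runtime.exec.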
Broader implications: The exploitation of SAP zero-days by advanced threat actors represents a significant escalation in targeting business-critical applications. SAP systems are the operational backbone of many Fortune 500 companies, and their compromise can provide access to intellectual property, financial records, and strategic business data. This vulnerability reinforces the need for SAP-specific security monitoring capabilities that many organizations still lack.