Emergency patch for potential SAP zero-day that could grant full system control

German software giant paywalls details, but experts piece together the clues


SAP's latest out-of-band patch fixes a maximum-severity (CVSS 10.0) bug in NetWeaver that experts suspect has already been exploited as a zero-day.

However, we can't say for sure whether that's the case because the German software shop has restricted access to the details behind a customer paywall.

The vulnerability's CVE identifier, CVE-2025-31324, is known, though, and from the limited description entered into the National Vulnerability Database we understand it is a flaw in the metadata uploader component of NetWeaver's no-code Visual Composer app-building tool.

The NVD entry reads: "SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries that could severely harm the host system. This could significantly affect the confidentiality, integrity, and availability of the targeted system."

According to SAP security vendor Onapsis, the vulnerability has indeed already been exploited as a zero-day and gives attackers the opportunity to take full control of SAP business data and processes.

That puts ransomware deployment and lateral movement across the network on the cards too.

"We strongly recommend SAP customers to apply the emergency patch released by SAP earlier today, and assess vulnerable systems for compromise," it said via LinkedIn.

Elsewhere, infosec watchers have noted the similarities between the limited description of the issue and the verbiage used by ReliaQuest in its writeup of a mystery vulnerability in SAP NetWeaver, published earlier this week.

ReliaQuest researchers said on April 22 they had been investigating "multiple customer incidents" involving JSP webshells uploaded to SAP environments, several of which were fully updated and had patches applied.

These webshells allowed attackers to upload files and execute code. At the time, ReliaQuest said the issue was most likely either exploitation of an old NetWeaver bug (CVE-2017-9844, CVSS 9.8) or a brand-new, undisclosed flaw.
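To act on the "assess vulnerable systems for compromise" advice above, here is an added example (not code from The Register, SAP, ReliaQuest or Onapsis) of a JSP webshell sweep over the deployed web content of a NetWeaver Java host. The indicator patterns, the scratch directory layout and both sample JSP files are constructed for this example; the article names neither the upload endpoint nor the files recovered in the incidents, so nothing here is a signature for those specific shells.

```python
"""Hunt for JSP webshells under a NetWeaver Java web root (added example).

Not code from The Register, SAP, ReliaQuest or Onapsis. The indicator
patterns, the sweep root and the sample files are this example's own
assumptions; the article names neither the upload path nor the shells.
"""
import os
import re
import tempfile
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructs a JSP file should not contain under a web root: spawning a
# process, wiring a request parameter into that process, writing request
# data to disk, runtime class loading, or obviously obfuscated payloads.
INDICATORS = {
    "exec": re.compile(r"Runtime\.getRuntime\(\)\s*\.\s*exec|ProcessBuilder"),
    "param_to_exec": re.compile(
        r"exec\s*\([^)]*request\.getParameter"
        r"|request\.getParameter\([^)]*\)[^;\n]*exec"),
    "file_write": re.compile(r"FileOutputStream|Files\.write"),
    "classload": re.compile(r"defineClass\s*\(|URLClassLoader"),
    "encoded_payload": re.compile(
        r"Base64\.getDecoder\(\)|(?:\\u00[0-9a-fA-F]{2}){4,}"),
}

JSP_SUFFIXES = (".jsp", ".jspx")
EPOCH_2000 = datetime(2000, 1, 1, tzinfo=timezone.utc)  # handy `since` for tests


def scan_text(content: str) -> List[str]:
    """Return the names of every indicator that fires on one file's text."""
    return [name for name, rx in INDICATORS.items() if rx.search(content)]


def scan_tree(root: str, since: Optional[datetime] = None) -> List[Dict]:
    """Walk `root` and report JSP files that hit an indicator or are newer than `since`.

    `since` (tz-aware) should be the last sanctioned deployment; a JSP written
    after it deserves a look even with no pattern hit, because a shell can be
    written to avoid the patterns above.
    """
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(JSP_SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_text(fh.read())
            except OSError:
                continue  # unreadable file: note it elsewhere, keep sweeping
            mtime = datetime.fromtimestamp(os.path.getmtime(path), tz=timezone.utc)
            newer = since is not None and mtime > since
            if hits or newer:
                findings.append({
                    "path": path,
                    "indicators": hits,
                    "mtime": mtime.isoformat(),
                    "severity": "high" if hits else "review",
                })
    return findings


# Constructed sample inputs, not files recovered from any real incident.
SAMPLE_WEBSHELL = """<%@ page import="java.io.*" %>
<% if (request.getParameter("f") != null) {
     new FileOutputStream(request.getParameter("f")).write(
         request.getParameter("d").getBytes());
   }
   Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
   BufferedReader r = new BufferedReader(new InputStreamReader(p.getInputStream()));
   String line; while ((line = r.readLine()) != null) { out.println(line); } %>
"""

SAMPLE_BENIGN = """<%@ page language="java" %>
<html><body>Hello, <%= request.getParameter("name") %></body></html>
"""


def demo(since: Optional[datetime] = None) -> List[Dict]:
    """Drop both samples into a scratch web root (assumed layout) and sweep it."""
    with tempfile.TemporaryDirectory() as root:
        app = os.path.join(root, "app")
        os.makedirs(app)
        with open(os.path.join(app, "helper.jsp"), "w") as fh:
            fh.write(SAMPLE_WEBSHELL)
        with open(os.path.join(app, "index.jsp"), "w") as fh:
            fh.write(SAMPLE_BENIGN)
        return scan_tree(app, since=since)


if __name__ == "__main__":
    for f in demo():
        print(f["severity"], f["path"], f["indicators"])
```

Run it against the web application root of the NetWeaver Java server and pass `since=` as the timestamp of the last sanctioned deployment. Treat "high" findings as files to pull and inspect, and "review" findings as candidates rather than proof; a shell written without any of these constructs will only surface through the modification-time check, which is why that second path exists.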

Incident response efforts showed attackers who had already broken into customer environments were using the Brute Ratel red-teaming tool and the Heaven's Gate technique for code execution and detection evasion.

ReliaQuest also warned that any potential exploits of the vulnerability could lead to compromises of high-value targets.

Given that SAP is routinely used by large organizations and governments around the world – extensively across local and national government in the UK, for example – any zero-day that can lead to ransomware is highly valuable to attackers.

The Register asked SAP for more details. ®
