A newly discovered vulnerability in SAP NetWeaver is being actively exploited by cybercriminals to plant malicious web shells and deploy advanced hacking tools like the Brute Ratel C4 framework. According to cybersecurity firm ReliaQuest, attackers are abusing this flaw to gain unauthorized access to vulnerable systems and execute harmful code remotely.
Vulnerability Allows Unauthorized File Uploads
The flaw has now been officially tracked as CVE-2025-31324 and has received the highest severity rating of 10.0 (CVSS v3.1). The issue lies in the Metadata Uploader component of SAP NetWeaver Visual Composer, a tool used by developers to build business applications without needing to write code manually.
This vulnerability allows unauthenticated attackers to upload any file to the server—including executable malware—without any security checks. The affected component fails to properly verify user permissions, making it easy for hackers to plant malicious files on the system.
ReliaQuest initially suspected the flaw to be a remote file inclusion (RFI) vulnerability but later confirmed that it was actually an unrestricted file upload issue.
Malicious Activity Detected in the Wild
The malicious activity was first detected in April 2025, during an investigation into several compromised SAP NetWeaver systems. ReliaQuest discovered that hackers were uploading JSP (JavaServer Pages) web shells into directories such as servlet_jsp/irj/root/. These lightweight web shells give attackers persistent access, allowing them to upload more files, steal data, and execute remote code.
The security team also observed the use of Brute Ratel C4, a powerful post-exploitation framework, and the Heaven’s Gate technique, which helps malware bypass modern endpoint protection software. These tools are usually associated with advanced persistent threat (APT) groups and initial access brokers (IABs), suggesting that attackers may be selling access to compromised SAP systems on dark web forums.
Possibly a Zero-Day Exploit
One concerning detail is that many of the compromised SAP servers were already updated with the latest patches. This means the attackers may have been exploiting a zero-day vulnerability—a flaw that was unknown to the vendor at the time of exploitation.
This has now been confirmed, as SAP officially acknowledged and fixed CVE-2025-31324 in an emergency security update released on April 24, 2025. However, this update is only accessible to SAP customers, and organizations must act quickly to apply the patch and secure their systems.
Why SAP Is a Prime Target
SAP software is widely used by enterprises and government agencies, making it an attractive target for cybercriminals. Since SAP environments are often deployed on-premises, the responsibility for timely updates and patches usually falls on the system administrators. Delays in patching leave these systems open to high-impact cyberattacks.
ReliaQuest emphasized the importance of securing SAP environments, stating:
“SAP systems often contain sensitive data and serve as critical infrastructure for large organizations. Any vulnerability in these systems can lead to data breaches, financial loss, or even national security risks.”
Evidence of Active Exploitation
ReliaQuest’s report explains that attackers took several days after gaining initial access to begin deeper exploitation. This delay is consistent with the tactics of initial access brokers, who typically sell access to threat actors interested in ransomware deployment, espionage, or data theft.
The company observed a pattern of attacks involving known exploits (such as CVE-2017-9844) combined with new techniques, further indicating a sophisticated and well-coordinated campaign.
Interestingly, another older SAP vulnerability—CVE-2017-12637—was also flagged by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) just a month earlier for being actively exploited in the wild. That flaw allowed attackers to gain access to sensitive SAP configuration files.
What Organizations Should Do
If your organization uses SAP NetWeaver, it is critical to:
Apply the latest patch addressing CVE-2025-31324 immediately.
Check for unauthorized files in sensitive directories like
servlet_jsp/irj/root/.Audit recent user activity and network logs for signs of exploitation.
Isolate compromised systems and rotate credentials.
Use endpoint detection tools to scan for web shells or frameworks like Brute Ratel.
SAP customers can access the emergency patch via their SAP portal. Early detection and swift action are essential to prevent attackers from escalating their access or stealing sensitive business data.
Conclusion
This latest SAP vulnerability highlights the critical importance of proactive cybersecurity in enterprise environments. With threat actors increasingly targeting complex platforms like SAP, organizations must stay vigilant, patch systems promptly, and monitor for suspicious activity.
As SAP continues to be a cornerstone of business operations for major companies and governments, securing these systems is no longer optional—it’s essential.
Follow us on 
(Twitter) for real time updates and exclusive content.
Interesting Article : Critical Commvault Flaw (CVE-2025-34028) Lets Hackers Execute Code Remotely
Pingback: New WooCommerce Phishing Attack Installs Malware on Wordpress Websites