Full Report
Researchers attribute the attacks to an initial access broker who is exploiting the 10.0 critical vulnerability. The post SAP zero-day vulnerability under widespread active exploitation appeared first on CyberScoop.
Analysis Summary
# Vulnerability: SAP NetWeaver Unrestricted File Upload Leading to RCE (Zero-Day)
## CVE Details
- CVE ID: CVE-2025-31324
- CVSS Score: 10.0 (Critical)
- CWE: [Not explicitly stated, but aligns with CWE-434: Unrestricted Upload of File with Dangerous Type]
## Affected Systems
- Products: SAP NetWeaver (specifically the SAP Visual Composer component)
- Versions: Unspecified vulnerable versions (affected systems appear to be those with the Visual Composer component enabled). Onapsis estimates that 50-70% of internet-facing SAP NetWeaver Application Server Java instances may have the component available.
- Configurations: Systems where the SAP Visual Composer component is enabled/available.
## Vulnerability Description
This is a critical zero-day vulnerability residing within the SAP Visual Composer component of SAP NetWeaver. The flaw is an unrestricted file upload vulnerability that allows unauthenticated attackers to bypass security checks and upload arbitrary files directly to the system. Successful exploitation leads to full system compromise, as attackers can use the uploaded file (e.g., a web shell backdoor) to achieve Remote Code Execution (RCE).
## Exploitation
- Status: Actively exploited in the wild; security researchers report that exploitation is widespread.
- Complexity: Low (Unauthenticated remote attack).
- Attack Vector: Network (Remote, unauthenticated).
## Impact
- Confidentiality: High (Total system compromise).
- Integrity: High (Total system compromise/malicious modification).
- Availability: High (Potential for system disruption or takeover).
## Remediation
### Patches
- SAP issued an emergency patch for the vulnerability on Thursday following disclosure on Tuesday.
- Patch information is available via SAP security advisory, accessible only to logged-in SAP customers.
### Workarounds
- No specific workarounds were detailed in the provided context, but immediate patching is necessary because of widespread active exploitation. System administrators should prioritize applying the emergency patch immediately.
## Detection
- Indicators of Compromise (IoCs): Threat actors have been observed using this vulnerability to drop web shell backdoors onto exposed systems as a foothold for further access.
- Detection methods and tools: Threat hunting focused on suspicious file uploads to SAP NetWeaver instances, particularly in areas related to the Visual Composer component, and the presence of unexpected web shells.
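As an added illustration of the threat-hunting approach above (example code written for this summary, not from CyberScoop, SAP, ReliaQuest or Onapsis), the script below scans web-server access-log lines for a successful POST to an upload endpoint and for later successful requests to `.jsp` files that are not on an allowlist, which is the pattern an uploaded web shell leaves behind. The log lines are constructed, and `/VC_UPLOAD_PLACEHOLDER/` and `/WEBROOT_PLACEHOLDER/` are placeholders, not the real Visual Composer or NetWeaver paths; substitute the paths from the vendor advisory for your environment.

```python
import re
from datetime import datetime
from typing import Dict, List, Set

# Constructed access-log lines (RFC 5737 test addresses). The upload and
# web-root paths are placeholders, not SAP's real component paths.
SAMPLE_LOG = """\
203.0.113.5 - - [24/Apr/2025:10:01:02 +0000] "POST /VC_UPLOAD_PLACEHOLDER/upload HTTP/1.1" 200 512
203.0.113.5 - - [24/Apr/2025:10:01:09 +0000] "GET /WEBROOT_PLACEHOLDER/helper.jsp HTTP/1.1" 200 88
198.51.100.7 - - [24/Apr/2025:10:05:00 +0000] "GET /irj/portal HTTP/1.1" 200 4096
203.0.113.9 - - [24/Apr/2025:10:07:00 +0000] "GET /WEBROOT_PLACEHOLDER/missing.jsp HTTP/1.1" 404 0
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str) -> Dict:
    """Parse one common-log-format line; return {} if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return {}
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec


def hunt(log_text: str, upload_prefix: str, known_jsp: Set[str],
         window_s: int = 3600) -> List[Dict]:
    """Flag successful POSTs to the upload endpoint and any later successful
    request for a .jsp file outside the allowlist (possible web shell)."""
    findings, upload_times = [], []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["status"] != 200:
            continue  # failed requests (e.g. 404) are noise for this hunt
        if rec["method"] == "POST" and rec["path"].startswith(upload_prefix):
            upload_times.append(rec["ts"])
            findings.append({"kind": "upload", "ip": rec["ip"], "path": rec["path"]})
        elif rec["path"].lower().endswith(".jsp") and rec["path"] not in known_jsp:
            # True if an upload preceded this request within the window
            recent = any(0 <= (rec["ts"] - t).total_seconds() <= window_s
                         for t in upload_times)
            findings.append({"kind": "webshell_access", "ip": rec["ip"],
                             "path": rec["path"], "after_upload": recent})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG, "/VC_UPLOAD_PLACEHOLDER/", {"/irj/portal/known.jsp"}):
        print(f)
```

On the constructed sample this reports the upload from 203.0.113.5 and the `.jsp` request seven seconds later as a shell access that followed an upload, while the 404 and the portal page are ignored.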
## References
- Vendor Advisory: SAP Security Notes/Advisory (Requires SAP login)
- Research: ReliaQuest Blog
- Research: Onapsis Blog