A severe security flaw in SAP’s NetWeaver platform has emerged, earning the highest possible risk rating of 10 out of 10. An unscheduled emergency patch addresses the vulnerability, CVE-2025-31324, which experts believe may already have been exploited in the wild as a zero-day. The situation is particularly concerning because SAP has restricted detailed information about the vulnerability to paying customers only, potentially leaving others at risk.

Understanding the Technical Vulnerability

The critical flaw resides in the metadata loading component of SAP NetWeaver Visual Composer, a codeless application development tool widely used across SAP environments. According to the U.S. National Vulnerability Database, the issue stems from inadequate permission controls, enabling unauthenticated attackers to upload malicious executable files to affected systems.

Security firm Onapsis confirms the vulnerability has been actively exploited, allowing attackers to gain unfettered access to business-critical data and processes within SAP environments. This access creates perfect conditions for deploying ransomware attacks and establishing persistent network footholds.

Signs of Active Exploitation

Cybersecurity researchers have noted striking similarities between this vulnerability and recent incidents reported by ReliaQuest. Their investigation uncovered multiple SAP environments compromised by JSP-based webshells, despite having all current patches installed. These webshells enabled attackers to transfer files and execute code directly on compromised servers.

During incident response, investigators discovered that attackers were using sophisticated techniques:

  1. Deployment of Brute Ratel penetration testing tools
  2. Implementation of the Heaven’s Gate technique to evade detection systems
  3. Execution of malicious code on compromised systems

Widespread Impact and Risk Assessment

The potential impact of this vulnerability cannot be overstated. SAP systems form the backbone of operations for countless corporations and government agencies worldwide, including the UK government. This widespread adoption makes the vulnerability particularly attractive to threat actors, especially given its potential to facilitate ransomware deployment.

Immediate Action Required

Security experts strongly recommend that all SAP customers take immediate action:

  1. Install the emergency patch immediately
  2. Conduct thorough analysis of potentially vulnerable systems
  3. Implement additional monitoring for unusual activity
  4. Review system logs for signs of compromise
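
One way to approach the log review in step 4, given the pattern described above (an unauthenticated upload followed by a JSP webshell), is sketched below. This is an added example, not code from SAP, Onapsis or ReliaQuest; the Common Log Format layout, the one-hour window, the placeholder upload path and the sample lines are all assumptions to adapt to your own access logs.

```python
import re
from datetime import datetime, timedelta

# Assumed layout: Common Log Format, lines in chronological order.
LINE = re.compile(r'(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
WINDOW = timedelta(hours=1)  # assumed correlation window

# Constructed sample data; addresses and paths are placeholders.
SAMPLE_LOG = """\
198.51.100.7 - jdoe [22/Apr/2025:09:00:01 +0000] "GET /app/index.jsp HTTP/1.1" 200 5120
203.0.113.9 - - [22/Apr/2025:09:14:30 +0000] "POST /UPLOAD-ENDPOINT-PLACEHOLDER HTTP/1.1" 200 64
203.0.113.9 - - [22/Apr/2025:09:14:41 +0000] "GET /app/x1.jsp HTTP/1.1" 200 18
198.51.100.7 - jdoe [22/Apr/2025:09:20:00 +0000] "GET /app/index.jsp HTTP/1.1" 200 5120
198.51.100.8 - - [22/Apr/2025:09:25:00 +0000] "GET /app/missing.jsp HTTP/1.1" 404 0
"""

def find_suspect_jsp(log_text, window=WINDOW):
    """Return (jsp_path, first_seen, upload_path, upload_ip) for every JSP that
    is first served successfully within `window` after an unauthenticated
    POST that also succeeded (2xx)."""
    uploads, seen_jsp, hits = [], set(), []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # line does not fit the assumed format
        ip, user, ts, method, url, status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        path = url.split("?", 1)[0]
        ok = status.startswith("2")
        if path.lower().endswith(".jsp"):
            if ok and path not in seen_jsp:
                seen_jsp.add(path)  # first successful request for this JSP
                recent = [u for u in uploads if when - u[0] <= window]
                if recent:
                    _, up_ip, up_path = recent[-1]
                    hits.append((path, when.isoformat(), up_path, up_ip))
        elif method == "POST" and user == "-" and ok:
            uploads.append((when, ip, path))  # candidate unauthenticated upload
    return hits

if __name__ == "__main__":
    for hit in find_suspect_jsp(SAMPLE_LOG):
        print("review:", hit)
```

A hit is a lead for investigation, not proof of compromise: confirm it against the file system (creation time and content of the JSP) before acting on it.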

About SAP

SAP is a global leader in enterprise application software, helping companies of all sizes across virtually every industry run at their best. From back office to boardroom, warehouse to storefront, desktop to mobile device, SAP empowers people and organizations to work together efficiently and use business insight effectively. SAP applications and services enable customers to operate profitably, adapt continuously, and grow sustainably.

With over 440,000 customers in more than 180 countries, SAP solutions are used by 92% of the Forbes Global 2000 companies, making any vulnerability in their systems a potential threat to global economic stability.

Author

Editorial Team
The Editorial Team at Security Land is comprised of experienced professionals dedicated to delivering insightful analysis, breaking news, and expert perspectives on the ever-evolving threat landscape.