# SAP NetWeaver Zero-Day Allegedly Exploited by Initial Access Broker
A potentially catastrophic zero-day vulnerability in the SAP NetWeaver Visual Composer Metadata Uploader has allegedly been exploited in the wild, putting thousands of internet-facing SAP applications at risk. Researchers warn that the flaw (CVE-2025-31324, CVSS score 10.0) allows unauthenticated attackers to upload arbitrary executable files to the server.
## A Critical Vulnerability
The vulnerability stems from a missing authorization check on the upload endpoint: a request that should require an authenticated, authorized user is accepted from anyone, so an attacker can place arbitrary files, including server-side scripts, in a web-accessible directory. Once uploaded, such a file can be requested over HTTP and executed by the application server, potentially leading to a full compromise of the targeted SAP environment. This is particularly concerning given that thousands of internet-facing applications rely on SAP NetWeaver.
## An Investigation by ReliaQuest
Researchers from ReliaQuest discovered the vulnerability while investigating multiple attacks, some of which led to the compromise of fully patched systems. According to their report:
"On April 22, 2025, ReliaQuest published an investigation into exploitation activity targeting SAP NetWeaver systems, uncovering a critical vulnerability later identified by SAP as "CVE-2025-31324" with a severity score of 10."
Initially suspected to be a remote file inclusion (RFI) issue, the flaw was confirmed to be an unrestricted file upload vulnerability. SAP has since released a patch to address it, which we strongly recommend applying.
## High-Value Targets
SAP systems are high-value targets because governments and large enterprises run their core business processes on them. ReliaQuest reported the vulnerability to SAP, which led to the patch release. Before public disclosure, ReliaQuest deployed detection mechanisms and enhanced threat visibility to protect its customers.
## Exploitation Techniques
Attackers abused the Metadata Uploader to upload malicious JSP webshells with crafted POST requests. They then invoked the uploaded files with ordinary GET requests, gaining command execution and ultimately full control of the target systems. All observed webshells were dropped in the same root directory, had similar capabilities, and reused code from a public GitHub remote code execution (RCE) project.
"The vulnerability involved in these cases lies in the /developmentserver/metadatauploader endpoint, a feature designed to handle metadata files for application development and configuration in SAP applications within the NetWeaver environment. In theory, it’s supposed to streamline the transfer and processing of files like configuration data or serialized objects."
## A Sophisticated Threat
Attackers used the webshells to run system commands via GET requests, upload further files, and maintain persistence. In at least one case, they went on to deploy Brute Ratel, a commercial post-exploitation command-and-control framework, and used the Heaven's Gate technique (switching a 32-bit process into 64-bit execution to slip past user-mode security hooks) to improve stealth and control, signaling a capable adversary aiming at full system compromise and data theft.
"In one instance, we observed that it took several days for the attacker to move from initial access to performing follow-up actions."
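The upload-then-execute chain described in the two sections above (a POST to the Metadata Uploader endpoint, then GET requests to the dropped JSP webshell carrying commands) leaves a recognisable footprint in web server access logs. The following Python script is an added hunting example written for this page; it is not code from ReliaQuest or SAP. The log lines are constructed for illustration, and the webshell filename, the `cmd`-style parameter names, and the seven-day correlation window (chosen because the report notes that follow-up actions sometimes came days after initial access) are assumptions rather than indicators from the incident.

```python
"""
Hunt for the CVE-2025-31324 exploitation chain in access logs:
a successful POST to /developmentserver/metadatauploader followed, from the
same client, by GET requests to a .jsp file (the dropped webshell).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse, parse_qs

UPLOADER = "/developmentserver/metadatauploader"

# Assumed query-parameter names a webshell might use to receive commands.
COMMAND_PARAMS = {"cmd", "command", "exec"}

# Constructed sample log lines in common log format (not real incident data).
# The IPs, the webshell path /irj/helper.jsp and the commands are invented.
SAMPLE_LOG = """\
203.0.113.7 - - [22/Apr/2025:10:01:12 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 512
198.51.100.3 - - [22/Apr/2025:10:02:40 +0000] "GET /irj/portal HTTP/1.1" 200 8124
203.0.113.7 - - [25/Apr/2025:08:11:55 +0000] "GET /irj/helper.jsp?cmd=whoami HTTP/1.1" 200 64
203.0.113.7 - - [25/Apr/2025:08:13:10 +0000] "GET /irj/helper.jsp?cmd=id HTTP/1.1" 200 80
192.0.2.9 - - [22/Apr/2025:11:15:00 +0000] "GET /irj/portal/anonymous HTTP/1.1" 302 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)


def parse_log(text):
    """Parse common-log-format lines into dicts, sorted by timestamp."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # ignore lines that are not in the expected format
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        e["status"] = int(e["status"])
        url = urlparse(e["target"])
        e["path"] = url.path
        e["query"] = parse_qs(url.query)
        entries.append(e)
    entries.sort(key=lambda e: e["ts"])  # logs are not guaranteed to be ordered
    return entries


def find_exploit_chains(entries, window=timedelta(days=7)):
    """
    Correlate successful uploader POSTs with later GETs to .jsp files from the
    same client within `window`. Returns one finding per suspicious GET.
    """
    uploads = defaultdict(list)  # client IP -> timestamps of accepted uploads
    findings = []
    for e in entries:
        if e["method"] == "POST" and e["path"].lower() == UPLOADER and e["status"] == 200:
            uploads[e["ip"]].append(e["ts"])
            continue
        if e["method"] == "GET" and e["path"].lower().endswith(".jsp"):
            prior = [t for t in uploads[e["ip"]] if timedelta(0) <= e["ts"] - t <= window]
            if prior:
                cmds = [v for k, vals in e["query"].items()
                        if k.lower() in COMMAND_PARAMS for v in vals]
                findings.append({
                    "ip": e["ip"],
                    "upload_ts": max(prior),
                    "webshell": e["path"],
                    "exec_ts": e["ts"],
                    "commands": cmds,
                })
    return findings


if __name__ == "__main__":
    for f in find_exploit_chains(parse_log(SAMPLE_LOG)):
        print(f"{f['ip']} uploaded at {f['upload_ts']:%Y-%m-%d %H:%M} "
              f"then hit {f['webshell']} at {f['exec_ts']:%Y-%m-%d %H:%M} "
              f"with commands {f['commands']}")
```

Any accepted POST to the uploader endpoint from an unexpected client is worth investigating on its own, since the endpoint should not be reachable by unauthenticated users on a patched or hardened system; the JSP correlation simply raises confidence that a webshell was actually dropped and used. Widen the window if your retention allows, because the report shows attackers may sit on their access for days before acting.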
## An Initial Access Broker?
Based on the delay between initial access and subsequent actions, analysts believe the attacker may be an initial access broker. Such brokers gain a foothold through VPN or RDP credentials or by exploiting vulnerabilities, then sell that access to other criminals on underground forums.
The activity resembled past exploitation of CVE-2017-9844, but because the affected servers were fully patched, ReliaQuest assessed with high confidence at the time that a previously unreported flaw in SAP NetWeaver, initially thought to be an RFI issue, was being used. That flaw was later confirmed as the unrestricted file upload vulnerability now tracked as CVE-2025-31324.
"It is currently unconfirmed whether this only impacts specific versions of NetWeaver; however, in the cases where these tactics were observed, the server had the most up-to-date patch."
Stay vigilant: apply SAP's patch for this critical vulnerability, and review access logs for requests to the /developmentserver/metadatauploader endpoint and for unexpected JSP files on your NetWeaver servers.