CISA Warns SAP 0-day Vulnerability Exploited in the Wild
- С сайта: Vulnerability(cybersecuritynews.com)
- Вернуться к списку новостей
С сайта: Vulnerability(cybersecuritynews.com)
CISA has added a critical SAP NetWeaver vulnerability to its Known Exploited Vulnerabilities (KEV) catalog on April 29, 2025.
The zero-day flaw, tracked as CVE-2025-31324, carries a maximum CVSS score of 10.0 and has been actively exploited in the wild since at least March 2025.
CVE-2025-31324: Critical SAP NetWeaver File Upload Flaw
CVE-2025-31324 is an unrestricted file upload vulnerability affecting the Metadata Uploader component in SAP NetWeaver Visual Composer.
The critical flaw allows unauthenticated attackers to upload potentially malicious executable binaries to vulnerable systems. Security researchers have classified this vulnerability under CWE-434 (Unrestricted Upload of File with Dangerous Type).
“This vulnerability exposes the development server to the network without any authentication, meaning attackers can upload malicious files without needing a login,” explained security researchers at Onapsis who observed active exploitation in their global threat intelligence network.
The vulnerability affects SAP NetWeaver Application Server Java (AS Java), specifically targeting the Visual Composer component.
While not installed by default, researchers estimate this component is enabled in 50-70% of Java systems due to its popularity among business process specialists who use it to develop applications without manual coding.
Risk Factors Details Affected ProductsSAP NetWeaver Application Server Java, specifically the Visual Composer component (VCFRAMEWORK 7.50); “developmentserver/metadatauploader” endpoint is vulnerable. ImpactUpload arbitrary files leading to remote code execution (RCE), Full compromiseExploit PrerequisitesNo authentication or special privileges required; attacker only needs network access to the vulnerable endpoint. CVSS 3.1 Score10.0 (Critical)
Security firm ReliaQuest first publicly reported observations of exploitation on April 22, 2025, with evidence suggesting attacks dated back to March 2025.
Threat actors have been observed explicitly targeting the /developmentserver/metadatauploader endpoint to upload JSP webshells that provide backdoor access to compromised systems.
The attack requires no authentication and allows attackers to control the targeted SAP system fully, potentially providing access to sensitive business data, financial records, and personally identifiable information.
According to Onapsis, exploitation can lead to “immediate full compromise” of affected systems and could be used as a foothold to pivot into connected systems.
Following CISA’s addition of CVE-2025-31324 to the KEV catalog, federal agencies subject to Binding Operational Directive (BOD) 22-01 must remediate the vulnerability by May 20, 2025.
The directive, established in November 2021, requires agencies to patch known exploited vulnerabilities according to timelines set by CISA.
SAP released an emergency patch on April 24, 2025, via Security Note #3594142. Organizations unable to immediately patch can implement temporary mitigations detailed in SAP Note #3593336.
SAP has also published an FAQ document to assist customers in identifying potential compromise indicators, such as unfamiliar .jsp, .java, or .class files in specific directories.
Security experts noted that this vulnerability carries significant risk to organizations running SAP NetWeaver systems, particularly those that may not have received the same level of cybersecurity attention as cloud environments.
#Cyber_Security #Cyber_Security_News #Vulnerability #Zero-Day #cyber_security #cyber_security_news #vulnerability
Оригинальная версия на сайте:
CISA Warns SAP 0-day Vulnerability Exploited in the Wild
Author: KaaviyaCISA has added a critical SAP NetWeaver vulnerability to its Known Exploited Vulnerabilities (KEV) catalog on April 29, 2025.
The zero-day flaw, tracked as CVE-2025-31324, carries a maximum CVSS score of 10.0 and has been actively exploited in the wild since at least March 2025.
CVE-2025-31324: Critical SAP NetWeaver File Upload Flaw
CVE-2025-31324 is an unrestricted file upload vulnerability affecting the Metadata Uploader component in SAP NetWeaver Visual Composer.
The critical flaw allows unauthenticated attackers to upload potentially malicious executable binaries to vulnerable systems. Security researchers have classified this vulnerability under CWE-434 (Unrestricted Upload of File with Dangerous Type).
“This vulnerability exposes the development server to the network without any authentication, meaning attackers can upload malicious files without needing a login,” explained security researchers at Onapsis who observed active exploitation in their global threat intelligence network.
The vulnerability affects SAP NetWeaver Application Server Java (AS Java), specifically targeting the Visual Composer component.
While not installed by default, researchers estimate this component is enabled in 50-70% of Java systems due to its popularity among business process specialists who use it to develop applications without manual coding.
Risk Factors Details Affected ProductsSAP NetWeaver Application Server Java, specifically the Visual Composer component (VCFRAMEWORK 7.50); “developmentserver/metadatauploader” endpoint is vulnerable. ImpactUpload arbitrary files leading to remote code execution (RCE), Full compromiseExploit PrerequisitesNo authentication or special privileges required; attacker only needs network access to the vulnerable endpoint. CVSS 3.1 Score10.0 (Critical)
Security firm ReliaQuest first publicly reported observations of exploitation on April 22, 2025, with evidence suggesting attacks dated back to March 2025.
Threat actors have been observed explicitly targeting the /developmentserver/metadatauploader endpoint to upload JSP webshells that provide backdoor access to compromised systems.
The attack requires no authentication and allows attackers to control the targeted SAP system fully, potentially providing access to sensitive business data, financial records, and personally identifiable information.
According to Onapsis, exploitation can lead to “immediate full compromise” of affected systems and could be used as a foothold to pivot into connected systems.
Following CISA’s addition of CVE-2025-31324 to the KEV catalog, federal agencies subject to Binding Operational Directive (BOD) 22-01 must remediate the vulnerability by May 20, 2025.
The directive, established in November 2021, requires agencies to patch known exploited vulnerabilities according to timelines set by CISA.
SAP released an emergency patch on April 24, 2025, via Security Note #3594142. Organizations unable to immediately patch can implement temporary mitigations detailed in SAP Note #3593336.
SAP has also published an FAQ document to assist customers in identifying potential compromise indicators, such as unfamiliar .jsp, .java, or .class files in specific directories.
Security experts noted that this vulnerability carries significant risk to organizations running SAP NetWeaver systems, particularly those that may not have received the same level of cybersecurity attention as cloud environments.
#Cyber_Security #Cyber_Security_News #Vulnerability #Zero-Day #cyber_security #cyber_security_news #vulnerability
Оригинальная версия на сайте:
