SAP fixes suspected Netweaver zero-day exploited in attacks

SAP has released out-of-band emergency NetWeaver updates to fix a suspected remote code execution (RCE) zero-day flaw actively exploited to hijack servers. The vulnerability, tracked under CVE-2025-31324 and rated critical (CVSS v3 score: 10.0), is an unauthenticated file upload vulnerability in SAP NetWeaver Visual Composer, specifically the Metadata Uploader component. It allows attackers to upload malicious executable files without needing to log in, potentially leading to remote code execution and full system compromise. Though the vendor's bulletin isn't public, ReliaQuest reported earlier this week about an actively exploited vulnerability on SAP NetWeaver Visual Composer, specifically the '/developmentserver/metadatauploader' endpoint, which aligns with CVE-2025-31324. ReliaQuest reported that multiple customers were compromised via unauthorized file uploads on SAP NetWeaver, with the attackers uploading JSP webshells to publicly accessible directories. These uploads enable ... Read full article.