Over 1,200 SAP NetWeaver servers vulnerable to actively exploited flaw

Published on: 2025-08-06 16:46:43

Over 1,200 internet-exposed SAP NetWeaver instances are vulnerable to an actively exploited, maximum-severity unauthenticated file upload vulnerability that allows attackers to hijack servers. SAP NetWeaver is an application server and development platform that runs and connects SAP and non-SAP applications across different technologies. Last week, SAP disclosed an unauthenticated file upload vulnerability, tracked as CVE-2025-31324, in SAP NetWeaver Visual Composer, specifically the Metadata Uploader component. The flaw allows remote attackers to upload arbitrary executable files to exposed instances without authenticating, achieving code execution and full system compromise. Multiple cybersecurity firms, including ReliaQuest, watchTowr, and Onapsis, confirmed the flaw is actively exploited in attacks, with threat actors utilizing it to drop web shells on vulnerable servers. An SAP spokesperson told BleepingComputer that they were aware of these attempts and released a workaround o ...