Unseen Entry Points: SAP’s Critical Flaw Opens the Gates for Hackers

In a high-stakes alert to organizations worldwide, cybersecurity researchers have uncovered a critical flaw in SAP's widely deployed NetWeaver Visual Composer, one that hackers are already actively exploiting. Tracked as CVE-2025-31324, the vulnerability lets unauthenticated attackers upload malicious executable files, including JSP webshells, to the application server, giving them an open door into vulnerable systems. What makes this even more alarming is its CVSS score of 10.0, the maximum possible, underlining the urgency of immediate action.
The Hidden Breach: How It Was Found
Researchers at cybersecurity firm ReliaQuest first identified the flaw while investigating a series of attacks that involved the upload of JSP webshells to publicly accessible directories in SAP environments. Once in place, such a webshell lets an attacker execute operating-system commands on the compromised server simply by requesting the file over HTTP.
Initially, the team suspected a resurfacing of a previously known vulnerability, CVE-2017-9844, or a variant of a remote-file-inclusion (RFI) vulnerability. Further inspection revealed something far more serious: fully patched SAP systems were also being compromised, which ruled out previously known, already-patched flaws.
“This is either a completely new vulnerability or an expanded attack surface of an old one,” a ReliaQuest spokesperson confirmed. “Given that CVE-2017-9844 was primarily linked to DoS and potential RCE without any RFI elements, this is likely a fresh discovery or a widened scope.”
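The attack chain described above (an unauthenticated upload, followed by requests to the dropped JSP file) leaves a recognizable trace in the application server's HTTP access log. The following triage script is an added example, not code from the article, ReliaQuest or SAP. It assumes the access log is in common/combined log format, that the unauthenticated upload endpoint is the Visual Composer Metadata Uploader servlet at `/developmentserver/metadatauploader` (the component named in SAP's advisory for this CVE), and that a dropped webshell is reachable under the `/irj/` URL prefix; all three are assumptions to adjust for your own landscape, and the log lines are constructed, not taken from a real incident.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumption: the Visual Composer Metadata Uploader servlet path, the unauthenticated
# upload endpoint associated with CVE-2025-31324. Adjust if your landscape differs.
UPLOAD_ENDPOINT = "/developmentserver/metadatauploader"
# Assumption: public URL prefix under which a dropped JSP becomes reachable.
WEB_PREFIX = "/irj/"

# Common/combined log format: ip ident user [timestamp] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Parse one access-log line into a dict; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["when"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec


def find_webshell_chains(lines):
    """Flag every POST to the uploader, and any later successful GET by the same
    source address to a .jsp under the public prefix. Returns (ip, stage, path) tuples.
    The log cannot show whether the POST was authenticated, so every hit from an
    untrusted network is worth a look: the uploader should not be internet-reachable."""
    uploads = defaultdict(list)
    jsp_gets = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        p = rec["path"].lower()
        if rec["method"] == "POST" and p.startswith(UPLOAD_ENDPOINT):
            uploads[rec["ip"]].append(rec)
        elif rec["method"] == "GET" and p.startswith(WEB_PREFIX) and p.endswith(".jsp"):
            jsp_gets[rec["ip"]].append(rec)
    findings = []
    for ip, posts in uploads.items():
        first_post = min(r["when"] for r in posts)
        findings.append((ip, "uploader-post", posts[0]["path"]))
        for g in jsp_gets[ip]:
            # A JSP fetched *after* the upload, with a 200, is the webshell being used.
            if g["when"] >= first_post and g["status"] == 200:
                findings.append((ip, "jsp-after-upload", g["path"]))
    return findings


def unexpected_jsp(listing, baseline):
    """Return .jsp paths present in a directory listing that are not in the known-good
    baseline, e.g. a listing of the irj servlet_jsp root versus a clean install."""
    return sorted(p for p in listing if p.lower().endswith(".jsp") and p not in baseline)


# Constructed sample log lines (not from any real incident). The last line is a probe
# that predates the upload and returned 404, so it must not be reported as a webshell hit.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Apr/2025:09:01:10 +0000] "POST /developmentserver/metadatauploader?CONTENTTYPE=MODEL HTTP/1.1" 200 412
203.0.113.7 - - [24/Apr/2025:09:01:15 +0000] "GET /irj/helper.jsp?cmd=id HTTP/1.1" 200 1502
198.51.100.4 - - [24/Apr/2025:09:02:00 +0000] "GET /irj/portal HTTP/1.1" 200 9812
203.0.113.7 - - [24/Apr/2025:08:59:59 +0000] "GET /irj/helper.jsp HTTP/1.1" 404 210
""".splitlines()

if __name__ == "__main__":
    for finding in find_webshell_chains(SAMPLE_LOG):
        print(finding)
```

Run against the sample, the script reports one uploader POST and one post-upload webshell request from 203.0.113.7 and ignores the ordinary portal traffic and the earlier 404 probe. The same parser works on a real ICM or reverse-proxy access log as long as the format matches; if the proxy terminates TLS, use the client address it forwards rather than the proxy's own.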
Widespread Implications: Government Systems at Risk
The threat is not limited to commercial enterprises. SAP NetWeaver is widely deployed in government agencies, making those institutions prime targets for state-sponsored and opportunistic attackers alike. According to ReliaQuest, successful exploitation could grant unauthorized access to internal government networks, a nightmare scenario for any national cybersecurity program.
Beyond the webshells themselves, attackers have been observed using Brute Ratel, a commercial command-and-control framework, together with Heaven's Gate, a technique that switches a 32-bit process into 64-bit execution to slip past security hooks placed in the 32-bit code path, making the intrusions harder to detect and neutralize.
SAP’s Response: Damage Control in Progress
SAP has acknowledged the vulnerability, confirming that it affects certain Java servlets within the Visual Composer framework. While no customer data breaches have been confirmed so far, the company released a temporary workaround on April 8, with a permanent patch expected by April 30, and urges customers to apply the workaround now and the patch as soon as it is available.
Despite SAP's assurances, security vendors are already reporting ongoing exploitation in the wild.
Alarming Numbers: 10,000+ Applications Exposed
According to Onapsis Research Labs, more than 10,000 internet-accessible SAP applications may be vulnerable. More concerning still, CEO Mariano Nunez said that 50% to 70% of those systems likely have the vulnerable component enabled, and that many may already be compromised.
Although the vulnerable module is not enabled by default, SAP's footprint is large enough that even a small fraction of exposed systems represents a substantial population of targets. Onapsis is working to confirm the actual number of affected systems.
A Race Against Time
Cybersecurity experts warn that time is running out. “This kind of active, in-the-wild exploitation makes it almost certain that multiple threat actors will jump on this soon,” said Benjamin Harris, CEO of watchTowr. “If you thought you had time, you don’t.”
The clock is ticking. With advanced attackers already inside the perimeter and a global patch rollout still pending, organizations running SAP NetWeaver Visual Composer must act now: establish whether the component is enabled and reachable from the internet, check public web directories for JSP files that do not belong there, restrict or disable the exposed component until the fix is applied, and patch as soon as SAP's update ships, before a minor oversight turns into a catastrophic breach.