Companies using SAP NetWeaver are at high risk due to an actively exploited vulnerability. The NCSC and SAP urge immediate installation of security updates and an emergency patch.
SAP and the Dutch National Cyber Security Center (NCSC) report active exploitation of CVE-2025-31324, a vulnerability in the Visual Composer component of SAP NetWeaver. Attackers use this flaw to gain unauthenticated access to systems. They can then upload malicious files and webshells. With these tools, they obtain persistent access to the system, even after reboots or other interventions.
Emergency Patch
The Digital Trust Center in the Netherlands and SAP emphasize that the emergency patch must be installed immediately. The threat is classified as severe: both the likelihood of exploitation and potential damage are high. The webshells are now actively traded on the dark web, increasing the risk of large-scale attacks.
The vulnerability affects SAP NetWeaver Application Server Java, among others. Visual Composer is not installed by default there, but it is often activated. Visual Composer lets users develop applications without programming knowledge, but its Metadata Uploader component contains an error that allows criminals to upload files via HTTP requests without logging in.
Active Exploitation
According to security company Onapsis, the flaw has been the target of scanning since January 2025, and successful attacks have been reported since March. Several organizations have confirmed compromise. On April 29, the US CISA added CVE-2025-31324 to its list of known vulnerabilities that are being actively exploited.
In addition to the emergency patch, SAP has also published guidelines for customers who cannot (yet) update. For them, it is possible to completely remove the vulnerable component, among other options. Onapsis and Mandiant have also made scanners and YARA rules available to detect Indicators of Compromise.
SAP users are advised to immediately check their systems for the presence of Visual Composer (VCFRAMEWORK) and to check for suspicious files, such as helper.jsp and cache.jsp. If these are found, the system is likely compromised.
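The file check described above can be scripted. The following Python sketch is an added example, not code from SAP, Onapsis, Mandiant or the NCSC. It assumes the administrator supplies the directory tree to inspect (the default path is a placeholder) and matches only the two file names mentioned in this article; the function names are hypothetical.

```python
import hashlib
import os
from datetime import datetime, timezone

# File names the article lists as suspicious ("such as" means the list is not exhaustive).
SUSPICIOUS_NAMES = {"helper.jsp", "cache.jsp"}


def sha256_of(path, chunk=65536):
    """Hash the file in chunks so large files are not loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def find_suspicious_files(root, names=SUSPICIOUS_NAMES):
    """Walk root and return one record per file whose name matches, case-insensitively."""
    wanted = {n.lower() for n in names}
    findings = []
    for dirpath, _dirs, files in os.walk(root, onerror=lambda e: None):
        for name in files:
            if name.lower() not in wanted:
                continue
            path = os.path.join(dirpath, name)
            record = {"path": path, "size": None, "mtime_utc": None, "sha256": None}
            try:
                st = os.stat(path)
                record["size"] = st.st_size
                record["mtime_utc"] = datetime.fromtimestamp(
                    st.st_mtime, tz=timezone.utc).isoformat()
                record["sha256"] = sha256_of(path)
            except OSError as exc:
                # Still report the hit: an unreadable match needs manual review.
                record["error"] = str(exc)
            findings.append(record)
    return sorted(findings, key=lambda r: r["path"])


if __name__ == "__main__":
    import sys
    # Assumption: argv[1] is the directory tree to inspect; the default is a placeholder.
    root = sys.argv[1] if len(sys.argv) > 1 else "/path/to/netweaver/java/instance"
    for hit in find_suspicious_files(root):
        print(hit)
```

The modification time and hash in each record help place a file on the timeline above and preserve evidence before cleanup; an empty result does not rule out compromise, since other file names may be in use.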