The vulnerability is the result of a Missing Authorisation check in SAP NetWeaver’s Visual Composer development server.
A vulnerability with a critical rating of 10.0 has been registered by SAP.
Tracked as CVE-2025-31324, the vulnerability is the result of a Missing Authorisation check in SAP NetWeaver’s Visual Composer development server. If successfully exploited, it allows an unauthenticated agent to upload potentially malicious executable binaries that could severely harm the host system.
Benjamin Harris, CEO of watchTowr, says the built-in functionality can be abused to upload arbitrary files to an SAP NetWeaver instance, which means full Remote Code Execution and total system compromise.
“This isn’t a theoretical threat - it’s happening right now,” he said. “watchTowr is seeing active exploitation by threat actors, who are using this vulnerability to drop web shell backdoors onto exposed systems and gain further access.
“This active in-the-wild exploitation and widespread impact makes it incredibly likely that we’ll soon see prolific exploitation by multiple parties. If you thought you had time, you don’t.”
Written by
Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.
He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.