
Understanding the Threat: CVE-2025-31324 and Its Impact on SAP NetWeaver
Ransomware gangs have recently turned their attention to a critical vulnerability in the SAP NetWeaver platform, known as CVE-2025-31324. This flaw, found in the Visual Composer component, allows attackers to gain unauthorized access to systems by exploiting a missing authorization check. With a CVSS v3 score of 10, the vulnerability poses a severe threat to organizations using SAP NetWeaver, as it can lead to remote code execution and complete system compromise (BleepingComputer).
The vulnerability is actively being exploited by various threat actors, including ransomware gangs and Chinese APT groups, who use techniques such as webshells and the Brute Ratel C2 framework to maintain persistence and evade detection (Rapid7). Organizations are urged to apply emergency patches released by SAP and consider disabling the Visual Composer component if not in use, to mitigate the risks associated with this vulnerability (Arctic Wolf).
The Vulnerability: CVE-2025-31324
Overview of CVE-2025-31324
CVE-2025-31324 is a critical vulnerability identified in the SAP NetWeaver platform, specifically within the Visual Composer component. This vulnerability has been actively exploited by various threat actors, including ransomware gangs, to gain unauthorized access to systems. The flaw has a CVSS v3 score of 10, indicating its severity and the potential impact on affected systems (BleepingComputer).
The vulnerability arises from a missing authorization check in the Metadata Uploader component of Visual Composer. This oversight allows unauthenticated attackers to upload malicious files to the system by sending specially crafted POST requests to the vulnerable endpoint. Imagine leaving your front door unlocked, allowing anyone to walk in and take control of your home. Similarly, this vulnerability can lead to remote code execution, enabling attackers to execute arbitrary commands on the compromised servers (Rapid7).
Exploitation Techniques
The exploitation of CVE-2025-31324 involves the use of webshells, which are scripts that provide attackers with a backdoor into the compromised system. These webshells are uploaded to the system via the Metadata Uploader component, allowing attackers to execute commands and maintain persistence on the affected servers. The use of webshells is a common technique among threat actors, as it provides them with a stealthy and persistent foothold in the target environment (Security Affairs).
In addition to webshells, attackers have been observed using the Brute Ratel C2 framework, which is a sophisticated command-and-control tool designed to evade detection by security solutions. This framework allows attackers to manage their operations remotely and execute various malicious activities on the compromised systems (BleepingComputer).
Impact on Organizations
The exploitation of CVE-2025-31324 poses significant risks to organizations using SAP NetWeaver. The vulnerability allows attackers to gain remote code execution on vulnerable servers, potentially leading to complete system compromise. This can result in data breaches, service disruptions, and financial losses for affected organizations. Moreover, the vulnerability is being actively targeted by multiple threat groups, increasing the likelihood of successful attacks (Help Net Security).
The compromised SAP systems are often connected to the internal networks of industrial control systems (ICS), which adds the risk of lateral movement by attackers. This can lead to further compromise of critical infrastructure, enable long-term espionage, and cause service disruptions (BleepingComputer).
Mitigation Strategies
To mitigate the risks associated with CVE-2025-31324, organizations are advised to apply the emergency patches released by SAP on April 24, 2025. These patches address the vulnerability by implementing proper authorization checks in the Metadata Uploader component. Organizations should prioritize patching their systems to prevent exploitation by threat actors (Arctic Wolf).
In addition to patching, organizations should consider disabling the Visual Composer component if it is not actively used in their environment. This can be done by using filters within SAP NetWeaver to reduce the attack surface. Organizations should also implement robust monitoring and detection mechanisms to identify and respond to suspicious activities on their servers (Picus Security).
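A defender-side check that the monitoring advice above calls for, written here as an added example rather than code from the page's sources or from SAP: it parses constructed access-log lines and flags accepted POSTs to the Metadata Uploader path, plus later .jsp requests from the same client, which is the pattern an unauthenticated upload followed by a webshell call would leave. The uploader path, the common-log-format layout, and the sample hosts and times are assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# ASSUMPTION: uploader path taken from public write-ups; confirm against SAP's note for your release.
UPLOADER_PATH = "/developmentserver/metadatauploader"

# Constructed sample access-log lines (common log format); hosts and times are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [28/Apr/2025:10:14:02 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 512
10.0.5.21 - - [28/Apr/2025:10:15:40 +0000] "GET /irj/portal HTTP/1.1" 200 8831
203.0.113.7 - - [28/Apr/2025:10:16:11 +0000] "GET /irj/example.jsp HTTP/1.1" 200 77
10.0.5.21 - - [28/Apr/2025:10:20:05 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 401 0
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)$')

@dataclass
class Entry:
    client: str
    when: datetime
    method: str
    path: str
    status: int

def parse_log(text: str) -> list[Entry]:
    """Parse common-log-format lines; lines that do not match the layout are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, ts, method, target, status, _ = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        path = target.split("?", 1)[0].lower()  # drop the query string, normalise case
        entries.append(Entry(client, when, method, path, int(status)))
    return entries

def find_uploader_abuse(entries: list[Entry]) -> list[str]:
    """Flag accepted (2xx) POSTs to the uploader: unpatched, the endpoint has no authorization
    check, so every accepted upload needs review. A later .jsp request from the same client is
    flagged as a possible webshell call. 401/403 responses mean the auth check held."""
    findings = []
    accepted = {}  # client -> time of its first accepted upload
    for e in sorted(entries, key=lambda e: e.when):
        if e.method == "POST" and e.path == UPLOADER_PATH and 200 <= e.status < 300:
            accepted.setdefault(e.client, e.when)
            findings.append(f"{e.client} accepted upload to {UPLOADER_PATH} at {e.when:%H:%M:%S}")
        elif e.path.endswith(".jsp") and e.client in accepted and e.when > accepted[e.client]:
            findings.append(f"{e.client} requested {e.path} after upload; possible webshell")
    return findings
```

Run it over real ICM or reverse-proxy logs by replacing SAMPLE_LOG with the file contents; any finding on a system that has not received SAP's patch warrants incident-response triage rather than just a ticket.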
Threat Actor Involvement
The exploitation of CVE-2025-31324 has attracted the attention of various threat actors, including ransomware gangs and Chinese advanced persistent threat (APT) groups. Notably, the RansomEXX and BianLian ransomware operations have been linked to these attacks. These groups have been observed exploiting the vulnerability to deploy ransomware and other malicious payloads on compromised systems (BleepingComputer).
In addition to ransomware gangs, several Chinese APT groups, including UNC5221, UNC5174, and CL-STA-0048, have been identified as exploiting the vulnerability. These groups are known for their sophisticated cyber-espionage activities and are likely targeting SAP NetWeaver instances to achieve strategic objectives for the People’s Republic of China (PRC) (BleepingComputer).
The involvement of multiple threat actors highlights the widespread interest in exploiting CVE-2025-31324 and underscores the importance of timely patching and robust security measures to protect against these attacks.
Final Thoughts
The exploitation of CVE-2025-31324 underscores the critical need for organizations to stay vigilant and proactive in their cybersecurity measures. With ransomware gangs and sophisticated APT groups actively targeting this vulnerability, the potential for significant damage is high. Organizations must prioritize patching and implement robust security measures, including monitoring for signs of compromise, to protect their systems from these threats (Help Net Security).
References
- BleepingComputer. (2025). Ransomware gangs join ongoing SAP NetWeaver attacks. https://www.bleepingcomputer.com/news/security/ransomware-gangs-join-ongoing-sap-netweaver-attacks/
- Rapid7. (2025). ETR: Active exploitation of SAP NetWeaver Visual Composer CVE-2025-31324. https://www.rapid7.com/blog/post/2025/04/28/etr-active-exploitation-of-sap-netweaver-visual-composer-cve-2025-31324/
- Security Affairs. (2025). Experts warn of a second wave of attacks targeting SAP NetWeaver bug CVE-2025-31324. https://securityaffairs.com/177522/hacking/experts-warn-of-a-second-wave-of-attacks-targeting-sap-netweaver-bug-cve-2025-31324.html
- Help Net Security. (2025). SAP NetWeaver CVE-2025-31324 exploited. https://www.helpnetsecurity.com/2025/04/28/sap-netweaver-cve-2025-31324-exploited/
- Arctic Wolf. (2025). CVE-2025-31324. https://arcticwolf.com/resources/blog/cve-2025-31324/
- Picus Security. (2025). CVE-2025-31324 SAP NetWeaver remote code execution. https://www.picussecurity.com/resource/blog/cve-2025-31324-sap-netweaver-remote-code-execution