Cybersecurity researchers are piling up evidence that a critical vulnerability affecting German software company SAP’s NetWeaver Visual Composer development server is being exploited in the wild by a range of threat actors.
These include the ransomware groups BianLian and RansomEXX, as well as at least one Chinese nation-state actor known as Chaya_004.
Strong Evidence of Exploitation
The flaw, tracked as CVE-2025-31324, is an unauthenticated file upload vulnerability in the Metadata Uploader component of the SAP NetWeaver Visual Composer Framework version 7.50. It has been allocated the highest severity score by SAP, 10.0 (CVSS v3.1).
When exploited, it allows an unauthenticated attacker to upload potentially malicious executable binaries that could severely harm the host system.
First detected by ReliaQuest on April 22, the vulnerability was publicly disclosed by SAP two days later in a security advisory in which the software maker also released a patch. The advisory is only available to SAP customers.
Evidence of exploitation began to appear quickly. Notably, the Shadowserver Foundation found that over 400 NetWeaver servers were openly exposed to the internet.