PatchDay Alert
Analysis · 5 min read · 1,055 words By The Field Notes Desk · Field Notes

SAP NetWeaver was owned for ten weeks before anyone said anything

Five threat groups were already inside SAP NetWeaver when the emergency patch shipped. One confirmed victim reported multi-billion dollar profit impact. SAP's initial workaround guidance was later marked 'Do Not Use.'


Ten weeks of silence

Onapsis traces reconnaissance activity back to January 20. Mandiant’s earliest incident response case dates to March 12. SAP shipped the emergency patch on April 24. Ten weeks of active exploitation before the vendor acknowledged the issue publicly. By then, at least 474 systems were already backdoored, five threat groups had running operations, and SAP’s initial workaround guidance (Options 1 and 2 from the original advisory) would later be deprecated on May 12 with a “Do Not Use” label. If your team implemented one of those workarounds in late April and closed the ticket, reopen it.

The vulnerability itself is almost absurd in its simplicity. CVE-2025-31324 is a CVSS 10.0 unauthenticated file upload in the Visual Composer Metadata Uploader component of NetWeaver AS Java 7.50. A single POST request to /developmentserver/metadatauploader drops a JSP webshell into the servlet document root, and requesting that file runs it. No credentials. No user interaction. No exploit chain. The JSP executes with the OS privileges of the <sid>adm account that the AS Java process runs as, which is full administrative control of the instance.

CISA added it to the KEV catalog on April 29 with a May 20 remediation deadline. A second CVE, CVE-2025-42999 (CVSS 9.1, deserialization in the same component), required an additional patch on May 13.

What it means for your environment

Visual Composer is “optional” only on paper: it ships as an SCA package (VCFRAMEWORK.SCA) that may have been deployed during initial setup years ago and never revisited, and estimates put it on 50 to 70 percent of internet-facing SAP NetWeaver AS Java deployments. Many organizations don’t know whether it’s installed.

The exposure numbers are bad. Censys found roughly 7,500 internet-facing NetWeaver AS Java instances. Onyphe confirmed 474 were already compromised at disclosure. An attacker target list with 1,800 domains surfaced during the investigation. Over 20 Fortune 500 and Global 500 companies were confirmed vulnerable. Manufacturing was disproportionately represented.

This is not a vulnerability that requires patience or sophistication. A public exploit was released by August 2025. Before that, the webshell deployment was trivial enough that the Qilin ransomware group was exploiting it three weeks before SAP even disclosed. The observed webshells (helper.jsp, cache.jsp, randomized eight-character filenames) land in a directory immediately reachable by the servlet container. There is no second step. A CVSS 10 that actually earns the score.

Who was already inside

The threat actor list reads like a regional briefing.

UNC5221 (China/MSS-linked) deployed KrustyLoader to establish Sliver C2 infrastructure. UNC5174 used a SNOWLIGHT loader chaining into VShell RAT and GOREVERSE. CL-STA-0048, also tracked as Earth Lamia, ran Cobalt Strike across targets in multiple countries. TeamT5 attributed additional activity to APT41/Amoeba. And separately, the Qilin ransomware group (Russian RaaS) was exploiting it before public disclosure.

This is not a case of one group finding a zero-day. This is a case of at least five groups, some of them operating concurrently, all converging on the same endpoint. When that happens, assume your timeline for compromise is shorter than you think.

The SAP patching problem

If this were an Apache Struts flaw, you’d patch it and move on. SAP patching is a different conversation. You’re talking to your change advisory board, not your sysadmin.

SAP environments typically require regression testing against business-critical transactions before applying kernel or component patches. Downtime windows run two to twelve hours depending on the landscape. Many shops schedule SAP patching quarterly, not monthly. The idea of applying an emergency out-of-band fix within days conflicts with how most SAP operations actually work. Attackers know this too; it’s part of why five groups converged on the same endpoint.

The only reliable mitigations are the actual patches (Notes 3594142 and 3604119) or undeploying the vulnerable component entirely.

The compliance dimension

SAP systems in scope for SOX, GDPR, HIPAA, or NIS2 carry reporting obligations when compromised. Because the webshell executes as <sid>adm, an attacker has full administrative control and bypasses SAP’s Segregation of Duties controls. One confirmed victim reported multi-billion dollar profit impact. This is the kind of vulnerability that lands in the board packet, not the JIRA queue.

What you need to do

Step 1: Determine if Visual Composer is installed. Browse to http://<host>:<port>/nwa/sysinfo and look for VCFRAMEWORK.SCA in the component list. If it’s there, you’re in scope.

Step 2: Hunt before you patch. If you patch a compromised system without finding the webshell first, you’ve closed the front door with the intruder already inside. Check these directories for unexpected JSP files:

  • j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root/
  • j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/work/

Onapsis and Mandiant released an open-source IOC scanner on GitHub (May 2, 2025). Use it. Then review HTTP access logs for POST requests to /developmentserver/metadatauploader that returned 200. A 200 means the server accepted an unauthenticated upload, so treat each one as a successful exploitation rather than an attempt, and go looking for the file it wrote. Other requests to the same path (GETs, or POSTs that were rejected) tell you who was probing and when.

Step 3: Apply both patches. SAP Note 3594142 (April 24) and SAP Note 3604119 (May 13). The first note alone is not sufficient; CVE-2025-42999 is a deserialization flaw in the same component that requires the second fix.

Step 4: If you cannot patch immediately. Undeploy the devserver_metadataupload_ear application per KBA 3593336, Option 0. Block /developmentserver/metadatauploader at the WAF layer. Do both.

Step 5: Validate. After patching, send an unauthenticated POST to the metadata uploader endpoint, from outside, through the same path (WAF included) that exposed it. You should get a 401 or 403. If you undeployed the component in Step 4, expect a 404 instead. If you get a 200, the fix didn’t take. Test with a POST, not a GET: the upload handler is what the patch gates.

Step 6: Monitor post-patch. New JSP files appearing after patching indicate the system was compromised before the patch was applied. Set up file integrity monitoring on the servlet directories.
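The hunt-and-validate steps above, as an added Python example that is not from the PatchDay Alert article, from SAP, or from the Onapsis/Mandiant scanner. It assumes Common Log Format access log lines (AS Java’s HTTP access log layout is configurable, so the regex will need adjusting), a known-good JSP baseline you maintain yourself, and constructed sample data. The eight-random-character filename rule is a hunting heuristic derived from the article’s description, not an SAP indicator, and the probe classifier takes the HTTP status you got from your own Step 5 request, so nothing here touches the network.

```python
import os
import re
from datetime import datetime, timezone

METADATA_UPLOADER = "/developmentserver/metadatauploader"  # matched as a path prefix
# Drop directories named in the article, relative to the instance directory
# (e.g. /usr/sap/<SID>/J<nn>/); files under .../irj/root/ are served as /irj/<name>.
WEBSHELL_DIRS = (
    "j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root",
    "j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/work",
)
# Heuristic from the article's observed names: helper.jsp, cache.jsp, 8 random chars.
WEBSHELL_NAME_RE = re.compile(r"^(helper|cache|[a-z0-9]{8})\.jsp$", re.IGNORECASE)
# ASSUMPTION: Common Log Format. AS Java's HTTP access log layout is configurable,
# so adapt this pattern to what your instance actually writes.
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3})'
)

def parse_access_line(line):
    """Parse one CLF line into a dict (query string stripped), or None."""
    m = CLF_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]
    return rec

def triage_access_log(lines):
    """Step 2 on logs: uploads = POST+200 to the uploader (successful exploitation),
    probes = other uploader traffic, webshell_hits = /irj/ requests for webshell-like JSPs."""
    out = {"uploads": [], "probes": [], "webshell_hits": []}
    for line in lines:
        rec = parse_access_line(line)
        if rec is None:
            continue
        path = rec["path"].lower()
        if path.startswith(METADATA_UPLOADER):
            key = "uploads" if rec["method"] == "POST" and rec["status"] == 200 else "probes"
            out[key].append(rec)
        elif path.startswith("/irj/") and WEBSHELL_NAME_RE.match(os.path.basename(path)):
            out["webshell_hits"].append(rec)
    return out

def triage_jsp(entries, known_good, patched_at):
    """Steps 2 and 6 on disk: entries = (relative_path, mtime_utc) pairs, known_good =
    your own baseline (ASSUMPTION: you keep one). Written after patched_at = owned pre-patch."""
    findings = []
    for path, mtime in entries:
        if path in known_good:
            continue
        if mtime >= patched_at:
            verdict = "post-patch write"
        elif WEBSHELL_NAME_RE.match(os.path.basename(path)):
            verdict = "webshell name"
        else:
            verdict = "unexpected jsp"
        findings.append((path, verdict))
    return findings

def walk_webshell_dirs(instance_dir):
    """Yield (relative_path, mtime_utc) for every JSP under the drop directories."""
    for rel in WEBSHELL_DIRS:
        for dirpath, _, files in os.walk(os.path.join(instance_dir, rel)):
            for name in files:
                if name.lower().endswith(".jsp"):
                    full = os.path.join(dirpath, name)
                    mtime = datetime.fromtimestamp(os.path.getmtime(full), tz=timezone.utc)
                    yield os.path.relpath(full, instance_dir), mtime

def classify_probe_status(status, component_undeployed=False):
    """Step 5: interpret the status of an unauthenticated, empty-body POST (e.g. via curl)."""
    if status == 200:
        return "VULNERABLE"   # upload accepted with no credentials: the fix did not take
    if status in (401, 403):
        return "PATCHED"      # authentication enforced (or a WAF block, if probing through one)
    if status == 404 and component_undeployed:
        return "UNDEPLOYED"   # expected after KBA 3593336 Option 0
    return "INCONCLUSIVE"     # wrong host/port, a proxy answering, or 404 without undeploy

# Constructed sample data: documentation addresses, not real traffic or hosts.
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [20/Apr/2025:03:14:07 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 200 512',
    '203.0.113.7 - - [20/Apr/2025:03:14:09 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 0',
    '203.0.113.7 - - [20/Apr/2025:03:14:11 +0000] "GET /irj/helper.jsp?cmd=id HTTP/1.1" 200 45',
    '198.51.100.5 - - [26/Apr/2025:09:00:00 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 401 0',
]
PATCHED_AT = datetime(2025, 4, 25, 12, 0, tzinfo=timezone.utc)
ROOT = WEBSHELL_DIRS[0] + "/"
SAMPLE_JSP_ENTRIES = [
    (ROOT + "helper.jsp", datetime(2025, 4, 20, 3, 14, tzinfo=timezone.utc)),
    (ROOT + "k7q2ab9c.jsp", datetime(2025, 4, 26, 1, 0, tzinfo=timezone.utc)),
    (ROOT + "index.jsp", datetime(2019, 1, 1, tzinfo=timezone.utc)),  # in the baseline
]
SAMPLE_KNOWN_GOOD = {ROOT + "index.jsp"}

if __name__ == "__main__":
    print(triage_access_log(SAMPLE_ACCESS_LOG))
    print(triage_jsp(SAMPLE_JSP_ENTRIES, SAMPLE_KNOWN_GOOD, PATCHED_AT))
    print(classify_probe_status(401))
```

On a live system, point walk_webshell_dirs() at the instance directory and pass its output to triage_jsp() with your real baseline and the timestamp the patch was applied; anything tagged post-patch write is the Step 6 signal that the box was compromised before it was patched. The log triage deliberately counts a rejected POST as a probe rather than an upload, so a 401 after patching confirms the fix without polluting the exploitation list.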

The window

If you haven’t patched yet, you are over a year past initial exploitation and well past the CISA KEV deadline. The public exploit has been available since August 2025. Every scanner on the internet has this in rotation.

The uncomfortable precedent is CVE-2020-6287, the “RECON” vulnerability in the same product line. Also CVSS 10.0. Also unauthenticated. Disclosed in 2020 and still being exploited five years later. SAP environments that don’t get patched tend to stay unpatched for a very long time. The quarterly patching cadence that makes SAP shops slow to respond is the same cadence that makes them attractive targets.

If your SAP landscape is on a quarterly cycle and this wasn’t in the last one, escalate. This is the kind of finding that justifies an emergency change request.

PatchDay Alert tracks SAP advisories alongside the daily CVE digest. Given the history of this product line, CVE-2025-31324 won’t be the last CVSS 10.
