West Houston, TX – April 25, 2025 — A newly confirmed critical vulnerability in SAP NetWeaver is being actively exploited in the wild, allowing attackers to upload web shells and gain persistent, unauthorized access to enterprise systems. The flaw, now identified as CVE-2025-31324, carries a CVSS score of 10.0, the maximum possible severity rating.
At Impress IT Solutions in West Houston, our security experts are urging any business using SAP NetWeaver to act immediately—especially if their systems are running the Visual Composer Metadata Uploader component, which is at the heart of the vulnerability.
“This vulnerability gives attackers the ability to upload malicious files directly to a server—no login, no warning,” said the cybersecurity team at Impress IT. “It’s like leaving the back door wide open with a neon welcome sign.”
What’s the Vulnerability?
The issue is tied to the /developmentserver/metadatauploader endpoint in the SAP NetWeaver environment. This endpoint was found to lack proper authorization controls, allowing attackers to:
- Upload malicious JSP web shells
- Execute remote code on the server
- Establish persistent access
- Exfiltrate sensitive business or customer data
- Deliver advanced post-exploitation tools like Brute Ratel C4
In some cases, attackers have also used the Heaven’s Gate evasion technique to bypass antivirus and endpoint detection systems.
What Makes This Attack So Dangerous?
- It requires no authentication – An attacker doesn’t need credentials to exploit the flaw.
- It affects fully patched systems – Some compromised environments were already up to date, raising concern that attackers exploited the flaw before it was publicly disclosed.
- Initial Access Brokers (IABs) are likely involved – meaning your compromised system could be sold to ransomware gangs or nation-state actors.
- SAP is widely used – From local manufacturing and logistics companies to global corporations, SAP systems are high-value targets for cybercriminals.
How Impress IT Solutions in West Houston Helps
We specialize in enterprise-level IT support and cybersecurity for companies that rely on systems like SAP, Microsoft 365, and more.
Here’s how we’re helping local businesses stay secure:
🛡️ Patch Deployment & Vulnerability Mitigation
We ensure critical patches like SAP’s CVE-2025-31324 update are applied promptly and correctly—even in complex or on-prem environments.
🔍 Compromise Assessment & Log Review
We review server logs and endpoint activity to check for signs of compromise, such as unusual uploads or unauthorized code execution.
🚫 File Upload Restrictions
We audit your environment for unrestricted upload points and apply web application firewall (WAF) rules to prevent exploitation.
👨💻 Threat Intelligence & Monitoring
We use global intelligence feeds to stay updated on active exploits and attack patterns—and we integrate that knowledge into your defenses.
🔐 Endpoint Protection & Post-Exploitation Defense
We deploy EDR solutions to detect and block tools like Brute Ratel and protect against persistence techniques used by advanced attackers.
What You Should Do Now
If your business runs SAP NetWeaver, especially the Visual Composer component, don’t wait. Even if your system seems stable, it may already be compromised.
📌 Update immediately to the patched versions
📌 Block access to unnecessary SAP endpoints from external networks
📌 Contact Impress IT Solutions for a full vulnerability scan and compromise assessment
Cyber Incident Prevention Best Practices For
Your Small Business
