SAP patches zero day rated 10.0 in NetWeaver – Go Health Pro

SAP released a patch for a critical 10.0-rated vulnerability in its NetWeaver Visual Composer product that it observed attackers exploiting to upload malicious webshells. Security experts expressed concern because many Fortune 500 companies and large government agencies use SAP.

In a blog post that originally ran April 22 and was updated April 25, ReliaQuest researchers said the bug — CVE-2025-31324 — was initially suspected to be a remote file inclusion (RFI) issue. However, SAP later confirmed it was an unrestricted file upload vulnerability, which lets attackers upload malicious files directly to the system without authorization.

ReliaQuest also pointed out that the issue initially appeared linked to exploitation of CVE-2017-9884, a Metadata Uploader bug that could lead to denial-of-service (DoS) attacks and code execution. But once ReliaQuest found the new zero-day, it notified SAP, which released a patch for the vulnerability. ReliaQuest strongly recommended that SAP users update SAP NetWeaver to the latest version.

“SAP NetWeaver is the portion that lets organizations create custom web applications,” explained John Bambenek, president at Bambenek Consulting. “It’s typically used to facilitate transactions between organizations and by necessity needs to be Internet facing. If you want to know what a business is doing, what resources they have, and to know how money flows in and out of a company, exploiting their SAP applications is exactly where you want to be.”

Beyond patching, Bambenek said security teams should put these systems behind a strong web application firewall that can detect remote file inclusion attacks generally, and the underlying operating systems should have EDR installed that looks for web shells in the filesystem.

Mayuresh Dani, security research manager at the Qualys Threat Research Unit, said that beyond patching, SAP customers should do the following:

  • Immediately disable the SAP NetWeaver Visual Composer component that has been deprecated since 2015. Security pros can do this by disabling the “developmentserver” application alias.
  • Restrict access to development endpoints that have been seen in the active exploitation attempts.
  • SAP NetWeaver itself, the broader platform, is also being phased out, with support ending in 2027. Customers should start planning a move to a supported platform.
  • Monitor SAP NetWeaver systems for anomalous behavior and indicators of active exploitation.
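The two monitoring recommendations above (watch the deprecated "developmentserver" alias for upload traffic, and look for web shells in the filesystem) can be turned into a small triage script. The following is an added example, not code from SAP, ReliaQuest or Qualys. The access-log lines and the directory tree it scans are constructed for the example, and the "/developmentserver/metadatauploader" endpoint name is assumed here as the upload path behind the alias the article names.

```python
"""Defender-side triage for the NetWeaver webshell-upload scenario.

Check 1: scan web access logs for successful POST requests to the deprecated
         Visual Composer "developmentserver" application alias.
Check 2: walk a NetWeaver web root for recently modified JSP-like files, the
         usual form a dropped web shell takes on a Java stack.

All inputs below are constructed for this example. The endpoint path is an
assumption used for illustration, not taken from the article.
"""
import os
import re
import tempfile
import time

# Apache/NGINX "combined" access-log format, parsed only as far as triage needs.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]+" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Assumed: application alias of the deprecated Visual Composer component.
UPLOAD_ALIAS = "/developmentserver/"
# File types that execute server-side on a NetWeaver Java stack.
WEBSHELL_EXTENSIONS = (".jsp", ".jspx", ".java", ".class")


def parse_log_line(line):
    """Return the parsed fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_suspicious_uploads(lines):
    """Return entries for POST requests to the upload alias that the server accepted (2xx)."""
    hits = []
    for line in lines:
        entry = parse_log_line(line)
        if not entry:
            continue
        if (entry["method"] == "POST"
                and UPLOAD_ALIAS in entry["path"].lower()
                and entry["status"].startswith("2")):
            hits.append(entry)
    return hits


def find_webshell_candidates(web_root, newer_than_epoch):
    """Return JSP-like files under web_root whose mtime is newer than the cutoff."""
    found = []
    for dirpath, _, filenames in os.walk(web_root):
        for name in filenames:
            if name.lower().endswith(WEBSHELL_EXTENSIONS):
                full = os.path.join(dirpath, name)
                if os.path.getmtime(full) > newer_than_epoch:
                    found.append(full)
    return sorted(found)


# Constructed sample log: one accepted upload, one rejected, plus normal portal traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [22/Apr/2025:10:15:02 +0000] "GET /irj/portal HTTP/1.1" 200 5120',
    '203.0.113.5 - - [22/Apr/2025:10:15:09 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 312',
    '198.51.100.7 - - [22/Apr/2025:10:16:41 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 401 0',
    '198.51.100.7 - - [22/Apr/2025:10:17:03 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 403 0',
]


def build_demo_web_root():
    """Create a throwaway directory standing in for a NetWeaver web root (constructed).

    Returns (root, cutoff_epoch). Contains one 30-day-old legitimate JSP, one
    non-executable text file, and one freshly written, unexpected JSP.
    """
    root = tempfile.mkdtemp(prefix="nw_root_")
    app_dir = os.path.join(root, "servlet_jsp", "irj", "root")
    os.makedirs(app_dir)
    now = time.time()

    legit = os.path.join(app_dir, "index.jsp")
    with open(legit, "w") as f:
        f.write("<%-- shipped with the application --%>\n")
    old = now - 30 * 86400
    os.utime(legit, (old, old))  # age it so it falls outside the window

    with open(os.path.join(app_dir, "readme.txt"), "w") as f:
        f.write("not executable\n")

    with open(os.path.join(app_dir, "helper.jsp"), "w") as f:  # constructed: recent, unexpected
        f.write("<%-- placeholder standing in for an unexpected upload --%>\n")

    return root, now - 3600  # flag anything modified in the last hour


if __name__ == "__main__":
    for hit in find_suspicious_uploads(SAMPLE_LOG):
        print(f"accepted upload from {hit['ip']} at {hit['ts']} -> {hit['path']}")
    root, cutoff = build_demo_web_root()
    for path in find_webshell_candidates(root, cutoff):
        print(f"recent server-side script: {path}")
```

The mtime window is deliberately a coarse first pass: an attacker can reset timestamps, so on a real host the candidate list should be compared against a known-good inventory or package hashes rather than trusted on its own, and the log check should be paired with the WAF and EDR coverage the article recommends.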