Hundreds of SAP Servers at Risk from New Exploit: Report


A new vulnerability in SAP NetWeaver servers has triggered a serious security concern. According to a report by BleepingComputer, over 1,200 internet-exposed systems have been identified as vulnerable, and almost 500 are already compromised.

SAP NetWeaver, widely used by enterprises to connect and run both SAP and non-SAP applications, contains a critical unauthenticated file upload flaw (CVE-2025-31324). The problem is a missing authorization check in the Visual Composer Metadata Uploader component: a remote attacker with no credentials can upload arbitrary files, including executable binaries, to the server, which is why the flaw carries the maximum CVSS score of 10.0.

According to the report, the flaw is being exploited in the wild. Threat actors are using it to drop web shells on vulnerable servers, giving them persistent access to and control over the affected systems. Active exploitation has been confirmed independently by ReliaQuest, watchTowr, and Onapsis.
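Because the report describes a two-step pattern (an unauthenticated upload, then requests to the planted web shell), a defender can look for exactly that sequence. The script below is an added example, not code from the article or from any of the firms it cites: it parses constructed access-log lines in common log format, lists POSTs to the Visual Composer uploader endpoint, correlates client IPs that later request a .jsp file, and scans a (constructed, throwaway) web root for recently written JSP files that contain command-execution idioms. The uploader path is the one named in public advisories for CVE-2025-31324; confirm it, the log format, and the web root location against your own NetWeaver installation before relying on the output.

```python
"""Post-exploitation triage for an SAP NetWeaver Java host (added example, not the article's code)."""
import re
import tempfile
import time
from pathlib import Path

# Constructed sample access-log lines in common log format; not taken from any real incident.
# Adjust LOG_RE to the format your ICM / HTTP provider actually writes.
SAMPLE_LOG = """\
10.0.0.5 - - [24/Apr/2025:10:01:02 +0000] "GET /irj/portal HTTP/1.1" 200 5120
198.51.100.23 - - [24/Apr/2025:10:05:44 +0000] "POST /developmentserver/metadatauploader?CONTENTTYPE=MODEL&CLIENT=1 HTTP/1.1" 200 512
198.51.100.23 - - [24/Apr/2025:10:06:10 +0000] "GET /irj/servlet_jsp/irj/root/helper.jsp?cmd=id HTTP/1.1" 200 88
10.0.0.9 - - [24/Apr/2025:10:07:01 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 403 0
"""

# Endpoint named in public advisories for CVE-2025-31324 (assumption: verify against SAP's advisory).
UPLOADER_PATH = "/developmentserver/metadatauploader"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)$')

# Idioms typical of JSP web shells: command execution fed by a request parameter.
SHELL_PATTERNS = [
    re.compile(r"Runtime\.getRuntime\(\)\.exec", re.I),
    re.compile(r"ProcessBuilder\s*\(", re.I),
    re.compile(r"request\.getParameter\s*\(", re.I),
]


def find_uploader_posts(log_text, uploader_path=UPLOADER_PATH):
    """Return every POST to the uploader endpoint, whatever the status code (failed attempts matter too)."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, method, path, status, _size = m.groups()
        if method.upper() == "POST" and path.split("?", 1)[0].lower() == uploader_path:
            hits.append({"ip": ip, "time": ts, "status": int(status)})
    return hits


def find_jsp_after_upload(log_text, uploader_path=UPLOADER_PATH):
    """IPs whose upload succeeded (HTTP 200) and that then requested a .jsp: the web-shell pattern."""
    uploaders = {h["ip"] for h in find_uploader_posts(log_text, uploader_path) if h["status"] == 200}
    suspects = set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, _ts, _method, path, _status, _size = m.groups()
        if ip in uploaders and path.split("?", 1)[0].lower().endswith(".jsp"):
            suspects.add(ip)
    return sorted(suspects)


def scan_webroot_for_shells(webroot, max_age_days=30):
    """Flag .jsp files written within max_age_days that match at least two shell idioms."""
    cutoff = time.time() - max_age_days * 86400
    flagged = []
    for p in Path(webroot).rglob("*.jsp"):
        if p.stat().st_mtime < cutoff:
            continue
        text = p.read_text(errors="replace")
        score = sum(1 for pat in SHELL_PATTERNS if pat.search(text))
        if score >= 2:
            flagged.append(p.relative_to(webroot).as_posix())
    return sorted(flagged)


def build_constructed_webroot():
    """Throwaway directory with one benign and one shell-like JSP (constructed test data, not a real host)."""
    root = tempfile.mkdtemp(prefix="nw_root_")
    Path(root, "irj", "root").mkdir(parents=True)
    Path(root, "irj", "root", "index.jsp").write_text("<html><body>Welcome</body></html>")
    Path(root, "irj", "root", "helper.jsp").write_text(
        '<%@ page import="java.io.*" %><% String c = request.getParameter("cmd");'
        " Process p = Runtime.getRuntime().exec(c); %>"
    )
    return root


if __name__ == "__main__":
    print("uploader POSTs:", find_uploader_posts(SAMPLE_LOG))
    print("IPs fetching a JSP after a successful upload:", find_jsp_after_upload(SAMPLE_LOG))
    print("shell-like JSP files:", scan_webroot_for_shells(build_constructed_webroot()))
```

Two design choices are worth noting. The log correlation keeps non-200 POSTs as well, since a burst of 403s against the uploader from one address is still reconnaissance worth alerting on. The file scan requires two matching idioms rather than one, because legitimate JSPs routinely call `request.getParameter`; a single match would drown the result in noise, while a planted shell almost always pairs parameter access with process execution.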

The Shadowserver Foundation has detected at least 427 exposed SAP NetWeaver servers worldwide, with the highest numbers located in the U.S. (149), India (50), Australia (37), and China (31). However, threat intelligence firm Onyphe provided even higher estimates, identifying 1,284 vulnerable servers online. Of these, 474 are believed to have been compromised.

“Something like 20 Fortune 500/Global 500 companies are vulnerable, and many of them are compromised,” Onyphe CTO Patrice Auffret told BleepingComputer.

For context: on April 8, SAP's regular Patch Day delivered 18 new Security Notes and two updates addressing vulnerabilities across its product portfolio. The headline items in that release were CVE-2025-31330 and CVE-2025-27429, code injection vulnerabilities in SAP Landscape Transformation and S/4HANA, both rated CVSS 9.9. CVE-2025-31324 was not part of that batch; SAP addressed it in a separate, out-of-band Security Note.

Beyond that, there is no further development on this matter as of now. Administrators should apply SAP's fix for CVE-2025-31324 without delay and, where patching cannot happen immediately, restrict network access to the Visual Composer Metadata Uploader or disable Visual Composer if it is not in use. Given that nearly 500 exposed servers are already believed to be compromised, an internet-facing server that was unpatched while the flaw was being exploited should be treated as potentially breached: patching alone does not remove a web shell that is already in place.
