Vulnerability Management, Patch/Configuration Management

SAP NetWeaver bug exploited since January, allows RCE


The CVSS 10.0 SAP NetWeaver Visual Composer flaw that has been exploited on hundreds of servers is worse than originally thought. Researchers found the bug is not merely a file upload issue, but a full remote code execution (RCE) vulnerability.

Juan Pablo “JP” Perez-Etchegoyen, chief technology officer at Onapsis, said researchers also recently discovered that threat actors had been probing for vulnerable SAP systems since at least Jan. 20 — almost two months earlier than prior reports indicated.

“Most exploits and PoCs [proof-of-concepts] that surfaced over the last several weeks are fake — wrong,” said Perez-Etchegoyen. “The danger of this is that it misleads defenders, assuming systems were patched and confusing their IR playbooks on what to look for. However, it’s important to stress that organizations should react and apply the patches, since the released patches are effective in preventing the threats that we have seen actively being leveraged against organizations.”

Perez-Etchegoyen said it’s been a very broad campaign, with all types of industries affected by the massive exploitation and compromise of CVE-2025-31324. Here’s the rundown:

  • Rapid7 reported nearly all of the incidents they saw affected manufacturing.
  • In a joint webinar with Mandiant, Onapsis reported addressing incidents across multiple industries such as energy and utilities, manufacturing, media and entertainment, as well as oil and gas.
  • Onapsis has responded to incidents in pharma and retail.

Callie Guenther, senior manager, cyber threat researcher at Critical Start, said the SAP case is not an isolated technical risk; rather, it represents an operational and strategic threat vector.

State-aligned groups, including those linked to Chinese cyber espionage activity, have leveraged the vulnerability to deploy persistent access mechanisms like Golang-based SuperShell implants, said Guenther.

“The targets and methods indicate a long-term interest in maintaining access to systems that manage intellectual property, supply chains, and financial data, a typical modus operandi aligned with Chinese state interests in economic and industrial espionage,” said Guenther, an SC Media columnist.

“Many enterprises may be unaware that a breach has already occurred, especially given the low visibility most security teams have into ERP environments compared to endpoints and networks,” she continued. “The reality is that ERP systems like SAP NetWeaver function as critical infrastructure for the private sector. A successful compromise here does not simply risk IT downtime — it can undermine procurement, payroll, logistics, and even regulatory compliance.”

A public incident exploiting the SAP flaw is “inevitable”

Nic Adams, co-founder and CEO at 0rcus, explained that hundreds of SAP systems across important verticals are already compromised and many environments remain unpatched.

“A major public incident is inevitable,” said Adams. “Any unpatched system should be treated as already compromised.”

Adams said the attackers are operating over standard HTTP channels with no credentials by using POST requests to deliver payloads, then invoking native binaries like curl and bash to deploy secondary tooling.

“Persistence is established early,” said Adams. “Webshells are planted in predictable SAP directories and revisited later. One APT is using a full post-exploitation stack with evasive implants and staged payloads. This is stealth access, not smash-and-grab, since they know the terrain.”

Adams said security teams should do the following:

  • Deploy SAP-aware scanners immediately; generic tools will miss the signal.
  • Hunt for POST/GET calls to less-visible endpoints.
  • Audit IRJ-rooted directories for rogue .jsp or .class files.
  • Look for SAP Java spawning native OS tools.
  • Enable low-level telemetry on SAP hosts.

If possible, Adams said teams should isolate or restrict access to the Visual Composer component entirely. Review logs for historical activity and outbound calls. Focus on network containment and endpoint validation over blind patching. Assume backdoors are already planted.
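Two of the hunts above can be scripted. The following is an added defensive example, not code from the article or from any of the quoted vendors: it compares .jsp/.class files under an IRJ root against a known-good baseline and flags SAP Java processes that spawned native OS tools. The IRJ path, the SAP process names and all sample data are assumptions constructed for illustration.

```python
import os

# Assumed IRJ root; the real path depends on SID and instance (hypothetical value).
IRJ_ROOT = "/usr/sap/PRD/J00/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root"
SUSPECT_EXT = (".jsp", ".class")
NATIVE_TOOLS = {"curl", "wget", "bash", "sh", "python3", "perl"}
SAP_JAVA_PARENTS = ("jstart", "jlaunch", "java")  # assumed SAP AS Java process names


def find_rogue_files(file_paths, baseline):
    """Return .jsp/.class paths under IRJ_ROOT that are absent from a known-good baseline."""
    rogue = []
    for path in file_paths:
        norm = os.path.normpath(path)
        if not norm.startswith(IRJ_ROOT):
            continue  # only IRJ-rooted files are in scope for this hunt
        if norm.lower().endswith(SUSPECT_EXT) and norm not in baseline:
            rogue.append(norm)
    return sorted(rogue)


def find_java_spawns(proc_events):
    """Return process events where a SAP Java parent spawned a native OS tool."""
    hits = []
    for ev in proc_events:
        parent = os.path.basename(ev["parent_exe"]).lower()
        child = os.path.basename(ev["child_exe"]).lower()
        if parent.startswith(SAP_JAVA_PARENTS) and child in NATIVE_TOOLS:
            hits.append(ev)
    return hits


# Constructed sample data (not real forensic artifacts).
BASELINE = {
    IRJ_ROOT + "/index.jsp",
    IRJ_ROOT + "/WEB-INF/classes/com/sap/portal/Startup.class",
}
SAMPLE_FILES = [
    IRJ_ROOT + "/index.jsp",                                   # baselined, ignore
    IRJ_ROOT + "/helper.jsp",                                  # not in baseline, flag
    IRJ_ROOT + "/WEB-INF/classes/com/sap/portal/Startup.class",
    IRJ_ROOT + "/WEB-INF/classes/Cache.class",                 # not in baseline, flag
    IRJ_ROOT + "/static/logo.png",                             # other extension, ignore
    "/tmp/stray.jsp",                                          # outside IRJ root, ignore
]
SAMPLE_PROCS = [
    {"pid": 4011, "parent_exe": "/usr/sap/PRD/J00/exe/jstart", "child_exe": "/usr/bin/curl"},
    {"pid": 4012, "parent_exe": "/usr/sap/PRD/J00/exe/jstart", "child_exe": "/usr/sap/PRD/J00/exe/sapcontrol"},
    {"pid": 4013, "parent_exe": "/usr/bin/bash", "child_exe": "/usr/bin/curl"},
]

if __name__ == "__main__":
    for p in find_rogue_files(SAMPLE_FILES, BASELINE):
        print("rogue file:", p)
    for ev in find_java_spawns(SAMPLE_PROCS):
        print("SAP Java spawned native tool:", ev)
```

On a real host the baseline would come from a clean install or a trusted backup, and the process events from EDR or auditd telemetry rather than a hard-coded list.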
