Security researchers warn that hackers are actively exploiting a critical unrestricted-file-upload vulnerability in SAP NetWeaver Visual Composer.
The vulnerability, tracked as CVE-2025-31324, allows an unauthenticated attacker to upload arbitrary files, including malicious executable content, to the server. It carries a CVSS severity score of 10.0, the maximum.
Researchers from Reliaquest disclosed the vulnerability to SAP after an investigation uncovered attackers uploading JSP webshells into publicly accessible directories, where any subsequent web request for the file executes it on the server.
Researchers initially suspected the hackers were exploiting an old vulnerability, tracked as CVE-2017-9844, or an unreported remote-file-inclusion vulnerability. However, Reliaquest observed compromises of fully patched systems, which ruled out the 2017 flaw and pointed to a previously unknown vulnerability.
“Vulnerability CVE-2017-9844 was designated for DoS and possible RCE (no mention of RFI) with requests to the same URI, and, as such, we feel this is net new or scope expansion,” a Reliaquest spokesperson told Cybersecurity Dive on Tuesday.
Reliaquest researchers warn that SAP software is widely deployed in government agencies and that a successful compromise could give hackers a foothold in government networks.
After gaining that foothold, attackers deployed the Brute Ratel command-and-control framework and used the Heaven's Gate technique, which switches a 32-bit process into 64-bit mode to slip past security tooling, for execution and evasion, according to Reliaquest.
An SAP spokesperson confirmed that the company was alerted to a vulnerability in SAP NetWeaver Visual Composer that may have allowed unauthenticated and unauthorized code execution in certain Java Servlets.
In its initial statement, the company said it was not aware of any compromises of customer data or systems. It said it had released a workaround on April 8 and was working on a patch that would be available on April 30.
An SAP spokesperson later confirmed that an emergency patch was issued Thursday, following the publication of the Reliaquest research. Researchers from Reliaquest and Onapsis noted in their blog posts that the emergency patch had been issued.
Despite SAP's statement that it was not aware of any compromises, security companies are reporting ongoing attempts to exploit the vulnerability.
Researchers at watchTowr are seeing threat actors drop webshell backdoors and use them to gain further access.
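The uploads Reliaquest traced and the webshell drops watchTowr describes both leave a trail in the web server's access log: an accepted POST to the Visual Composer metadata uploader, followed by requests for a .jsp file under the portal's publicly served directory. The script below is an added example written for this page; it is not code from the article, SAP or any of the researchers quoted. The uploader path and the servlet_jsp root directory are taken from SAP's public advisory for this CVE rather than from the article and should be treated as assumptions to verify against your own landscape. The log lines are constructed in Apache common log format; adapt `LOG_RE` to the ICM/HTTP access-log format your NetWeaver host actually writes.

```python
"""Hunt for CVE-2025-31324 post-exploitation in HTTP access logs (added example)."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

UPLOADER_PATH = "/developmentserver/metadatauploader"   # assumed vulnerable endpoint (SAP advisory)
JSP_ROOT = "/irj/servlet_jsp/irj/root/"                 # assumed publicly served drop directory

# Apache common log format; constructed for this example, not an SAP log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


@dataclass
class WebshellHit:
    shell_ip: str          # client that requested the .jsp file
    shell_ts: datetime
    shell_path: str
    upload_ip: str         # client that POSTed to the uploader beforehand
    upload_ts: datetime


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0].lower()   # drop query string, normalise case
    return rec


def hunt(lines, window: timedelta = timedelta(hours=24)) -> dict:
    """Flag accepted uploader POSTs, and .jsp requests under JSP_ROOT that follow one within `window`."""
    uploads = []   # every accepted POST to the uploader is an indicator on its own
    hits = []      # .jsp requests correlated with an earlier upload
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"] == UPLOADER_PATH and rec["status"] == 200:
            uploads.append(rec)
        elif rec["path"].startswith(JSP_ROOT) and rec["path"].endswith(".jsp") and rec["status"] == 200:
            prior = [u for u in uploads if timedelta(0) <= rec["ts"] - u["ts"] <= window]
            if prior:
                u = prior[-1]   # most recent upload before this request
                hits.append(WebshellHit(rec["ip"], rec["ts"], rec["path"], u["ip"], u["ts"]))
    return {"uploads": uploads, "webshell_hits": hits}


# Constructed sample log: a benign .jsp request before any upload (not flagged),
# an accepted uploader POST, and a follow-up request for the dropped shell from a second IP.
SAMPLE_LOG = """\
10.0.0.5 - - [24/Apr/2025:09:50:00 +0000] "GET /irj/servlet_jsp/irj/root/index.jsp HTTP/1.1" 200 1500
203.0.113.7 - - [24/Apr/2025:10:02:11 +0000] "GET /irj/portal HTTP/1.1" 200 5123
203.0.113.7 - - [24/Apr/2025:10:02:19 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 412
198.51.100.21 - - [24/Apr/2025:10:03:40 +0000] "GET /irj/servlet_jsp/irj/root/helper.jsp HTTP/1.1" 200 88
"""

if __name__ == "__main__":
    result = hunt(SAMPLE_LOG.splitlines())
    for u in result["uploads"]:
        print(f"uploader POST from {u['ip']} at {u['ts']:%Y-%m-%d %H:%M:%S}")
    for h in result["webshell_hits"]:
        print(f"webshell hit: {h.shell_path} by {h.shell_ip} "
              f"{(h.shell_ts - h.upload_ts).seconds}s after upload from {h.upload_ip}")
```

The correlation deliberately allows the upload and the webshell request to come from different addresses, since the upload can be done from one host and the shell used from another. Uncorrelated .jsp requests under the root directory are not reported here, so also compare the directory's contents on disk against a known-good baseline in case the upload happened before the log window.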
“This active in-the-wild exploitation and widespread impact makes it incredibly likely that we’ll soon see prolific exploitation by multiple parties,” Benjamin Harris, CEO of watchTowr, told Cybersecurity Dive via email. “If you thought you had time, you don’t.”
Onapsis Research Labs has identified more than 10,000 internet-facing SAP applications that may be at risk of breach due to the vulnerability, according to CEO Mariano Nunez.
Onapsis estimates that “50%-70% of these apps have the vulnerable component enabled and are likely already compromised,” Nunez added.
Visual Composer is not enabled by default, however, so Onapsis is still working to confirm how many of those systems are actually affected.
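Because the component is not on by default, the first triage question for each internet-facing NetWeaver Java host is whether the metadata uploader answers unauthenticated requests at all. The script below is an added example written for this page, not a check published by SAP, Onapsis or any researcher quoted here. It sends a single unauthenticated GET with no body and classifies the response; the servlet path is taken from SAP's public advisory for this CVE, and the meaning assigned to each status code is an assumption to confirm against SAP's note for your release.

```python
"""Triage probe for the Visual Composer metadata uploader (added example)."""
import sys
import urllib.error
import urllib.request

UPLOADER_PATH = "/developmentserver/metadatauploader"   # assumed endpoint (SAP advisory)


def classify(status: int) -> str:
    """Map the uploader's HTTP status to a triage verdict. Semantics are assumed."""
    if status == 200:
        return "EXPOSED: uploader answers unauthenticated requests; apply the patch now"
    if status in (401, 403):
        return "CHECK: uploader present but the request was rejected; confirm patch level"
    if status == 404:
        return "ABSENT: servlet not reachable at this alias (not deployed or disabled)"
    return f"UNKNOWN: HTTP {status}; inspect manually"


def probe(base_url: str, timeout: float = 10.0) -> int:
    """Return the HTTP status of one unauthenticated GET to the uploader. No payload is sent."""
    req = urllib.request.Request(
        base_url.rstrip("/") + UPLOADER_PATH,
        method="GET",
        headers={"User-Agent": "vc-uploader-triage/1.0"},  # assumed, for your own log review
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code          # 401/403/404 arrive as exceptions in urllib


def triage(base_urls, prober=probe) -> dict:
    """Probe each host and return {url: verdict}; `prober` is injectable for offline use."""
    return {url: classify(prober(url)) for url in base_urls}


if __name__ == "__main__":
    # usage: python triage.py https://sap-portal.example.com:50000 ...
    for url, verdict in triage(sys.argv[1:]).items():
        print(url, verdict)
```

Run it only against hosts you are authorised to test, and treat a 200 as a reason to patch immediately rather than as proof of compromise; the log hunt and a file-system baseline of the servlet directory are what tell you whether a webshell is already there.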
The Cybersecurity and Infrastructure Security Agency is tracking the CVE as part of its standard process, and is working with the vendor and other partners to determine whether additional communications are necessary, a spokesperson told Cybersecurity Dive.