SAP NetWeaver customers urged to deploy patches for critical zero-day vulnerability

Since the beginning of this week, attackers have been exploiting a critical zero-day vulnerability in the Visual Composer component of SAP NetWeaver application servers. SAP has released out-of-band fixes, available through its support portal, that should be applied immediately, especially on systems directly exposed to the Internet.
“Unverified attackers can abuse built-in functionality to upload arbitrary files to SAP NetWeaver instances, meaning full remote code execution and total system compromise,” Benjamin Harris, CEO of cybersecurity company watchTowr, told CSO. “This is not a theoretical threat – it’s happening now. watchTowr is seeing active exploitation by threat actors who exploit this vulnerability to put webshell backdoors on exposed systems and gain further access.”
The vulnerability is tracked as CVE-2025-31324 and received the maximum severity score of 10 on the CVSS scale. Customers should apply the fix described in SAP Security Note 3594142 (authentication is required to access it); if they cannot apply it immediately, they should disable or block access to the vulnerable component, following the instructions in SAP Note 3596125.