- SAP disclosed a 10/10 flaw in NetWeaver Visual Composer
- The bug allows threat actors to upload malware
- Researchers say that up to 1,200 instances are vulnerable
More than 1,200 SAP instances could be hijacked, according to researchers, because a critical vulnerability has been found abused in the wild. Earlier this week, SAP said that it had found an unauthenticated file upload vulnerability in the Metadata Uploader of NetWeaver Visual Composer.
Visual Composer is a development tool that allows users to create business applications on the web without writing code. It is mainly used to create dashboards, forms and interactive reports. The Metadata Uploader, on the other hand, is a tool for importing external data models (metadata) into the Visual Composer design environment. This allows developers to connect to remote data sources (web services, databases or SAP systems).
The vulnerability SAP found is now tracked as CVE-2025-31324. It carries the maximum severity score (10/10) and stems from the fact that the uploader is not protected by an appropriate authorization check, allowing unauthenticated actors to upload malicious executables.
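To illustrate the bug class the article describes (an upload endpoint that never checks who is calling it), here is a constructed example, not SAP's code: a vulnerable handler beside a hardened one that requires a session, a developer role and an allow-listed file type. The endpoint path, session store and request shape are all assumptions.

```python
import os
import re
import tempfile

# Placeholder endpoint; the real SAP path is not given in the article.
UPLOADER_PATH = "/PLACEHOLDER/metadata-uploader"
ALLOWED_EXTENSIONS = {".xml"}                       # metadata models only, never executables
VALID_SESSIONS = {"sess-developer-1": "developer"}  # constructed session -> role map

def _save(root, filename, data):
    dest = os.path.join(root, filename)
    with open(dest, "wb") as fh:
        fh.write(data)
    return dest

def vulnerable_upload(request, upload_root):
    """Stores any file from any caller: the missing-authorization flaw."""
    if request["method"] != "POST" or request["path"] != UPLOADER_PATH:
        return 404, "not found"
    dest = _save(upload_root, request["filename"], request["body"])
    return 200, f"stored {dest}"

def hardened_upload(request, upload_root):
    """Same endpoint gated by session, role, and a file-type allow-list."""
    if request["method"] != "POST" or request["path"] != UPLOADER_PATH:
        return 404, "not found"
    role = VALID_SESSIONS.get(request.get("session", ""))
    if role is None:
        return 401, "authentication required"
    if role != "developer":
        return 403, "insufficient privileges"
    name = os.path.basename(request["filename"])    # strip any directory components
    if not re.fullmatch(r"[A-Za-z0-9_.-]+", name):
        return 400, "invalid file name"
    if os.path.splitext(name)[1].lower() not in ALLOWED_EXTENSIONS:
        return 400, "unsupported file type"
    dest = _save(upload_root, name, request["body"])
    return 200, f"stored {dest}"

def demo():
    """Runs both handlers against a constructed web-shell upload and a valid model."""
    root = tempfile.mkdtemp()
    shell = {"method": "POST", "path": UPLOADER_PATH, "filename": "shell.jsp", "body": b"<% %>"}
    as_dev = {**shell, "session": "sess-developer-1"}
    model = {**as_dev, "filename": "model.xml", "body": b"<model/>"}
    return (vulnerable_upload(shell, root)[0],   # 200: anyone can drop a JSP
            hardened_upload(shell, root)[0],     # 401: no session
            hardened_upload(as_dev, root)[0],    # 400: .jsp not allowed
            hardened_upload(model, root)[0])     # 200: legitimate metadata import
```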
Fortune 500 at risk
When it discovered the bug, SAP first published a workaround and then, at the end of April, a patch.
Users are now urged to apply it as soon as possible, because several cybersecurity companies have confirmed that the flaw is being abused in the wild. According to BleepingComputer, ReliaQuest, watchTowr and Onapsis are just some of the companies that have observed the bug exploited in attacks in which threat actors deployed web shells on vulnerable servers.
SAP, however, said that it was not aware of any attack that had affected customer data or systems.
The jury is still out on the number of organizations that are actually vulnerable. While the Shadowserver Foundation says that 427 servers are exposed on the internet, Onyphe says that there are 1,284 instances, 474 of which are already compromised.
“Something like 20 Fortune 500 / Global 500 companies are vulnerable, and many of them are compromised,” Onyphe’s Auffret told BleepingComputer.
Via BleepingComputer