What is the Attack?

A zero-day SAP vulnerability, CVE-2025-31324, with a CVSS score of 10.0 is being actively exploited in the wild. The vulnerability affects SAP Visual Composer and allows unauthenticated threat actors to upload arbitrary files, resulting in full compromise of the targeted system that could significantly affect its confidentiality, integrity, and availability.

The vulnerability stems from the SAP NetWeaver Visual Composer Metadata Uploader lacking proper authorization protection, which allows unauthenticated agents to upload potentially malicious executable binaries.

CISA added the CVE to its Known Exploited Vulnerabilities Catalog on April 29, 2025.

What is the recommended Mitigation?

The vulnerability exists in the SAP Visual Composer component for SAP NetWeaver 7.1x (all SPS). Although the vulnerable component is not included in NetWeaver's default configuration, SAP security firm Onapsis highlights that it is commonly enabled in many installations (source: Onapsis Blog).

SAP released an emergency patch for this issue on April 24, 2025: https://me.sap.com/notes/3594142

What FortiGuard Coverage is available?

Intrusion Prevention System (IPS): An IPS signature is available to detect and block exploit attempts targeting CVE-2025-31324.

Antimalware and Sandbox Service: Delivers protection against known malware and uses advanced behavioral analysis to detect and block unknown threats.

Indicators of Compromise (IOC): FortiGuard Labs has blocked all the known Indicators of Compromise (IOCs) linked to the campaigns targeting the SAP NetWeaver vulnerability (CVE-2025-31324).

Incident Response: The FortiGuard Incident Response team is available to assist with any suspected compromise. Experienced a Breach? Let the Fortinet Incident Response Team Help.
SAP Netweaver Zero-Day Attack